From a5b2409055c034c5749d9ab1eb7a1b280cf17755 Mon Sep 17 00:00:00 2001 From: Kylie Geller Date: Tue, 28 Jun 2022 09:52:49 -0400 Subject: [PATCH 001/186] finalizing changelog for 8.3 release (#1966) --- CHANGELOG.md | 14 ++++++++++++++ CHANGELOG.next.md | 14 -------------- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 69a7258515..6acba3098c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,20 @@ # CHANGELOG All notable changes to this project will be documented in this file based on the [Keep a Changelog](http://keepachangelog.com/) Standard. This project adheres to [Semantic Versioning](http://semver.org/). +## [8.3.0](https://github.com/elastic/ecs/compare/v8.2.1...v8.3.0) + +### Schema Changes + +#### Added + +* Added `pattern` attribute to `.mac` fields. #1871 +* Add `orchestrator.cluster.id` #1875 +* Add `orchestrator.resource.id` #1878 +* Add `orchestrator.resource.parent.type` #1889 +* Add `orchestrator.resource.ip` #1889 +* Add `container.image.hash.all` #1889 +* Advanced `container.*` metric fields to GA. #1927 + ## [8.2.1](https://github.com/elastic/ecs/compare/v8.2.0...v8.2.1) ### Schema Changes diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 2be5298ed9..9e2262ec7a 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -67,20 +67,6 @@ Thanks, you're awesome :-) --> #### Deprecated -## 8.3.0 (Hard Feature Freeze) - -### Schema Changes - -#### Added - -* Added `pattern` attribute to `.mac` fields. #1871 -* Add `orchestrator.cluster.id` #1875 -* Add `orchestrator.resource.id` #1878 -* Add `orchestrator.resource.parent.type` #1889 -* Add `orchestrator.resource.ip` #1889 -* Add `container.image.hash.all` #1889 -* Advanced `container.*` metric fields to GA. #1927 - #### Added -* Add `service.node.role` #1916 * Initial set of `expected_values`. #1962 #### Improvements From 44205fff68f32ab073faed46f4e1d389498517f1 Mon Sep 17 00:00:00 2001 
From: Kylie Geller Date: Wed, 29 Jun 2022 11:41:55 -0400 Subject: [PATCH 004/186] [main] Deprecate service.node.role --- CHANGELOG.next.md | 8 ++++++++ docs/fields/field-details.asciidoc | 4 +++- experimental/generated/beats/fields.ecs.yml | 15 ++++++++++++--- experimental/generated/csv/fields.csv | 6 +++--- experimental/generated/ecs/ecs_flat.yml | 21 +++++++++++++++------ experimental/generated/ecs/ecs_nested.yml | 21 +++++++++++++++------ generated/beats/fields.ecs.yml | 15 ++++++++++++--- generated/csv/fields.csv | 6 +++--- generated/ecs/ecs_flat.yml | 21 +++++++++++++++------ generated/ecs/ecs_nested.yml | 21 +++++++++++++++------ schemas/service.yml | 5 ++++- 11 files changed, 105 insertions(+), 38 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 6a82140f82..0611ec8147 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -66,6 +66,14 @@ Thanks, you're awesome :-) --> #### Deprecated +## 8.3.1 + +### Schema Changes + +#### Deprecated + +* Deprecate `service.node.role` in favor of upcoming `service.node.roles`. #1976 + #### Added * Initial set of `expected_values`. #1962 +* Adding `service.node.roles`. #1981 #### Improvements diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index ac2a5538e5..6eccd77281 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -8644,7 +8644,7 @@ Role of a service node. This allows for distinction between different running roles of the same service. -In the case of Kibana, the `service.node.role` could be `ui` or `background-tasks`. +In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. In the case of Elasticsearch, the `service.node.role` could be `master` or `data`. 
@@ -8654,7 +8654,34 @@ type: keyword -example: `background-tasks` +example: `background_tasks` + +| extended + +// =============================================================== + +| +[[field-service-node-roles]] +<> + +a| Roles of a service node. + +This allows for distinction between different running roles of the same service. + +In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` or both. + +In the case of Elasticsearch, the `service.node.role` could be `master` or `data` or both. + +Other services could use this to distinguish between a `web` and `worker` role running as part of the service. + +type: keyword + + +Note: this field should contain an array of values. + + + +example: `["ui", "background_tasks"]` | extended diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 9b815bf49a..ae28420db8 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -7651,14 +7651,32 @@ This allows for distinction between different running roles of the same service. - In the case of Kibana, the `service.node.role` could be `ui` or `background-tasks`. + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. In the case of Elasticsearch, the `service.node.role` could be `master` or `data`. Other services could use this to distinguish between a `web` and `worker` role running as part of the service.' - example: background-tasks + example: background_tasks + default_field: false + - name: node.roles + level: extended + type: keyword + ignore_above: 1024 + description: 'Roles of a service node. + + This allows for distinction between different running roles of the same service. + + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` + or both. + + In the case of Elasticsearch, the `service.node.role` could be `master` or + `data` or both. + + Other services could use this to distinguish between a `web` and `worker` + role running as part of the service.' + example: '["ui", "background_tasks"]' default_field: false - name: origin.address level: extended 
@@ -7749,14 +7767,32 @@ This allows for distinction between different running roles of the same service. - In the case of Kibana, the `service.node.role` could be `ui` or `background-tasks`. + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. In the case of Elasticsearch, the `service.node.role` could be `master` or `data`. Other services could use this to distinguish between a `web` and `worker` role running as part of the service.' - example: background-tasks + example: background_tasks + default_field: false + - name: origin.node.roles + level: extended + type: keyword + ignore_above: 1024 + description: 'Roles of a service node. + + This allows for distinction between different running roles of the same service. + + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` + or both. + + In the case of Elasticsearch, the `service.node.role` could be `master` or + `data` or both. + + Other services could use this to distinguish between a `web` and `worker` + role running as part of the service.' + example: '["ui", "background_tasks"]' default_field: false - name: origin.state level: core 
@@ -7880,14 +7916,32 @@ This allows for distinction between different running roles of the same service. - In the case of Kibana, the `service.node.role` could be `ui` or `background-tasks`. + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. In the case of Elasticsearch, the `service.node.role` could be `master` or `data`. Other services could use this to distinguish between a `web` and `worker` role running as part of the service.' - example: background-tasks + example: background_tasks + default_field: false + - name: target.node.roles + level: extended + type: keyword + ignore_above: 1024 + description: 'Roles of a service node. + + This allows for distinction between different running roles of the same service. + + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` + or both. + + In the case of Elasticsearch, the `service.node.role` could be `master` or + `data` or both. + + Other services could use this to distinguish between a `web` and `worker` + role running as part of the service.' + example: '["ui", "background_tasks"]' default_field: false - name: target.state level: core diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index b5cd5e88d1..a63cbef4d0 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -896,14 +896,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.5.0-dev+exp,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. 8.5.0-dev+exp,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. 8.5.0-dev+exp,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.5.0-dev+exp,true,service,service.node.role,keyword,extended,,background-tasks,Deprecated role (singular) of the service node. +8.5.0-dev+exp,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +8.5.0-dev+exp,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. 8.5.0-dev+exp,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. 8.5.0-dev+exp,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. 8.5.0-dev+exp,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. 8.5.0-dev+exp,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. 8.5.0-dev+exp,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. 8.5.0-dev+exp,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.5.0-dev+exp,true,service,service.origin.node.role,keyword,extended,,background-tasks,Deprecated role (singular) of the service node. +8.5.0-dev+exp,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +8.5.0-dev+exp,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. 
8.5.0-dev+exp,true,service,service.origin.state,keyword,core,,,Current state of the service. 8.5.0-dev+exp,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. 8.5.0-dev+exp,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. @@ -914,7 +916,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.5.0-dev+exp,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. 8.5.0-dev+exp,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. 8.5.0-dev+exp,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.5.0-dev+exp,true,service,service.target.node.role,keyword,extended,,background-tasks,Deprecated role (singular) of the service node. +8.5.0-dev+exp,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +8.5.0-dev+exp,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. 8.5.0-dev+exp,true,service,service.target.state,keyword,core,,,Current state of the service. 8.5.0-dev+exp,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. 8.5.0-dev+exp,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index e74862f362..f91484cf01 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -11282,13 +11282,13 @@ service.node.role: This allows for distinction between different running roles of the same service. - In the case of Kibana, the `service.node.role` could be `ui` or `background-tasks`. + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. In the case of Elasticsearch, the `service.node.role` could be `master` or `data`. Other services could use this to distinguish between a `web` and `worker` role running as part of the service.' - example: background-tasks + example: background_tasks flat_name: service.node.role ignore_above: 1024 level: extended @@ -11296,6 +11296,29 @@ service.node.role: normalize: [] short: Deprecated role (singular) of the service node. type: keyword +service.node.roles: + dashed_name: service-node-roles + description: 'Roles of a service node. + + This allows for distinction between different running roles of the same service. + + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` + or both. + + In the case of Elasticsearch, the `service.node.role` could be `master` or `data` + or both. + + Other services could use this to distinguish between a `web` and `worker` role + running as part of the service.' + example: '["ui", "background_tasks"]' + flat_name: service.node.roles + ignore_above: 1024 + level: extended + name: node.roles + normalize: + - array + short: Roles of the service node. + type: keyword service.origin.address: dashed_name: service-origin-address description: 'Address where data about this service was collected from. 
@@ -11413,13 +11436,13 @@ service.origin.node.role: This allows for distinction between different running roles of the same service. - In the case of Kibana, the `service.node.role` could be `ui` or `background-tasks`. + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. In the case of Elasticsearch, the `service.node.role` could be `master` or `data`. Other services could use this to distinguish between a `web` and `worker` role running as part of the service.' - example: background-tasks + example: background_tasks flat_name: service.origin.node.role ignore_above: 1024 level: extended @@ -11428,6 +11451,30 @@ service.origin.node.role: original_fieldset: service short: Deprecated role (singular) of the service node. type: keyword +service.origin.node.roles: + dashed_name: service-origin-node-roles + description: 'Roles of a service node. + + This allows for distinction between different running roles of the same service. + + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` + or both. + + In the case of Elasticsearch, the `service.node.role` could be `master` or `data` + or both. + + Other services could use this to distinguish between a `web` and `worker` role + running as part of the service.' + example: '["ui", "background_tasks"]' + flat_name: service.origin.node.roles + ignore_above: 1024 + level: extended + name: node.roles + normalize: + - array + original_fieldset: service + short: Roles of the service node. + type: keyword service.origin.state: dashed_name: service-origin-state description: Current state of the service. 
@@ -11598,13 +11645,13 @@ service.target.node.role: This allows for distinction between different running roles of the same service. - In the case of Kibana, the `service.node.role` could be `ui` or `background-tasks`. + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. In the case of Elasticsearch, the `service.node.role` could be `master` or `data`. Other services could use this to distinguish between a `web` and `worker` role running as part of the service.' - example: background-tasks + example: background_tasks flat_name: service.target.node.role ignore_above: 1024 level: extended @@ -11613,6 +11660,30 @@ service.target.node.role: original_fieldset: service short: Deprecated role (singular) of the service node. type: keyword +service.target.node.roles: + dashed_name: service-target-node-roles + description: 'Roles of a service node. + + This allows for distinction between different running roles of the same service. + + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` + or both. + + In the case of Elasticsearch, the `service.node.role` could be `master` or `data` + or both. + + Other services could use this to distinguish between a `web` and `worker` role + running as part of the service.' + example: '["ui", "background_tasks"]' + flat_name: service.target.node.roles + ignore_above: 1024 + level: extended + name: node.roles + normalize: + - array + original_fieldset: service + short: Roles of the service node. + type: keyword service.target.state: dashed_name: service-target-state description: Current state of the service. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index b7303fff27..3564f2019f 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -13280,14 +13280,14 @@ service: This allows for distinction between different running roles of the same service. - In the case of Kibana, the `service.node.role` could be `ui` or `background-tasks`. + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. In the case of Elasticsearch, the `service.node.role` could be `master` or `data`. Other services could use this to distinguish between a `web` and `worker` role running as part of the service.' - example: background-tasks + example: background_tasks flat_name: service.node.role ignore_above: 1024 level: extended @@ -13295,6 +13295,29 @@ service: normalize: [] short: Deprecated role (singular) of the service node. type: keyword + service.node.roles: + dashed_name: service-node-roles + description: 'Roles of a service node. + + This allows for distinction between different running roles of the same service. + + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` + or both. + + In the case of Elasticsearch, the `service.node.role` could be `master` or + `data` or both. + + Other services could use this to distinguish between a `web` and `worker` + role running as part of the service.' + example: '["ui", "background_tasks"]' + flat_name: service.node.roles + ignore_above: 1024 + level: extended + name: node.roles + normalize: + - array + short: Roles of the service node. + type: keyword service.origin.address: dashed_name: service-origin-address description: 'Address where data about this service was collected from. 
@@ -13413,14 +13436,14 @@ service: This allows for distinction between different running roles of the same service. - In the case of Kibana, the `service.node.role` could be `ui` or `background-tasks`. + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. In the case of Elasticsearch, the `service.node.role` could be `master` or `data`. Other services could use this to distinguish between a `web` and `worker` role running as part of the service.' - example: background-tasks + example: background_tasks flat_name: service.origin.node.role ignore_above: 1024 level: extended @@ -13429,6 +13452,30 @@ service: original_fieldset: service short: Deprecated role (singular) of the service node. type: keyword + service.origin.node.roles: + dashed_name: service-origin-node-roles + description: 'Roles of a service node. + + This allows for distinction between different running roles of the same service. + + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` + or both. + + In the case of Elasticsearch, the `service.node.role` could be `master` or + `data` or both. + + Other services could use this to distinguish between a `web` and `worker` + role running as part of the service.' + example: '["ui", "background_tasks"]' + flat_name: service.origin.node.roles + ignore_above: 1024 + level: extended + name: node.roles + normalize: + - array + original_fieldset: service + short: Roles of the service node. + type: keyword service.origin.state: dashed_name: service-origin-state description: Current state of the service. 
@@ -13600,14 +13647,14 @@ service: This allows for distinction between different running roles of the same service. - In the case of Kibana, the `service.node.role` could be `ui` or `background-tasks`. + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. In the case of Elasticsearch, the `service.node.role` could be `master` or `data`. Other services could use this to distinguish between a `web` and `worker` role running as part of the service.' - example: background-tasks + example: background_tasks flat_name: service.target.node.role ignore_above: 1024 level: extended @@ -13616,6 +13663,30 @@ service: original_fieldset: service short: Deprecated role (singular) of the service node. type: keyword + service.target.node.roles: + dashed_name: service-target-node-roles + description: 'Roles of a service node. + + This allows for distinction between different running roles of the same service. + + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` + or both. + + In the case of Elasticsearch, the `service.node.role` could be `master` or + `data` or both. + + Other services could use this to distinguish between a `web` and `worker` + role running as part of the service.' + example: '["ui", "background_tasks"]' + flat_name: service.target.node.roles + ignore_above: 1024 + level: extended + name: node.roles + normalize: + - array + original_fieldset: service + short: Roles of the service node. + type: keyword service.target.state: dashed_name: service-target-state description: Current state of the service. diff --git a/experimental/generated/elasticsearch/composable/component/service.json b/experimental/generated/elasticsearch/composable/component/service.json index 02b983e48a..bf155139f1 100644 --- a/experimental/generated/elasticsearch/composable/component/service.json +++ b/experimental/generated/elasticsearch/composable/component/service.json 
@@ -37,6 +37,10 @@ "role": { "ignore_above": 1024, "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -71,6 +75,10 @@ "role": { "ignore_above": 1024, "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -123,6 +131,10 @@ "role": { "ignore_above": 1024, "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } } }, diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index 5c8b973eb3..4235a87fb7 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -4258,6 +4258,10 @@ "role": { "ignore_above": 1024, "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -4292,6 +4296,10 @@ "role": { "ignore_above": 1024, "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -4344,6 +4352,10 @@ "role": { "ignore_above": 1024, "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } } }, diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 51944b5df1..1cd2d99870 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -7601,14 +7601,32 @@ This allows for distinction between different running roles of the same service. - In the case of Kibana, the `service.node.role` could be `ui` or `background-tasks`. + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. In the case of Elasticsearch, the `service.node.role` could be `master` or `data`. Other services could use this to distinguish between a `web` and `worker` role running as part of the service.' - example: background-tasks + example: background_tasks + default_field: false + - name: node.roles + level: extended + type: keyword + ignore_above: 1024 + description: 'Roles of a service node. + + This allows for distinction between different running roles of the same service. + + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` + or both. + + In the case of Elasticsearch, the `service.node.role` could be `master` or + `data` or both. + + Other services could use this to distinguish between a `web` and `worker` + role running as part of the service.' + example: '["ui", "background_tasks"]' default_field: false - name: origin.address level: extended 
@@ -7699,14 +7717,32 @@ This allows for distinction between different running roles of the same service. - In the case of Kibana, the `service.node.role` could be `ui` or `background-tasks`. + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. In the case of Elasticsearch, the `service.node.role` could be `master` or `data`. Other services could use this to distinguish between a `web` and `worker` role running as part of the service.' - example: background-tasks + example: background_tasks + default_field: false + - name: origin.node.roles + level: extended + type: keyword + ignore_above: 1024 + description: 'Roles of a service node. + + This allows for distinction between different running roles of the same service. + + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` + or both. + + In the case of Elasticsearch, the `service.node.role` could be `master` or + `data` or both. + + Other services could use this to distinguish between a `web` and `worker` + role running as part of the service.' + example: '["ui", "background_tasks"]' default_field: false - name: origin.state level: core 
@@ -7830,14 +7866,32 @@ This allows for distinction between different running roles of the same service. - In the case of Kibana, the `service.node.role` could be `ui` or `background-tasks`. + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. In the case of Elasticsearch, the `service.node.role` could be `master` or `data`. Other services could use this to distinguish between a `web` and `worker` role running as part of the service.' - example: background-tasks + example: background_tasks + default_field: false + - name: target.node.roles + level: extended + type: keyword + ignore_above: 1024 + description: 'Roles of a service node. + + This allows for distinction between different running roles of the same service. + + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` + or both. + + In the case of Elasticsearch, the `service.node.role` could be `master` or + `data` or both. + + Other services could use this to distinguish between a `web` and `worker` + role running as part of the service.' + example: '["ui", "background_tasks"]' default_field: false - name: target.state level: core diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 808934856d..f29d8d5c71 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -889,14 +889,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.5.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. 8.5.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. 8.5.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.5.0-dev,true,service,service.node.role,keyword,extended,,background-tasks,Deprecated role (singular) of the service node. +8.5.0-dev,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +8.5.0-dev,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. 8.5.0-dev,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. 8.5.0-dev,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. 8.5.0-dev,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. 8.5.0-dev,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. 8.5.0-dev,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. 8.5.0-dev,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.5.0-dev,true,service,service.origin.node.role,keyword,extended,,background-tasks,Deprecated role (singular) of the service node. +8.5.0-dev,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +8.5.0-dev,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. 8.5.0-dev,true,service,service.origin.state,keyword,core,,,Current state of the service. 
8.5.0-dev,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. 8.5.0-dev,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. @@ -907,7 +909,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.5.0-dev,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. 8.5.0-dev,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. 8.5.0-dev,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.5.0-dev,true,service,service.target.node.role,keyword,extended,,background-tasks,Deprecated role (singular) of the service node. +8.5.0-dev,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +8.5.0-dev,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. 8.5.0-dev,true,service,service.target.state,keyword,core,,,Current state of the service. 8.5.0-dev,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. 8.5.0-dev,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 2926edf0e3..7ade1b8cf1 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -11213,13 +11213,13 @@ service.node.role: This allows for distinction between different running roles of the same service. - In the case of Kibana, the `service.node.role` could be `ui` or `background-tasks`. + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. In the case of Elasticsearch, the `service.node.role` could be `master` or `data`. Other services could use this to distinguish between a `web` and `worker` role running as part of the service.' - example: background-tasks + example: background_tasks flat_name: service.node.role ignore_above: 1024 level: extended @@ -11227,6 +11227,29 @@ service.node.role: normalize: [] short: Deprecated role (singular) of the service node. type: keyword +service.node.roles: + dashed_name: service-node-roles + description: 'Roles of a service node. + + This allows for distinction between different running roles of the same service. + + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` + or both. + + In the case of Elasticsearch, the `service.node.role` could be `master` or `data` + or both. + + Other services could use this to distinguish between a `web` and `worker` role + running as part of the service.' + example: '["ui", "background_tasks"]' + flat_name: service.node.roles + ignore_above: 1024 + level: extended + name: node.roles + normalize: + - array + short: Roles of the service node. + type: keyword service.origin.address: dashed_name: service-origin-address description: 'Address where data about this service was collected from. 
@@ -11344,13 +11367,13 @@ service.origin.node.role: This allows for distinction between different running roles of the same service. - In the case of Kibana, the `service.node.role` could be `ui` or `background-tasks`. + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. In the case of Elasticsearch, the `service.node.role` could be `master` or `data`. Other services could use this to distinguish between a `web` and `worker` role running as part of the service.' - example: background-tasks + example: background_tasks flat_name: service.origin.node.role ignore_above: 1024 level: extended @@ -11359,6 +11382,30 @@ service.origin.node.role: original_fieldset: service short: Deprecated role (singular) of the service node. type: keyword +service.origin.node.roles: + dashed_name: service-origin-node-roles + description: 'Roles of a service node. + + This allows for distinction between different running roles of the same service. + + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` + or both. + + In the case of Elasticsearch, the `service.node.role` could be `master` or `data` + or both. + + Other services could use this to distinguish between a `web` and `worker` role + running as part of the service.' + example: '["ui", "background_tasks"]' + flat_name: service.origin.node.roles + ignore_above: 1024 + level: extended + name: node.roles + normalize: + - array + original_fieldset: service + short: Roles of the service node. + type: keyword service.origin.state: dashed_name: service-origin-state description: Current state of the service. 
@@ -11529,13 +11576,13 @@ service.target.node.role: This allows for distinction between different running roles of the same service. - In the case of Kibana, the `service.node.role` could be `ui` or `background-tasks`. + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. In the case of Elasticsearch, the `service.node.role` could be `master` or `data`. Other services could use this to distinguish between a `web` and `worker` role running as part of the service.' - example: background-tasks + example: background_tasks flat_name: service.target.node.role ignore_above: 1024 level: extended @@ -11544,6 +11591,30 @@ service.target.node.role: original_fieldset: service short: Deprecated role (singular) of the service node. type: keyword +service.target.node.roles: + dashed_name: service-target-node-roles + description: 'Roles of a service node. + + This allows for distinction between different running roles of the same service. + + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` + or both. + + In the case of Elasticsearch, the `service.node.role` could be `master` or `data` + or both. + + Other services could use this to distinguish between a `web` and `worker` role + running as part of the service.' + example: '["ui", "background_tasks"]' + flat_name: service.target.node.roles + ignore_above: 1024 + level: extended + name: node.roles + normalize: + - array + original_fieldset: service + short: Roles of the service node. + type: keyword service.target.state: dashed_name: service-target-state description: Current state of the service. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index c514288a5c..62185d1d4a 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -13200,14 +13200,14 @@ service: This allows for distinction between different running roles of the same service. - In the case of Kibana, the `service.node.role` could be `ui` or `background-tasks`. + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. In the case of Elasticsearch, the `service.node.role` could be `master` or `data`. Other services could use this to distinguish between a `web` and `worker` role running as part of the service.' - example: background-tasks + example: background_tasks flat_name: service.node.role ignore_above: 1024 level: extended @@ -13215,6 +13215,29 @@ service: normalize: [] short: Deprecated role (singular) of the service node. type: keyword + service.node.roles: + dashed_name: service-node-roles + description: 'Roles of a service node. + + This allows for distinction between different running roles of the same service. + + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` + or both. + + In the case of Elasticsearch, the `service.node.role` could be `master` or + `data` or both. + + Other services could use this to distinguish between a `web` and `worker` + role running as part of the service.' + example: '["ui", "background_tasks"]' + flat_name: service.node.roles + ignore_above: 1024 + level: extended + name: node.roles + normalize: + - array + short: Roles of the service node. + type: keyword service.origin.address: dashed_name: service-origin-address description: 'Address where data about this service was collected from. 
@@ -13333,14 +13356,14 @@ service: This allows for distinction between different running roles of the same service. - In the case of Kibana, the `service.node.role` could be `ui` or `background-tasks`. + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. In the case of Elasticsearch, the `service.node.role` could be `master` or `data`. Other services could use this to distinguish between a `web` and `worker` role running as part of the service.' - example: background-tasks + example: background_tasks flat_name: service.origin.node.role ignore_above: 1024 level: extended @@ -13349,6 +13372,30 @@ service: original_fieldset: service short: Deprecated role (singular) of the service node. type: keyword + service.origin.node.roles: + dashed_name: service-origin-node-roles + description: 'Roles of a service node. + + This allows for distinction between different running roles of the same service. + + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` + or both. + + In the case of Elasticsearch, the `service.node.role` could be `master` or + `data` or both. + + Other services could use this to distinguish between a `web` and `worker` + role running as part of the service.' + example: '["ui", "background_tasks"]' + flat_name: service.origin.node.roles + ignore_above: 1024 + level: extended + name: node.roles + normalize: + - array + original_fieldset: service + short: Roles of the service node. + type: keyword service.origin.state: dashed_name: service-origin-state description: Current state of the service. 
@@ -13520,14 +13567,14 @@ service: This allows for distinction between different running roles of the same service. - In the case of Kibana, the `service.node.role` could be `ui` or `background-tasks`. + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. In the case of Elasticsearch, the `service.node.role` could be `master` or `data`. Other services could use this to distinguish between a `web` and `worker` role running as part of the service.' - example: background-tasks + example: background_tasks flat_name: service.target.node.role ignore_above: 1024 level: extended @@ -13536,6 +13583,30 @@ service: original_fieldset: service short: Deprecated role (singular) of the service node. type: keyword + service.target.node.roles: + dashed_name: service-target-node-roles + description: 'Roles of a service node. + + This allows for distinction between different running roles of the same service. + + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` + or both. + + In the case of Elasticsearch, the `service.node.role` could be `master` or + `data` or both. + + Other services could use this to distinguish between a `web` and `worker` + role running as part of the service.' + example: '["ui", "background_tasks"]' + flat_name: service.target.node.roles + ignore_above: 1024 + level: extended + name: node.roles + normalize: + - array + original_fieldset: service + short: Roles of the service node. + type: keyword service.target.state: dashed_name: service-target-state description: Current state of the service. diff --git a/generated/elasticsearch/composable/component/service.json b/generated/elasticsearch/composable/component/service.json index bff9c92c0b..d225f6a1f0 100644 --- a/generated/elasticsearch/composable/component/service.json +++ b/generated/elasticsearch/composable/component/service.json 
@@ -37,6 +37,10 @@ "role": { "ignore_above": 1024, "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -71,6 +75,10 @@ "role": { "ignore_above": 1024, "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -123,6 +131,10 @@ "role": { "ignore_above": 1024, "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } } }, diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index 1d440c5e92..3a7641f171 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -4216,6 +4216,10 @@ "role": { "ignore_above": 1024, "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -4250,6 +4254,10 @@ "role": { "ignore_above": 1024, "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -4302,6 +4310,10 @@ "role": { "ignore_above": 1024, "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } } }, diff --git a/schemas/service.yml b/schemas/service.yml index 497f134526..ecfbc99ed2 100644 --- a/schemas/service.yml +++ b/schemas/service.yml @@ -119,7 +119,7 @@ - name: node.role level: extended type: keyword - example: "background-tasks" + example: "background_tasks" short: Deprecated role (singular) of the service node. description: > Deprecated for removal in next major version release. This field will be superseded by 
@@ -129,12 +129,30 @@ This allows for distinction between different running roles of the same service. - In the case of Kibana, the `service.node.role` could be `ui` or `background-tasks`. + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. In the case of Elasticsearch, the `service.node.role` could be `master` or `data`. Other services could use this to distinguish between a `web` and `worker` role running as part of the service. + - name: node.roles + level: extended + type: keyword + example: "[\"ui\", \"background_tasks\"]" + normalize: + - array + short: Roles of the service node. + description: > + Roles of a service node. + + This allows for distinction between different running roles of the same service. + + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` or both. + + In the case of Elasticsearch, the `service.node.role` could be `master` or `data` or both. + + Other services could use this to distinguish between a `web` and `worker` role running as part of the service. + - name: type level: core type: keyword From 498ec821e8d24497b4323046188e1374dc0b8526 Mon Sep 17 00:00:00 2001 From: Kylie Geller Date: Wed, 6 Jul 2022 13:00:01 -0400 Subject: [PATCH 006/186] [main] changelog for 8.3.1 (#1983) (#1986) --- CHANGELOG.md | 8 ++++++++ CHANGELOG.next.md | 8 -------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bd4ab6fa90..87ab71e926 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
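Review bot: The description of the new `node.roles` field in the `schemas/service.yml` hunk (`@@ -129,12 +129,30 @@`), and every generated copy of it in `ecs_flat.yml` and `ecs_nested.yml`, still names the singular field in its examples: "In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` or both." and "In the case of Elasticsearch, the `service.node.role` could be `master` or `data` or both." Since this is the plural array field that supersedes the deprecated one, those sentences should read `service.node.roles`; otherwise the generated docs for the replacement field send readers back to the field being deprecated. Fixing it in `schemas/service.yml` and regenerating will propagate the change to the flat, nested, CSV and Beats artifacts.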
@@ -3,6 +3,14 @@ # CHANGELOG All notable changes to this project will be documented in this file based on the [Keep a Changelog](http://keepachangelog.com/) Standard. This project adheres to [Semantic Versioning](http://semver.org/). +## [8.3.1](https://github.com/elastic/ecs/compare/v8.3.0...v8.3.1) + +### Schema Changes + +#### Deprecated + +* Deprecate `service.node.role` in favor of upcoming `service.node.roles`. #1976 + ## [8.3.0](https://github.com/elastic/ecs/compare/v8.2.1...v8.3.0) ### Schema Changes diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index a447d741e9..7eb5ee4233 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -67,14 +67,6 @@ Thanks, you're awesome :-) --> #### Deprecated -## 8.3.1 - -### Schema Changes - -#### Deprecated - -* Deprecate `service.node.role` in favor of upcoming `service.node.roles`. #1976 - #### Bugfixes +* Added Deprecation Warning for `misspell` task #1993 + #### Added * Introduce `expected_values` attribute. #1952 diff --git a/Makefile b/Makefile index f9abc5c287..d6e65d4a45 100644 --- a/Makefile +++ b/Makefile @@ -20,7 +20,7 @@ all: generate experimental # Check verifies that all of the committed files that are generated are # up-to-date. .PHONY: check -check: generate experimental test fmt misspell makelint +check: generate experimental test fmt misspell_warn makelint # Check if diff is empty. git diff | cat git update-index --refresh @@ -86,6 +86,11 @@ misspell: fi ./build/misspell/bin/misspell -error README.md CONTRIBUTING.md schemas/* docs/* experimental/schemas/* +# Warn re misspell removal +.PHONY: misspell_warn +misspell_warn: + @echo "Warning: due to lack of cross-platform support, misspell is no longer included in this task and may be deprecated in future\n" + .PHONY: reload_docs reload_docs: generator docs From cfe519602c5d362c22421f1cf63891d5dbad4fa7 Mon Sep 17 00:00:00 2001 
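Review bot: The `check` target in the `Makefile` hunk (`@@ -20,7 +20,7 @@`) now depends on `misspell_warn` instead of `misspell`, so `make check` no longer runs any spell check at all, while the `misspell` target (which still invokes `./build/misspell/bin/misspell -error ...`) is left in place unused. If the intent is a deprecation warning rather than immediate removal, `misspell_warn` could print the warning and still run `misspell` when the binary is present; if the intent really is removal from `check`, the CHANGELOG entry ("Added Deprecation Warning for `misspell` task") should say that `check` no longer performs spell checking.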
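Review bot: The new `misspell_warn` recipe (`@@ -86,6 +86,11 @@`) ends its message with a literal `\n` inside `@echo "..."`; whether `echo` expands that escape depends on the shell Make invokes (dash does, bash's builtin does not without `-e`), so on some platforms the warning prints a trailing `\n` verbatim. Use `printf '%s\n\n' "Warning: ..."` or drop the escape and let `echo` supply the newline.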
From: Apoorva Joshi <30438249+ajosh0504@users.noreply.github.com> Date: Tue, 12 Jul 2022 20:09:34 +0200 Subject: [PATCH 010/186] [RFC 0031] Risk Fields- Stage 1 (#1744) --- rfcs/text/0031-risk-fields.md | 61 ++++++++++++++++++++++++++++++----- 1 file changed, 53 insertions(+), 8 deletions(-) diff --git a/rfcs/text/0031-risk-fields.md b/rfcs/text/0031-risk-fields.md index 5257f4e9da..313e9781f2 100644 --- a/rfcs/text/0031-risk-fields.md +++ b/rfcs/text/0031-risk-fields.md 
@@ -1,12 +1,12 @@ # 0031: Risk fields for multiple entities -- Stage: **0 (strawperson)** -- Date: **2022/01/27** +- Stage: **1 (draft)** +- Date: **2022/07/12** -In 7.16, we released an experimental feature in the Security solution, called [Host Risk Score](https://www.elastic.co/guide/en/security/7.17/host-risk-score.html). Initially, the requirement of the feature was limited to surfacing risky hosts in a customer environment. As the feature matures, we want to further integrate it into the Security solution, and be able to perform filtering and sorting operations based on the risk information. Furthermore, there's also work currently in progress for a User Risk Score functionality, which will highlight users at risk within the Security solutions. Both these features (and potentially others) currently do not use could benefit from having a reusable risk field set highlighting information like risk score, risk level, contributors to risk etc. +In 7.16, we released an experimental feature in the Security solution, called [Host Risk Score](https://www.elastic.co/guide/en/security/7.17/host-risk-score.html). Initially, the requirement of the feature was limited to surfacing risky hosts in a customer environment. As the feature matures, we want to further integrate it into the Security solution, and be able to perform filtering and sorting operations based on the risk information. Furthermore, there's also work currently in progress for a User Risk Score functionality, which will highlight users at risk within the Security solution. Both these features (and potentially others) currently could benefit from having a reusable risk field set highlighting information like risk score, risk level, contributors to risk etc. 
+The `risk` fields being proposed are as follows: + +Field | Type | Example | Description | Use Case +-- | -- | -- | -- | -- +risk.calculated_score | float | 880.73 | A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring | Can be used to indicate the risk associated with a particular host +risk.calculated_score_norm | float | 88.73 | A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100 | Can be used to indicate the risk associated with a particular host +risk.static_score | float | 830.0 | A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform | Can be used to indicate the projected risk of a particular host based on a trusted third party intelligence feed +risk.static_score_norm | float | 83.0 | A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100 | Can be used to indicate the projected risk of a particular host based on a trusted third party intelligence feed +risk.calculated_level | keyword | High | A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring | Can be used to indicate the risk associated with a particular host +risk.static_level | keyword | High | A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform | Can be used to indicate the projected risk of a particular host based on a trusted third party intelligence feed + +### Nesting `risk.*` fields under other fields +The `risk.*` fields mentioned above can be used to quantify the amount of risk associated with entities like hosts, users etc. 
For example, a host with a high risk score would imply that the probability of the host being exposed to harm during a cyber attack or breach is high. Attaching risk to entities can help analysts identify entities that require their immediate attention and hence drive investigations in a more systematic manner. + +To begin with, the `risk.*` fields could be nested under the existing `host.*` and `user.*` fields, since hosts and users tend to be important entities during investigations. +As mentioned previously, we have released an experimental feature called Host Risk Score in the Security solution recently. As of 7.16, the feature has some real estate on the Overview page and the Alert Flyout within the Security solution, as documented [here](https://www.elastic.co/guide/en/security/8.0/host-risk-score.html). In 8.1, users will also be able to see host risk information on the Hosts page and Host Details page as well. + +In addition to Host Risk Score, there is work currently in progress to introduce a Users page in the Security solution and a User Risk Scoring capability. Entities at risk is a new concept for users of the Security solution. Defining and normalizing this concept of entity risk using the `risk` fields will be crucial for users to get the most out of the Host and User Risk Scoring capabilities when they go GA. + +Furthermore, these `risk` fields will provide users with an additional vector to filter, sort and correlate information within the Security solution. 
For example, users will be able to start investigations by running queries like the following: +* "Show me the most critical and high-risk Windows hosts in my environment" +* "Show me the activity that contributed towards making Host X high-risk" +* "Show me how the risk of Host X changed over time" +* "Show me Critical and high-risk users on Host X" + ## Source data - +The Host and User Risk Score views in the Security solution are/will be backed by indices produced as a result of running [transforms](https://www.elastic.co/guide/en/elasticsearch/reference/current/put-transform.html) on a variety of data sources, not limited to the alerts data streams. An example document produced by the Host Risk Score transform in the absence of ECS `risk` fields looks as follows: + +``` +{ + "risk_stats": { + "risk_score": 78.61701409613882 + }, + "risk": "High" +} +``` + +With the introduction of ECS `risk` fields, fields in the above document would look as follows: + +``` +{ + "risk": { + "calculated_risk_score_norm": 78.61701409613882, + "calculated_level": "High" + } +} +``` @@ -61,6 +106,7 @@ The goal here is to research and understand the impact of these changes on users +Events and detection rules in the Security solution already have a risk score and/or severity associated with them. We might need to update these assets to use the new `risk` fieldset, otherwise it might potentially get confusing for users. @@ -99,7 +147,4 @@ e.g.: * Stage 0: https://github.com/elastic/ecs/pull/1740 - +* Stage 1: https://github.com/elastic/ecs/pull/1744 From 643076a1f6871acd1cd824973872bc38cc42e894 Mon Sep 17 00:00:00 2001 
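Review bot: The field name in the "Source data" example does not match the proposal table. The post-ECS document uses `"calculated_risk_score_norm"`, but the table defines `risk.calculated_score_norm` (and no `calculated_risk_score_norm` field exists in it). The example should use `calculated_score_norm`. The same example also shows `risk` as a top-level object, whereas the "Nesting `risk.*` fields under other fields" section proposes placing these under `host.*` and `user.*`; an example keyed as `host.risk.calculated_score_norm` / `host.risk.calculated_level` would match the transform output the section describes.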
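Review bot: The proposal table says the `*_norm` fields are "normalized to a range of 0 to 100" but never states the normalization, and the example values do not follow one consistent mapping: `risk.static_score` 830.0 becomes `risk.static_score_norm` 83.0 (divide by ten), while `risk.calculated_score` 880.73 becomes `risk.calculated_score_norm` 88.73 rather than 88.073. Either document the normalization rule (or state that it is implementation-defined and only the 0-100 bound is guaranteed) or make the example pairs consistent, since consumers will otherwise infer a relation between the raw and normalized fields that does not hold.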
From: Kylie Geller Date: Tue, 19 Jul 2022 10:07:53 -0400 Subject: [PATCH 011/186] GA threat.enrichments.indicator (#1928) --- CHANGELOG.next.md | 2 + docs/fields/field-details.asciidoc | 114 +++++++--------------- experimental/generated/ecs/ecs_flat.yml | 21 ---- experimental/generated/ecs/ecs_nested.yml | 46 ++------- generated/ecs/ecs_flat.yml | 21 ---- generated/ecs/ecs_nested.yml | 46 ++------- schemas/as.yml | 1 - schemas/file.yml | 1 - schemas/geo.yml | 1 - schemas/registry.yml | 1 - schemas/threat.yml | 21 ---- schemas/url.yml | 1 - schemas/x509.yml | 1 - 13 files changed, 47 insertions(+), 230 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 1660cf6195..80cbaaa50c 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -18,6 +18,8 @@ Thanks, you're awesome :-) --> #### Improvements +* Advances `threat.enrichments.indicator` to GA. #1928 + #### Deprecated ### Tooling and Artifact Changes diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index 6eccd77281..7e03edec56 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -9089,9 +9089,7 @@ These fields are for users to classify alerts from all of their sources (e.g. ID [[field-threat-enrichments]] <> -a| beta:[ This field is beta and subject to change. ] - -A list of associated indicators objects enriching the event, and the context of that association/enrichment. +a| A list of associated indicators objects enriching the event, and the context of that association/enrichment. type: nested @@ -9110,9 +9108,7 @@ Note: this field should contain an array of values. [[field-threat-enrichments-indicator]] <> -a| beta:[ This field is beta and subject to change. ] - -Object containing associated indicators enriching the event. +a| Object containing associated indicators enriching the event. type: object 
@@ -9128,9 +9124,7 @@ type: object [[field-threat-enrichments-indicator-confidence]] <> -a| beta:[ This field is beta and subject to change. ] - -Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. +a| Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values for this field: @@ -9154,9 +9148,7 @@ example: `Medium` [[field-threat-enrichments-indicator-description]] <> -a| beta:[ This field is beta and subject to change. ] - -Describes the type of action conducted by the threat. +a| Describes the type of action conducted by the threat. type: keyword @@ -9172,9 +9164,7 @@ example: `IP x.x.x.x was observed delivering the Angler EK.` [[field-threat-enrichments-indicator-email-address]] <> -a| beta:[ This field is beta and subject to change. ] - -Identifies a threat indicator as an email address (irrespective of direction). +a| Identifies a threat indicator as an email address (irrespective of direction). type: keyword @@ -9190,9 +9180,7 @@ example: `phish@example.com` [[field-threat-enrichments-indicator-first-seen]] <> -a| beta:[ This field is beta and subject to change. ] - -The date and time when intelligence source first reported sighting this indicator. +a| The date and time when intelligence source first reported sighting this indicator. type: date @@ -9208,9 +9196,7 @@ example: `2020-11-05T17:25:47.000Z` [[field-threat-enrichments-indicator-ip]] <> -a| beta:[ This field is beta and subject to change. ] - -Identifies a threat indicator as an IP address (irrespective of direction). +a| Identifies a threat indicator as an IP address (irrespective of direction). type: ip 
@@ -9226,9 +9212,7 @@ example: `1.2.3.4` [[field-threat-enrichments-indicator-last-seen]] <> -a| beta:[ This field is beta and subject to change. ] - -The date and time when intelligence source last reported sighting this indicator. +a| The date and time when intelligence source last reported sighting this indicator. type: date @@ -9244,9 +9228,7 @@ example: `2020-11-05T17:25:47.000Z` [[field-threat-enrichments-indicator-marking-tlp]] <> -a| beta:[ This field is beta and subject to change. ] - -Traffic Light Protocol sharing markings. +a| Traffic Light Protocol sharing markings. Expected values for this field: @@ -9269,9 +9251,7 @@ example: `WHITE` [[field-threat-enrichments-indicator-modified-at]] <> -a| beta:[ This field is beta and subject to change. ] - -The date and time when intelligence source last modified information for this indicator. +a| The date and time when intelligence source last modified information for this indicator. type: date @@ -9287,9 +9267,7 @@ example: `2020-11-05T17:25:47.000Z` [[field-threat-enrichments-indicator-port]] <> -a| beta:[ This field is beta and subject to change. ] - -Identifies a threat indicator as a port number (irrespective of direction). +a| Identifies a threat indicator as a port number (irrespective of direction). type: long @@ -9305,9 +9283,7 @@ example: `443` [[field-threat-enrichments-indicator-provider]] <> -a| beta:[ This field is beta and subject to change. ] - -The name of the indicator's provider. +a| The name of the indicator's provider. type: keyword @@ -9323,9 +9299,7 @@ example: `lrz_urlhaus` [[field-threat-enrichments-indicator-reference]] <> -a| beta:[ This field is beta and subject to change. ] - -Reference URL linking to additional information about this indicator. +a| Reference URL linking to additional information about this indicator. type: keyword 
@@ -9341,9 +9315,7 @@ example: `https://system.example.com/indicator/0001234` [[field-threat-enrichments-indicator-scanner-stats]] <> -a| beta:[ This field is beta and subject to change. ] - -Count of AV/EDR vendors that successfully detected malicious file or URL. +a| Count of AV/EDR vendors that successfully detected malicious file or URL. type: long @@ -9359,9 +9331,7 @@ example: `4` [[field-threat-enrichments-indicator-sightings]] <> -a| beta:[ This field is beta and subject to change. ] - -Number of times this indicator was observed conducting threat activity. +a| Number of times this indicator was observed conducting threat activity. type: long @@ -9377,9 +9347,7 @@ example: `20` [[field-threat-enrichments-indicator-type]] <> -a| beta:[ This field is beta and subject to change. ] - -Type of indicator as represented by Cyber Observable in STIX 2.0. +a| Type of indicator as represented by Cyber Observable in STIX 2.0. Expected values for this field: @@ -9415,9 +9383,7 @@ example: `ipv4-addr` [[field-threat-enrichments-matched-atomic]] <> -a| beta:[ This field is beta and subject to change. ] - -Identifies the atomic indicator value that matched a local environment endpoint or network event. +a| Identifies the atomic indicator value that matched a local environment endpoint or network event. type: keyword @@ -9433,9 +9399,7 @@ example: `bad-domain.com` [[field-threat-enrichments-matched-field]] <> -a| beta:[ This field is beta and subject to change. ] - -Identifies the field of the atomic indicator that matched a local environment endpoint or network event. +a| Identifies the field of the atomic indicator that matched a local environment endpoint or network event. type: keyword 
@@ -9451,9 +9415,7 @@ example: `file.hash.sha256` [[field-threat-enrichments-matched-id]] <> -a| beta:[ This field is beta and subject to change. ] - -Identifies the _id of the indicator document enriching the event. +a| Identifies the _id of the indicator document enriching the event. type: keyword @@ -9469,9 +9431,7 @@ example: `ff93aee5-86a1-4a61-b0e6-0cdc313d01b5` [[field-threat-enrichments-matched-index]] <> -a| beta:[ This field is beta and subject to change. ] - -Identifies the _index of the indicator document enriching the event. +a| Identifies the _index of the indicator document enriching the event. type: keyword @@ -9503,9 +9463,7 @@ example: `2021-10-05T17:00:58.326Z` [[field-threat-enrichments-matched-type]] <> -a| beta:[ This field is beta and subject to change. ] - -Identifies the type of match that caused the event to be enriched with the given indicator +a| Identifies the type of match that caused the event to be enriched with the given indicator type: keyword 
@@ -10263,49 +10221,43 @@ example: `https://attack.mitre.org/techniques/T1059/001/` | `threat.enrichments.indicator.as.*` -| <>| beta:[ Reusing the `as` fields in this location is currently considered beta.] - -Fields describing an Autonomous System (Internet routing prefix). +| <> +| Fields describing an Autonomous System (Internet routing prefix). // =============================================================== | `threat.enrichments.indicator.file.*` -| <>| beta:[ Reusing the `file` fields in this location is currently considered beta.] - -Fields describing files. +| <> +| Fields describing files. // =============================================================== | `threat.enrichments.indicator.geo.*` -| <>| beta:[ Reusing the `geo` fields in this location is currently considered beta.] - -Fields describing a location. +| <> +| Fields describing a location. // =============================================================== | `threat.enrichments.indicator.registry.*` -| <>| beta:[ Reusing the `registry` fields in this location is currently considered beta.] - -Fields related to Windows Registry operations. +| <> +| Fields related to Windows Registry operations. // =============================================================== | `threat.enrichments.indicator.url.*` -| <>| beta:[ Reusing the `url` fields in this location is currently considered beta.] - -Fields that let you store URLs in various forms. +| <> +| Fields that let you store URLs in various forms. // =============================================================== | `threat.enrichments.indicator.x509.*` -| <>| beta:[ Reusing the `x509` fields in this location is currently considered beta.] - -These fields contain x509 certificate metadata. +| <> +| These fields contain x509 certificate metadata. // =============================================================== diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index f91484cf01..0743817d9c 100644 
--- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -12245,7 +12245,6 @@ tags: short: List of keywords used to tag each event. type: keyword threat.enrichments: - beta: This field is beta and subject to change. dashed_name: threat-enrichments description: A list of associated indicators objects enriching the event, and the context of that association/enrichment. @@ -12257,7 +12256,6 @@ threat.enrichments: short: List of objects containing indicators enriching the event. type: nested threat.enrichments.indicator: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator description: Object containing associated indicators enriching the event. flat_name: threat.enrichments.indicator @@ -12295,7 +12293,6 @@ threat.enrichments.indicator.as.organization.name: short: Organization name. type: keyword threat.enrichments.indicator.confidence: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-confidence description: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence @@ -12315,7 +12312,6 @@ threat.enrichments.indicator.confidence: short: Indicator confidence rating type: keyword threat.enrichments.indicator.description: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-description description: Describes the type of action conducted by the threat. example: IP x.x.x.x was observed delivering the Angler EK. @@ -12327,7 +12323,6 @@ threat.enrichments.indicator.description: short: Indicator description type: keyword threat.enrichments.indicator.email.address: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-email-address description: Identifies a threat indicator as an email address (irrespective of direction). 
@@ -13578,7 +13573,6 @@ threat.enrichments.indicator.file.x509.version_number: short: Version of x509 format. type: keyword threat.enrichments.indicator.first_seen: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-first-seen description: The date and time when intelligence source first reported sighting this indicator. @@ -13730,7 +13724,6 @@ threat.enrichments.indicator.geo.timezone: short: Time zone. type: keyword threat.enrichments.indicator.ip: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-ip description: Identifies a threat indicator as an IP address (irrespective of direction). example: 1.2.3.4 @@ -13741,7 +13734,6 @@ threat.enrichments.indicator.ip: short: Indicator IP address type: ip threat.enrichments.indicator.last_seen: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-last-seen description: The date and time when intelligence source last reported sighting this indicator. @@ -13753,7 +13745,6 @@ threat.enrichments.indicator.last_seen: short: Date/time indicator was last reported. type: date threat.enrichments.indicator.marking.tlp: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-marking-tlp description: Traffic Light Protocol sharing markings. example: WHITE @@ -13770,7 +13761,6 @@ threat.enrichments.indicator.marking.tlp: short: Indicator TLP marking type: keyword threat.enrichments.indicator.modified_at: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-modified-at description: The date and time when intelligence source last modified information for this indicator. 
@@ -13782,7 +13772,6 @@ threat.enrichments.indicator.modified_at: short: Date/time indicator was last updated. type: date threat.enrichments.indicator.port: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-port description: Identifies a threat indicator as a port number (irrespective of direction). example: 443 @@ -13793,7 +13782,6 @@ threat.enrichments.indicator.port: short: Indicator port type: long threat.enrichments.indicator.provider: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-provider description: The name of the indicator's provider. example: lrz_urlhaus @@ -13805,7 +13793,6 @@ threat.enrichments.indicator.provider: short: Indicator provider type: keyword threat.enrichments.indicator.reference: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-reference description: Reference URL linking to additional information about this indicator. example: https://system.example.com/indicator/0001234 @@ -13912,7 +13899,6 @@ threat.enrichments.indicator.registry.value: short: Name of the value written. type: keyword threat.enrichments.indicator.scanner_stats: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-scanner-stats description: Count of AV/EDR vendors that successfully detected malicious file or URL. @@ -13924,7 +13910,6 @@ threat.enrichments.indicator.scanner_stats: short: Scanner statistics type: long threat.enrichments.indicator.sightings: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-sightings description: Number of times this indicator was observed conducting threat activity. example: 20 
@@ -13935,7 +13920,6 @@ threat.enrichments.indicator.sightings: short: Number of times indicator observed type: long threat.enrichments.indicator.type: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-type description: Type of indicator as represented by Cyber Observable in STIX 2.0. example: ipv4-addr @@ -14489,7 +14473,6 @@ threat.enrichments.indicator.x509.version_number: short: Version of x509 format. type: keyword threat.enrichments.matched.atomic: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-atomic description: Identifies the atomic indicator value that matched a local environment endpoint or network event. @@ -14502,7 +14485,6 @@ threat.enrichments.matched.atomic: short: Matched indicator value type: keyword threat.enrichments.matched.field: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-field description: Identifies the field of the atomic indicator that matched a local environment endpoint or network event. @@ -14515,7 +14497,6 @@ threat.enrichments.matched.field: short: Matched indicator field type: keyword threat.enrichments.matched.id: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-id description: Identifies the _id of the indicator document enriching the event. example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 @@ -14527,7 +14508,6 @@ threat.enrichments.matched.id: short: Matched indicator identifier type: keyword threat.enrichments.matched.index: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-index description: Identifies the _index of the indicator document enriching the event. example: filebeat-8.0.0-2021.05.23-000011 
@@ -14549,7 +14529,6 @@ threat.enrichments.matched.occurred: short: Date of match type: date threat.enrichments.matched.type: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-type description: Identifies the type of match that caused the event to be enriched with the given indicator diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 3564f2019f..0b75c8593b 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -153,7 +153,6 @@ as: full: threat.indicator.as - as: as at: threat.enrichments.indicator - beta: Reusing the `as` fields in this location is currently considered beta. full: threat.enrichments.indicator.as top_level: false short: Fields describing an Autonomous System (Internet routing prefix). @@ -5706,7 +5705,6 @@ file: full: threat.indicator.file - as: file at: threat.enrichments.indicator - beta: Reusing the `file` fields in this location is currently considered beta. full: threat.enrichments.indicator.file top_level: true reused_here: @@ -5893,7 +5891,6 @@ geo: full: threat.indicator.geo - as: geo at: threat.enrichments.indicator - beta: Reusing the `geo` fields in this location is currently considered beta. full: threat.enrichments.indicator.geo top_level: false short: Fields describing a location. @@ -12453,8 +12450,6 @@ registry: full: threat.indicator.registry - as: registry at: threat.enrichments.indicator - beta: Reusing the `registry` fields in this location is currently considered - beta. full: threat.enrichments.indicator.registry top_level: true short: Fields related to Windows Registry operations. @@ -14315,7 +14310,6 @@ threat: \ (e.g. \"endpoint denial of service\")." fields: threat.enrichments: - beta: This field is beta and subject to change. dashed_name: threat-enrichments description: A list of associated indicators objects enriching the event, and the context of that association/enrichment. 
@@ -14327,7 +14321,6 @@ threat: short: List of objects containing indicators enriching the event. type: nested threat.enrichments.indicator: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator description: Object containing associated indicators enriching the event. flat_name: threat.enrichments.indicator @@ -14365,7 +14358,6 @@ threat: short: Organization name. type: keyword threat.enrichments.indicator.confidence: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-confidence description: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence @@ -14385,7 +14377,6 @@ threat: short: Indicator confidence rating type: keyword threat.enrichments.indicator.description: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-description description: Describes the type of action conducted by the threat. example: IP x.x.x.x was observed delivering the Angler EK. @@ -14397,7 +14388,6 @@ threat: short: Indicator description type: keyword threat.enrichments.indicator.email.address: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-email-address description: Identifies a threat indicator as an email address (irrespective of direction). @@ -15648,7 +15638,6 @@ threat: short: Version of x509 format. type: keyword threat.enrichments.indicator.first_seen: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-first-seen description: The date and time when intelligence source first reported sighting this indicator. 
@@ -15800,7 +15789,6 @@ threat: short: Time zone. type: keyword threat.enrichments.indicator.ip: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-ip description: Identifies a threat indicator as an IP address (irrespective of direction). @@ -15812,7 +15800,6 @@ threat: short: Indicator IP address type: ip threat.enrichments.indicator.last_seen: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-last-seen description: The date and time when intelligence source last reported sighting this indicator. @@ -15824,7 +15811,6 @@ threat: short: Date/time indicator was last reported. type: date threat.enrichments.indicator.marking.tlp: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-marking-tlp description: Traffic Light Protocol sharing markings. example: WHITE @@ -15841,7 +15827,6 @@ threat: short: Indicator TLP marking type: keyword threat.enrichments.indicator.modified_at: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-modified-at description: The date and time when intelligence source last modified information for this indicator. @@ -15853,7 +15838,6 @@ threat: short: Date/time indicator was last updated. type: date threat.enrichments.indicator.port: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-port description: Identifies a threat indicator as a port number (irrespective of direction). @@ -15865,7 +15849,6 @@ threat: short: Indicator port type: long threat.enrichments.indicator.provider: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-provider description: The name of the indicator's provider. example: lrz_urlhaus 
@@ -15877,7 +15860,6 @@ threat: short: Indicator provider type: keyword threat.enrichments.indicator.reference: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-reference description: Reference URL linking to additional information about this indicator. example: https://system.example.com/indicator/0001234 @@ -15984,7 +15966,6 @@ threat: short: Name of the value written. type: keyword threat.enrichments.indicator.scanner_stats: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-scanner-stats description: Count of AV/EDR vendors that successfully detected malicious file or URL. @@ -15996,7 +15977,6 @@ threat: short: Scanner statistics type: long threat.enrichments.indicator.sightings: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-sightings description: Number of times this indicator was observed conducting threat activity. example: 20 @@ -16007,7 +15987,6 @@ threat: short: Number of times indicator observed type: long threat.enrichments.indicator.type: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-type description: Type of indicator as represented by Cyber Observable in STIX 2.0. example: ipv4-addr @@ -16563,7 +16542,6 @@ threat: short: Version of x509 format. type: keyword threat.enrichments.matched.atomic: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-atomic description: Identifies the atomic indicator value that matched a local environment endpoint or network event. @@ -16576,7 +16554,6 @@ threat: short: Matched indicator value type: keyword threat.enrichments.matched.field: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-field description: Identifies the field of the atomic indicator that matched a local environment endpoint or network event. 
@@ -16589,7 +16566,6 @@ threat: short: Matched indicator field type: keyword threat.enrichments.matched.id: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-id description: Identifies the _id of the indicator document enriching the event. example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 @@ -16601,7 +16577,6 @@ threat: short: Matched indicator identifier type: keyword threat.enrichments.matched.index: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-index description: Identifies the _index of the indicator document enriching the event. example: filebeat-8.0.0-2021.05.23-000011 @@ -16623,7 +16598,6 @@ threat: short: Date of match type: date threat.enrichments.matched.type: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-type description: Identifies the type of match that caused the event to be enriched with the given indicator 
@@ -19199,43 +19173,37 @@ threat: - full: threat.indicator.x509 schema_name: x509 short: These fields contain x509 certificate metadata. - - beta: Reusing the `x509` fields in this location is currently considered beta. - full: threat.enrichments.indicator.x509 + - full: threat.enrichments.indicator.x509 schema_name: x509 short: These fields contain x509 certificate metadata. - full: threat.indicator.as schema_name: as short: Fields describing an Autonomous System (Internet routing prefix). - - beta: Reusing the `as` fields in this location is currently considered beta. - full: threat.enrichments.indicator.as + - full: threat.enrichments.indicator.as schema_name: as short: Fields describing an Autonomous System (Internet routing prefix). - full: threat.indicator.file schema_name: file short: Fields describing files. - - beta: Reusing the `file` fields in this location is currently considered beta. - full: threat.enrichments.indicator.file + - full: threat.enrichments.indicator.file schema_name: file short: Fields describing files. - full: threat.indicator.geo schema_name: geo short: Fields describing a location. - - beta: Reusing the `geo` fields in this location is currently considered beta. - full: threat.enrichments.indicator.geo + - full: threat.enrichments.indicator.geo schema_name: geo short: Fields describing a location. - full: threat.indicator.registry schema_name: registry short: Fields related to Windows Registry operations. - - beta: Reusing the `registry` fields in this location is currently considered beta. - full: threat.enrichments.indicator.registry + - full: threat.enrichments.indicator.registry schema_name: registry short: Fields related to Windows Registry operations. - full: threat.indicator.url schema_name: url short: Fields that let you store URLs in various forms. - - beta: Reusing the `url` fields in this location is currently considered beta. 
- full: threat.enrichments.indicator.url + - full: threat.enrichments.indicator.url schema_name: url short: Fields that let you store URLs in various forms. short: Fields to classify events and alerts according to a threat taxonomy. @@ -20517,7 +20485,6 @@ url: full: threat.indicator.url - as: url at: threat.enrichments.indicator - beta: Reusing the `url` fields in this location is currently considered beta. full: threat.enrichments.indicator.url top_level: true short: Fields that let you store URLs in various forms. @@ -21834,7 +21801,6 @@ x509: full: threat.indicator.x509 - as: x509 at: threat.enrichments.indicator - beta: Reusing the `x509` fields in this location is currently considered beta. full: threat.enrichments.indicator.x509 - as: x509 at: tls.client diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 7ade1b8cf1..d01a605fab 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -12176,7 +12176,6 @@ tags: short: List of keywords used to tag each event. type: keyword threat.enrichments: - beta: This field is beta and subject to change. dashed_name: threat-enrichments description: A list of associated indicators objects enriching the event, and the context of that association/enrichment. @@ -12188,7 +12187,6 @@ threat.enrichments: short: List of objects containing indicators enriching the event. type: nested threat.enrichments.indicator: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator description: Object containing associated indicators enriching the event. flat_name: threat.enrichments.indicator 
@@ -12226,7 +12224,6 @@ threat.enrichments.indicator.as.organization.name: short: Organization name. type: keyword threat.enrichments.indicator.confidence: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-confidence description: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence @@ -12246,7 +12243,6 @@ threat.enrichments.indicator.confidence: short: Indicator confidence rating type: keyword threat.enrichments.indicator.description: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-description description: Describes the type of action conducted by the threat. example: IP x.x.x.x was observed delivering the Angler EK. @@ -12258,7 +12254,6 @@ threat.enrichments.indicator.description: short: Indicator description type: keyword threat.enrichments.indicator.email.address: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-email-address description: Identifies a threat indicator as an email address (irrespective of direction). @@ -13509,7 +13504,6 @@ threat.enrichments.indicator.file.x509.version_number: short: Version of x509 format. type: keyword threat.enrichments.indicator.first_seen: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-first-seen description: The date and time when intelligence source first reported sighting this indicator. @@ -13661,7 +13655,6 @@ threat.enrichments.indicator.geo.timezone: short: Time zone. type: keyword threat.enrichments.indicator.ip: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-ip description: Identifies a threat indicator as an IP address (irrespective of direction). example: 1.2.3.4 
@@ -13672,7 +13665,6 @@ threat.enrichments.indicator.ip: short: Indicator IP address type: ip threat.enrichments.indicator.last_seen: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-last-seen description: The date and time when intelligence source last reported sighting this indicator. @@ -13684,7 +13676,6 @@ threat.enrichments.indicator.last_seen: short: Date/time indicator was last reported. type: date threat.enrichments.indicator.marking.tlp: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-marking-tlp description: Traffic Light Protocol sharing markings. example: WHITE @@ -13701,7 +13692,6 @@ threat.enrichments.indicator.marking.tlp: short: Indicator TLP marking type: keyword threat.enrichments.indicator.modified_at: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-modified-at description: The date and time when intelligence source last modified information for this indicator. @@ -13713,7 +13703,6 @@ threat.enrichments.indicator.modified_at: short: Date/time indicator was last updated. type: date threat.enrichments.indicator.port: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-port description: Identifies a threat indicator as a port number (irrespective of direction). example: 443 @@ -13724,7 +13713,6 @@ threat.enrichments.indicator.port: short: Indicator port type: long threat.enrichments.indicator.provider: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-provider description: The name of the indicator's provider. example: lrz_urlhaus 
@@ -13736,7 +13724,6 @@ threat.enrichments.indicator.provider: short: Indicator provider type: keyword threat.enrichments.indicator.reference: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-reference description: Reference URL linking to additional information about this indicator. example: https://system.example.com/indicator/0001234 @@ -13843,7 +13830,6 @@ threat.enrichments.indicator.registry.value: short: Name of the value written. type: keyword threat.enrichments.indicator.scanner_stats: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-scanner-stats description: Count of AV/EDR vendors that successfully detected malicious file or URL. @@ -13855,7 +13841,6 @@ threat.enrichments.indicator.scanner_stats: short: Scanner statistics type: long threat.enrichments.indicator.sightings: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-sightings description: Number of times this indicator was observed conducting threat activity. example: 20 @@ -13866,7 +13851,6 @@ threat.enrichments.indicator.sightings: short: Number of times indicator observed type: long threat.enrichments.indicator.type: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-type description: Type of indicator as represented by Cyber Observable in STIX 2.0. example: ipv4-addr @@ -14420,7 +14404,6 @@ threat.enrichments.indicator.x509.version_number: short: Version of x509 format. type: keyword threat.enrichments.matched.atomic: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-atomic description: Identifies the atomic indicator value that matched a local environment endpoint or network event. 
@@ -14433,7 +14416,6 @@ threat.enrichments.matched.atomic: short: Matched indicator value type: keyword threat.enrichments.matched.field: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-field description: Identifies the field of the atomic indicator that matched a local environment endpoint or network event. @@ -14446,7 +14428,6 @@ threat.enrichments.matched.field: short: Matched indicator field type: keyword threat.enrichments.matched.id: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-id description: Identifies the _id of the indicator document enriching the event. example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 @@ -14458,7 +14439,6 @@ threat.enrichments.matched.id: short: Matched indicator identifier type: keyword threat.enrichments.matched.index: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-index description: Identifies the _index of the indicator document enriching the event. example: filebeat-8.0.0-2021.05.23-000011 @@ -14480,7 +14460,6 @@ threat.enrichments.matched.occurred: short: Date of match type: date threat.enrichments.matched.type: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-type description: Identifies the type of match that caused the event to be enriched with the given indicator diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 62185d1d4a..df3b90e117 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -153,7 +153,6 @@ as: full: threat.indicator.as - as: as at: threat.enrichments.indicator - beta: Reusing the `as` fields in this location is currently considered beta. full: threat.enrichments.indicator.as top_level: false short: Fields describing an Autonomous System (Internet routing prefix). 
@@ -5626,7 +5625,6 @@ file: full: threat.indicator.file - as: file at: threat.enrichments.indicator - beta: Reusing the `file` fields in this location is currently considered beta. full: threat.enrichments.indicator.file top_level: true reused_here: @@ -5813,7 +5811,6 @@ geo: full: threat.indicator.geo - as: geo at: threat.enrichments.indicator - beta: Reusing the `geo` fields in this location is currently considered beta. full: threat.enrichments.indicator.geo top_level: false short: Fields describing a location. @@ -12373,8 +12370,6 @@ registry: full: threat.indicator.registry - as: registry at: threat.enrichments.indicator - beta: Reusing the `registry` fields in this location is currently considered - beta. full: threat.enrichments.indicator.registry top_level: true short: Fields related to Windows Registry operations. @@ -14235,7 +14230,6 @@ threat: \ (e.g. \"endpoint denial of service\")." fields: threat.enrichments: - beta: This field is beta and subject to change. dashed_name: threat-enrichments description: A list of associated indicators objects enriching the event, and the context of that association/enrichment. @@ -14247,7 +14241,6 @@ threat: short: List of objects containing indicators enriching the event. type: nested threat.enrichments.indicator: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator description: Object containing associated indicators enriching the event. flat_name: threat.enrichments.indicator @@ -14285,7 +14278,6 @@ threat: short: Organization name. type: keyword threat.enrichments.indicator.confidence: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-confidence description: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence 
@@ -14305,7 +14297,6 @@ threat: short: Indicator confidence rating type: keyword threat.enrichments.indicator.description: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-description description: Describes the type of action conducted by the threat. example: IP x.x.x.x was observed delivering the Angler EK. @@ -14317,7 +14308,6 @@ threat: short: Indicator description type: keyword threat.enrichments.indicator.email.address: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-email-address description: Identifies a threat indicator as an email address (irrespective of direction). @@ -15568,7 +15558,6 @@ threat: short: Version of x509 format. type: keyword threat.enrichments.indicator.first_seen: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-first-seen description: The date and time when intelligence source first reported sighting this indicator. @@ -15720,7 +15709,6 @@ threat: short: Time zone. type: keyword threat.enrichments.indicator.ip: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-ip description: Identifies a threat indicator as an IP address (irrespective of direction). @@ -15732,7 +15720,6 @@ threat: short: Indicator IP address type: ip threat.enrichments.indicator.last_seen: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-last-seen description: The date and time when intelligence source last reported sighting this indicator. @@ -15744,7 +15731,6 @@ threat: short: Date/time indicator was last reported. type: date threat.enrichments.indicator.marking.tlp: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-marking-tlp description: Traffic Light Protocol sharing markings. example: WHITE 
@@ -15761,7 +15747,6 @@ threat: short: Indicator TLP marking type: keyword threat.enrichments.indicator.modified_at: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-modified-at description: The date and time when intelligence source last modified information for this indicator. @@ -15773,7 +15758,6 @@ threat: short: Date/time indicator was last updated. type: date threat.enrichments.indicator.port: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-port description: Identifies a threat indicator as a port number (irrespective of direction). @@ -15785,7 +15769,6 @@ threat: short: Indicator port type: long threat.enrichments.indicator.provider: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-provider description: The name of the indicator's provider. example: lrz_urlhaus @@ -15797,7 +15780,6 @@ threat: short: Indicator provider type: keyword threat.enrichments.indicator.reference: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-reference description: Reference URL linking to additional information about this indicator. example: https://system.example.com/indicator/0001234 @@ -15904,7 +15886,6 @@ threat: short: Name of the value written. type: keyword threat.enrichments.indicator.scanner_stats: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-scanner-stats description: Count of AV/EDR vendors that successfully detected malicious file or URL. @@ -15916,7 +15897,6 @@ threat: short: Scanner statistics type: long threat.enrichments.indicator.sightings: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-sightings description: Number of times this indicator was observed conducting threat activity. example: 20 
@@ -15927,7 +15907,6 @@ threat: short: Number of times indicator observed type: long threat.enrichments.indicator.type: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-type description: Type of indicator as represented by Cyber Observable in STIX 2.0. example: ipv4-addr @@ -16483,7 +16462,6 @@ threat: short: Version of x509 format. type: keyword threat.enrichments.matched.atomic: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-atomic description: Identifies the atomic indicator value that matched a local environment endpoint or network event. @@ -16496,7 +16474,6 @@ threat: short: Matched indicator value type: keyword threat.enrichments.matched.field: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-field description: Identifies the field of the atomic indicator that matched a local environment endpoint or network event. @@ -16509,7 +16486,6 @@ threat: short: Matched indicator field type: keyword threat.enrichments.matched.id: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-id description: Identifies the _id of the indicator document enriching the event. example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 @@ -16521,7 +16497,6 @@ threat: short: Matched indicator identifier type: keyword threat.enrichments.matched.index: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-index description: Identifies the _index of the indicator document enriching the event. example: filebeat-8.0.0-2021.05.23-000011 @@ -16543,7 +16518,6 @@ threat: short: Date of match type: date threat.enrichments.matched.type: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-type description: Identifies the type of match that caused the event to be enriched with the given indicator 
@@ -19119,43 +19093,37 @@ threat: - full: threat.indicator.x509 schema_name: x509 short: These fields contain x509 certificate metadata. - - beta: Reusing the `x509` fields in this location is currently considered beta. - full: threat.enrichments.indicator.x509 + - full: threat.enrichments.indicator.x509 schema_name: x509 short: These fields contain x509 certificate metadata. - full: threat.indicator.as schema_name: as short: Fields describing an Autonomous System (Internet routing prefix). - - beta: Reusing the `as` fields in this location is currently considered beta. - full: threat.enrichments.indicator.as + - full: threat.enrichments.indicator.as schema_name: as short: Fields describing an Autonomous System (Internet routing prefix). - full: threat.indicator.file schema_name: file short: Fields describing files. - - beta: Reusing the `file` fields in this location is currently considered beta. - full: threat.enrichments.indicator.file + - full: threat.enrichments.indicator.file schema_name: file short: Fields describing files. - full: threat.indicator.geo schema_name: geo short: Fields describing a location. - - beta: Reusing the `geo` fields in this location is currently considered beta. - full: threat.enrichments.indicator.geo + - full: threat.enrichments.indicator.geo schema_name: geo short: Fields describing a location. - full: threat.indicator.registry schema_name: registry short: Fields related to Windows Registry operations. - - beta: Reusing the `registry` fields in this location is currently considered beta. - full: threat.enrichments.indicator.registry + - full: threat.enrichments.indicator.registry schema_name: registry short: Fields related to Windows Registry operations. - full: threat.indicator.url schema_name: url short: Fields that let you store URLs in various forms. - - beta: Reusing the `url` fields in this location is currently considered beta. 
- full: threat.enrichments.indicator.url + - full: threat.enrichments.indicator.url schema_name: url short: Fields that let you store URLs in various forms. short: Fields to classify events and alerts according to a threat taxonomy. @@ -20437,7 +20405,6 @@ url: full: threat.indicator.url - as: url at: threat.enrichments.indicator - beta: Reusing the `url` fields in this location is currently considered beta. full: threat.enrichments.indicator.url top_level: true short: Fields that let you store URLs in various forms. @@ -21754,7 +21721,6 @@ x509: full: threat.indicator.x509 - as: x509 at: threat.enrichments.indicator - beta: Reusing the `x509` fields in this location is currently considered beta. full: threat.enrichments.indicator.x509 - as: x509 at: tls.client diff --git a/schemas/as.yml b/schemas/as.yml index 754b9c0085..0bf57d38b9 100644 --- a/schemas/as.yml +++ b/schemas/as.yml @@ -35,7 +35,6 @@ as: as - at: threat.enrichments.indicator as: as - beta: Reusing the `as` fields in this location is currently considered beta. type: group fields: diff --git a/schemas/file.yml b/schemas/file.yml index 39de2ff68e..a5e3e76cf7 100644 --- a/schemas/file.yml +++ b/schemas/file.yml @@ -33,7 +33,6 @@ as: file - at: threat.enrichments.indicator as: file - beta: Reusing the `file` fields in this location is currently considered beta. fields: - name: name level: extended diff --git a/schemas/geo.yml b/schemas/geo.yml index 874e43fa1f..bd04a03e9e 100644 --- a/schemas/geo.yml +++ b/schemas/geo.yml @@ -37,7 +37,6 @@ as: geo - at: threat.enrichments.indicator as: geo - beta: Reusing the `geo` fields in this location is currently considered beta. type: group fields: diff --git a/schemas/registry.yml b/schemas/registry.yml index fe058afd0c..93c7409274 100644 --- a/schemas/registry.yml +++ b/schemas/registry.yml 
@@ -27,7 +27,6 @@ as: registry - at: threat.enrichments.indicator as: registry - beta: Reusing the `registry` fields in this location is currently considered beta. fields: - name: hive diff --git a/schemas/threat.yml b/schemas/threat.yml index 6da587aae6..36c1ba4e87 100644 --- a/schemas/threat.yml +++ b/schemas/threat.yml @@ -34,7 +34,6 @@ level: extended type: nested short: List of objects containing indicators enriching the event. - beta: This field is beta and subject to change. description: > A list of associated indicators objects enriching the event, and the context of that association/enrichment. @@ -45,7 +44,6 @@ level: extended type: object short: Object containing indicators enriching the event. - beta: This field is beta and subject to change. description: > Object containing associated indicators enriching the event. @@ -53,7 +51,6 @@ level: extended type: date short: Date/time indicator was first reported. - beta: This field is beta and subject to change. description: > The date and time when intelligence source first reported sighting this indicator. example: "2020-11-05T17:25:47.000Z" @@ -62,7 +59,6 @@ level: extended type: date short: Date/time indicator was last reported. - beta: This field is beta and subject to change. description: > The date and time when intelligence source last reported sighting this indicator. example: "2020-11-05T17:25:47.000Z" @@ -71,7 +67,6 @@ level: extended type: date short: Date/time indicator was last updated. - beta: This field is beta and subject to change. description: > The date and time when intelligence source last modified information for this indicator. example: "2020-11-05T17:25:47.000Z" @@ -80,7 +75,6 @@ level: extended type: long short: Number of times indicator observed - beta: This field is beta and subject to change. description: > Number of times this indicator was observed conducting threat activity. example: 20 
@@ -89,7 +83,6 @@ level: extended type: keyword short: Type of indicator - beta: This field is beta and subject to change. description: > Type of indicator as represented by Cyber Observable in STIX 2.0. expected_values: @@ -116,7 +109,6 @@ level: extended type: keyword short: Indicator description - beta: This field is beta and subject to change. description: > Describes the type of action conducted by the threat. example: IP x.x.x.x was observed delivering the Angler EK. @@ -125,7 +117,6 @@ level: extended type: long short: Scanner statistics - beta: This field is beta and subject to change. description: > Count of AV/EDR vendors that successfully detected malicious file or URL. example: 4 @@ -134,7 +125,6 @@ level: extended type: keyword short: Indicator confidence rating - beta: This field is beta and subject to change. description: > Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. @@ -150,7 +140,6 @@ level: extended type: ip short: Indicator IP address - beta: This field is beta and subject to change. description: > Identifies a threat indicator as an IP address (irrespective of direction). example: 1.2.3.4 @@ -159,7 +148,6 @@ level: extended type: long short: Indicator port - beta: This field is beta and subject to change. description: > Identifies a threat indicator as a port number (irrespective of direction). example: 443 @@ -168,7 +156,6 @@ level: extended type: keyword short: Indicator email address - beta: This field is beta and subject to change. description: > Identifies a threat indicator as an email address (irrespective of direction). example: phish@example.com @@ -177,7 +164,6 @@ level: extended type: keyword short: Indicator TLP marking - beta: This field is beta and subject to change. description: > Traffic Light Protocol sharing markings. expected_values: 
@@ -191,7 +177,6 @@ level: extended type: keyword short: Indicator reference URL - beta: This field is beta and subject to change. description: > Reference URL linking to additional information about this indicator. example: https://system.example.com/indicator/0001234 @@ -200,7 +185,6 @@ level: extended type: keyword short: Indicator provider - beta: This field is beta and subject to change. description: > The name of the indicator's provider. example: lrz_urlhaus @@ -209,7 +193,6 @@ level: extended type: keyword short: Matched indicator value - beta: This field is beta and subject to change. description: > Identifies the atomic indicator value that matched a local environment endpoint or network event. example: bad-domain.com @@ -218,7 +201,6 @@ level: extended type: keyword short: Matched indicator field - beta: This field is beta and subject to change. description: > Identifies the field of the atomic indicator that matched a local environment endpoint or network event. example: file.hash.sha256 @@ -227,7 +209,6 @@ level: extended type: keyword short: Matched indicator identifier - beta: This field is beta and subject to change. description: > Identifies the _id of the indicator document enriching the event. example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 @@ -236,7 +217,6 @@ level: extended type: keyword short: Matched indicator index - beta: This field is beta and subject to change. description: > Identifies the _index of the indicator document enriching the event. example: filebeat-8.0.0-2021.05.23-000011 @@ -253,7 +233,6 @@ level: extended type: keyword short: Type of indicator match - beta: This field is beta and subject to change. description: > Identifies the type of match that caused the event to be enriched with the given indicator example: indicator_match_rule diff --git a/schemas/url.yml b/schemas/url.yml index 090782a8a3..4a904249a7 100644 --- a/schemas/url.yml +++ b/schemas/url.yml 
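Review bot: the GA promotion in schemas/threat.yml removes `beta:` but leaves inconsistent STIX references in the descriptions it touches: `enrichments.indicator.type` says "Cyber Observable in STIX 2.0" while `enrichments.indicator.confidence` cites "Appendix A of the STIX 2.1 framework". Now that these fields are stable, settle on one STIX version (or state both explicitly) before the wording is frozen into the generated artifacts. Same hunk set: the `enrichments.indicator.ip` example `1.2.3.4` is a routable address; prefer an address from the RFC 5737 documentation ranges (e.g. 192.0.2.0/24), in line with the `example.com` values already used for the email and reference-URL examples in this file.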
@@ -29,7 +29,6 @@ as: url - at: threat.enrichments.indicator as: url - beta: Reusing the `url` fields in this location is currently considered beta. fields: - name: original diff --git a/schemas/x509.yml b/schemas/x509.yml index 906b63279b..be03f7c685 100644 --- a/schemas/x509.yml +++ b/schemas/x509.yml @@ -38,7 +38,6 @@ as: x509 - at: threat.enrichments.indicator as: x509 - beta: Reusing the `x509` fields in this location is currently considered beta. - tls.client - tls.server fields: From b9cded6d8429fa2513d25842e71a6a24506b11b1 Mon Sep 17 00:00:00 2001 From: Alex Resnick Date: Fri, 22 Jul 2022 12:43:05 -0500 Subject: [PATCH 012/186] [RFC] Stage 0 - Add new cloud fields (#1953) * Add new cloud fields * added some more examples * update based on comments * assign RFC number and set date * author field needs set also Co-authored-by: Eric Beahan --- rfcs/text/0033-new-cloud-fields.md | 225 +++++++++++++++++++++++++++++ 1 file changed, 225 insertions(+) create mode 100644 rfcs/text/0033-new-cloud-fields.md diff --git a/rfcs/text/0033-new-cloud-fields.md b/rfcs/text/0033-new-cloud-fields.md new file mode 100644 index 0000000000..0420647a37 --- /dev/null +++ b/rfcs/text/0033-new-cloud-fields.md 
@@ -0,0 +1,225 @@ +# 0033: New cloud (or related) fields + + +- Stage: **0 (strawperson)** +- Date: **2022-07-22** + + + + + +This RFC is to add several new cloud or cloud related fields to ECS. As more cloud integrations/data sources are developed there are a variety of fields that don't have an ECS normalized field to put them. This would add the ability to normalize data related to cloud instance images, network/VPC information, S3/Object storage data.... + + + + + +## Fields + +Initial list of proposed fields: + +* `cloud.edge_location`: The edge location, usually an airport IATA code (DFW), of a cloud service. Very common for DNS, CDN, or other cloud services +* `cloud.instance.image.id`: ID of the image used to create the virtual instance/machine +* `cloud.instance.image.name`: Name of the image used to create the virtual instance/machine +* `cloud.vpc.name`: Name of the virtual network +* `cloud.vpc.id`: ID of the virtual network +* `cloud.subnet.name`: Name of the Subnet within the VPC/Virtual network +* `cloud.subnet.id`: ID of the Subnet within the VPC/Virtual network +* `cloud.instance.lifecycle`: Type of instance *normal* vs *spot*, see https://github.com/elastic/ecs/issues/323 for more discussion +* `cloud.object_store.name`: Name of S3/Compatible storage +* `cloud.object_store.id`: Name of S3/Compatible storage + + +Possible alternatives proposed in https://github.com/elastic/ecs/issues/1725 +* `network.edge_location` instead of `cloud.edge_location` +* `cloud.image.id` instead of `cloud.instance.image.id` +* `cloud.image.name` instead of `cloud.instance.image.name` +* `network.name` (already exists) instead of instead of `cloud.vpc.name` +* `network.id` instead of `cloud.vpc.id` +* `network.subnetwork.name` instead of instead of `cloud.subnet.name` +* `network.subnetwork.id` instead of `cloud.subnet.id` + + + + + +## Usage +This started with multiple new cloud integrations for the agent having edge location data fields to include Akamai, Cloudflare, 
AWS DNS, AWS Cloudfront... Additionally AWS Guard Duty integration has numerous data points with regards to AWS network, S3/Object storage, instance information... + + + +## Source data +### AWS Cloudfront Logs +`2019-12-04 21:02:31 LAX1 392 89.160.20.112 GET d111111abcdef8.cloudfront.net /index.html 200 - .......` +### AWS Public ZOne DNS Logs +`1.0 2017-12-13T08:16:02.130Z Z123412341234 example.com A NOERROR UDP FRA6 89.160.20.112 -` +### Cloudflare HTTP Logs +`{..."EdgeColoCode":"AMS","EdgeColoID":20,...}` +### GCP Flow logs: +`..."src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"}...` +## GCP DNS logs +`..."sourceIP":"10.154.0.3","sourceNetwork":"default","vmInstanceId":8340998530665147,"vmInstanceIdString":"8340998530665147",...` +### AWS Guard Duty Logs +``` + { + "schemaVersion": "2.0", + "accountId": "290443255379", + "region": "us-east-2", + "partition": "aws", + "id": "02bf27df0ab318783b0a8f63569dfd68", + "arn": "arn:aws:guardduty:us-east-2:290443255379:detector/c0bf27def0a899b467ad81c4a5681b78/finding/02bf27df0ab318783b0a8f63569dfd68", + "type": "Impact:S3/MaliciousIPCaller", + "resource": { + "resourceType": "S3Bucket", + "accessKeyDetails": { + "accessKeyId": "GeneratedFindingAccessKeyId", + "principalId": "GeneratedFindingPrincipalId", + "userType": "IAMUser", + "userName": "GeneratedFindingUserName" + }, + "s3BucketDetails": [ + { + "owner": { + "id": "CanonicalId of Owner" + }, + "createdAt": 1513612691.551, + **"name": "bucketName",** + "defaultServerSideEncryption": { + "kmsMasterKeyArn": "arn:aws:kms:region:123456789012:key/key-id", + "encryptionType": "SSEAlgorithm" + }, + "arn": "arn:aws:s3:::bucketName", + "type": "Destination", + } + ], + "instanceDetails": { + "instanceId": "i-99999999", + "instanceType": "m3.xlarge", + "outpostArn": "arn:aws:outposts:us-west-2:123456789000:outpost/op-0fbc006e9abbc73c3", + "launchTime": "2016-08-02T02:05:06.000Z", + "platform": null, + "productCodes": [ + { + 
"productCodeId": "GeneratedFindingProductCodeId", + "productCodeType": "GeneratedFindingProductCodeType" + } + ], + "iamInstanceProfile": { + "arn": "arn:aws:iam::290443255379:example/instance/profile", + "id": "GeneratedFindingInstanceProfileId" + }, + "networkInterfaces": [ + { + "networkInterfaceId": "eni-bfcffe88", + "privateIpAddresses": [ + { + "privateDnsName": "GeneratedFindingPrivateName", + "privateIpAddress": "10.0.0.1" + } + ], + "subnetId": "GeneratedFindingSubnetId", + "vpcId": "GeneratedFindingVPCId", + "privateDnsName": "GeneratedFindingPrivateDnsName", + "securityGroups": [ + { + "groupName": "GeneratedFindingSecurityGroupName", + "groupId": "GeneratedFindingSecurityId" + } + ], + "publicIp": "198.51.100.0", + "ipv6Addresses": [], + "publicDnsName": "GeneratedFindingPublicDNSName", + "privateIpAddress": "10.0.0.1" + } + ], + "instanceState": "running", + "availabilityZone": "GeneratedFindingInstaceAvailabilityZone", + "imageId": "ami-99999999", + "imageDescription": "GeneratedFindingInstaceImageDescription" + } + } +``` + + + + + + +## Scope of impact + + + +## Concerns + + + + + + + +## People + +The following are the people that consulted on the contents of this RFC. + +* @legoguy1000 | author + + + + +## References + + + +### RFC Pull Requests + + + +* Stage 0: https://github.com/elastic/ecs/pull/1953 + + From 8c4c636fd0a7dc1d4f466a29de705fa59b7c84d4 Mon Sep 17 00:00:00 2001 
From: Kylie Geller Date: Tue, 26 Jul 2022 10:57:29 -0400 Subject: [PATCH 013/186] Adding `risk.*` fields as experimental (#1994) --- CHANGELOG.next.md | 2 + experimental/generated/beats/fields.ecs.yml | 283 ++++++++++ experimental/generated/csv/fields.csv | 30 + experimental/generated/ecs/ecs_flat.yml | 415 ++++++++++++++ experimental/generated/ecs/ecs_nested.yml | 524 ++++++++++++++++++ .../composable/component/host.json | 24 + .../composable/component/user.json | 96 ++++ .../elasticsearch/legacy/template.json | 120 ++++ experimental/schemas/risk.yml | 58 ++ experimental/schemas/subsets/experimental.yml | 2 + 10 files changed, 1554 insertions(+) create mode 100644 experimental/schemas/risk.yml diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 80cbaaa50c..f9d7beb253 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -16,6 +16,8 @@ Thanks, you're awesome :-) --> #### Added +* Adding `risk.*` fields as experimental. #1994 + #### Improvements * Advances `threat.enrichments.indicator` to GA. #1928 diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index ae28420db8..8993e52523 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -3652,6 +3652,52 @@ system (nsfs). Unsigned int inum in include/linux/ns_common.h. example: 256383 default_field: false + - name: risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false - name: type level: core type: keyword 
@@ -7162,6 +7208,59 @@ ignore_above: 1024 description: All the user names or other user identifiers seen on the event. default_field: false + - name: risk + title: Risk score information + group: 2 + description: Fields for describing the risk score and level. + type: group + default_field: true + fields: + - name: calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false - name: rule title: Rule group: 2 
@@ -11987,6 +12086,52 @@ description: Short name or login of the user. example: a.einstein default_field: false + - name: changes.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: changes.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: changes.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: changes.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: changes.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: changes.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false - name: changes.roles level: extended type: keyword 
@@ -12072,6 +12217,52 @@ description: Short name or login of the user. example: a.einstein default_field: false + - name: effective.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: effective.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: effective.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: effective.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: effective.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: effective.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false - name: effective.roles level: extended type: keyword 
@@ -12136,6 +12327,52 @@ default_field: false description: Short name or login of the user. example: a.einstein + - name: risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false - name: roles level: extended type: keyword 
@@ -12214,6 +12451,52 @@ description: Short name or login of the user. example: a.einstein default_field: false + - name: target.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: target.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: target.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: target.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: target.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: target.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false - name: target.roles level: extended type: keyword diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index a63cbef4d0..f6a27fc8b4 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
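Review bot: `risk.calculated_level` and `risk.static_level` are plain `keyword` fields with example `High` and no `expected_values`; if a fixed scale is intended, declare it on the field (the `expected_values` attribute is already used for `threat.enrichments.indicator.type` and the TLP marking in this series) so consumers do not end up with mixed casing and vocabularies in the same index. The `*_score_norm` descriptions say "normalized to a range of 0 to 100" but not how; the examples (880.73 to 88.73, 830.0 to 83.0) suggest a fixed divisor, which will not hold for an external Threat Intelligence Platform with a different raw scale, so either state that the normalization is producer-defined or spell out the formula. Since every nested copy (host, user, user.changes, user.effective, user.target) carries identical text, fix it once in experimental/schemas/risk.yml and regenerate rather than editing the generated files.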
@@ -393,6 +393,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.5.0-dev+exp,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 8.5.0-dev+exp,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 8.5.0-dev+exp,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode +8.5.0-dev+exp,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.5.0-dev+exp,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.5.0-dev+exp,true,host,host.risk.calculated_score_norm,float,extended,,88.73,"A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100." +8.5.0-dev+exp,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.5.0-dev+exp,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.5.0-dev+exp,true,host,host.risk.static_score_norm,float,extended,,83.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100." 8.5.0-dev+exp,true,host,host.type,keyword,core,,,Type of host. 8.5.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. 8.5.0-dev+exp,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. 
@@ -1454,6 +1460,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.5.0-dev+exp,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.5.0-dev+exp,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. 8.5.0-dev+exp,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.5.0-dev+exp,true,user,user.changes.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.5.0-dev+exp,true,user,user.changes.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.5.0-dev+exp,true,user,user.changes.risk.calculated_score_norm,float,extended,,88.73,"A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100." +8.5.0-dev+exp,true,user,user.changes.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.5.0-dev+exp,true,user,user.changes.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.5.0-dev+exp,true,user,user.changes.risk.static_score_norm,float,extended,,83.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100." 8.5.0-dev+exp,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 8.5.0-dev+exp,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. 
8.5.0-dev+exp,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. 
@@ -1467,6 +1479,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.5.0-dev+exp,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.5.0-dev+exp,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. 8.5.0-dev+exp,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.5.0-dev+exp,true,user,user.effective.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.5.0-dev+exp,true,user,user.effective.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.5.0-dev+exp,true,user,user.effective.risk.calculated_score_norm,float,extended,,88.73,"A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100." +8.5.0-dev+exp,true,user,user.effective.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.5.0-dev+exp,true,user,user.effective.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.5.0-dev+exp,true,user,user.effective.risk.static_score_norm,float,extended,,83.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100." 8.5.0-dev+exp,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 8.5.0-dev+exp,true,user,user.email,keyword,extended,,,User email address. 
8.5.0-dev+exp,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
@@ -1478,6 +1496,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.5.0-dev+exp,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.5.0-dev+exp,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. 8.5.0-dev+exp,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.5.0-dev+exp,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.5.0-dev+exp,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.5.0-dev+exp,true,user,user.risk.calculated_score_norm,float,extended,,88.73,"A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100." +8.5.0-dev+exp,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.5.0-dev+exp,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.5.0-dev+exp,true,user,user.risk.static_score_norm,float,extended,,83.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100." 8.5.0-dev+exp,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 8.5.0-dev+exp,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. 8.5.0-dev+exp,true,user,user.target.email,keyword,extended,,,User email address. 
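Review bot: the `user.risk.calculated_level` and `user.risk.static_level` rows in this hunk give `High` as the only example and their Description column names no allowed set of level values, so one producer can emit `High`, another `high` or `HIGH`, and a keyword query or dashboard filter on the level will not match across them. Suggest the description state the fixed vocabulary of levels (and its case) that producers must use, in the same way the neighbouring `user.roles` row documents its `array` normalization.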
@@ -1490,6 +1514,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.5.0-dev+exp,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.5.0-dev+exp,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. 8.5.0-dev+exp,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.5.0-dev+exp,true,user,user.target.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.5.0-dev+exp,true,user,user.target.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.5.0-dev+exp,true,user,user.target.risk.calculated_score_norm,float,extended,,88.73,"A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100." +8.5.0-dev+exp,true,user,user.target.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.5.0-dev+exp,true,user,user.target.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.5.0-dev+exp,true,user,user.target.risk.static_score_norm,float,extended,,83.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100." 8.5.0-dev+exp,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 8.5.0-dev+exp,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. 
8.5.0-dev+exp,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 0743817d9c..db568fea1a 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -5247,6 +5247,89 @@ host.pid_ns_ino: normalize: [] short: Pid namespace inode type: keyword +host.risk.calculated_level: + dashed_name: host-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: host.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +host.risk.calculated_score: + dashed_name: host-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: host.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +host.risk.calculated_score_norm: + dashed_name: host-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: host.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring, and normalized to a range of 0 to 100. + type: float +host.risk.static_level: + dashed_name: host-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: host.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +host.risk.static_score: + dashed_name: host-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: host.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +host.risk.static_score_norm: + dashed_name: host-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: host.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform, and normalized to a range of 0 to + 100. + type: float host.type: dashed_name: host-type description: 'Type of host. 
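Review bot: in this hunk the `host.risk.calculated_score` example `880.73` beside the `host.risk.calculated_score_norm` example `88.73` (and `830.0` beside `83.0` for the static pair) implies a fixed divide-by-ten normalization, but the descriptions say only "normalized to a range of 0 to 100" and nothing about the raw score's scale. Since the raw scale of `static_score` is whatever the external platform uses, the description should say that `*_score` values are comparable only within one source and that thresholds and sorting should use `*_score_norm`; otherwise a detection rule written against `calculated_score` means something different for each producer.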
@@ -18400,6 +18483,89 @@ user.changes.name: original_fieldset: user short: Short name or login of the user. type: keyword +user.changes.risk.calculated_level: + dashed_name: user-changes-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: user.changes.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +user.changes.risk.calculated_score: + dashed_name: user-changes-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: user.changes.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +user.changes.risk.calculated_score_norm: + dashed_name: user-changes-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: user.changes.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring, and normalized to a range of 0 to 100. + type: float +user.changes.risk.static_level: + dashed_name: user-changes-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: user.changes.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +user.changes.risk.static_score: + dashed_name: user-changes-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: user.changes.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +user.changes.risk.static_score_norm: + dashed_name: user-changes-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: user.changes.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform, and normalized to a range of 0 to + 100. + type: float user.changes.roles: dashed_name: user-changes-roles description: Array of user roles at the time of the event. 
@@ -18543,6 +18709,89 @@ user.effective.name: original_fieldset: user short: Short name or login of the user. type: keyword +user.effective.risk.calculated_level: + dashed_name: user-effective-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: user.effective.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +user.effective.risk.calculated_score: + dashed_name: user-effective-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: user.effective.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +user.effective.risk.calculated_score_norm: + dashed_name: user-effective-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: user.effective.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring, and normalized to a range of 0 to 100. 
+ type: float +user.effective.risk.static_level: + dashed_name: user-effective-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: user.effective.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +user.effective.risk.static_score: + dashed_name: user-effective-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: user.effective.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +user.effective.risk.static_score_norm: + dashed_name: user-effective-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: user.effective.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform, and normalized to a range of 0 to + 100. + type: float user.effective.roles: dashed_name: user-effective-roles description: Array of user roles at the time of the event. 
@@ -18656,6 +18905,89 @@ user.name: normalize: [] short: Short name or login of the user. type: keyword +user.risk.calculated_level: + dashed_name: user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +user.risk.calculated_score: + dashed_name: user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +user.risk.calculated_score_norm: + dashed_name: user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring, and normalized to a range of 0 to 100. + type: float +user.risk.static_level: + dashed_name: user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +user.risk.static_score: + dashed_name: user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +user.risk.static_score_norm: + dashed_name: user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform, and normalized to a range of 0 to + 100. + type: float user.roles: dashed_name: user-roles description: Array of user roles at the time of the event. 
@@ -18786,6 +19118,89 @@ user.target.name: original_fieldset: user short: Short name or login of the user. type: keyword +user.target.risk.calculated_level: + dashed_name: user-target-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: user.target.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +user.target.risk.calculated_score: + dashed_name: user-target-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: user.target.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +user.target.risk.calculated_score_norm: + dashed_name: user-target-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: user.target.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring, and normalized to a range of 0 to 100. + type: float +user.target.risk.static_level: + dashed_name: user-target-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: user.target.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +user.target.risk.static_score: + dashed_name: user-target-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: user.target.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +user.target.risk.static_score_norm: + dashed_name: user-target-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: user.target.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform, and normalized to a range of 0 to + 100. + type: float user.target.roles: dashed_name: user-target-roles description: Array of user roles at the time of the event. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 0b75c8593b..f26fd038ca 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -6516,6 +6516,90 @@ host: normalize: [] short: Pid namespace inode type: keyword + host.risk.calculated_level: + dashed_name: host-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: host.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + host.risk.calculated_score: + dashed_name: host-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: host.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + host.risk.calculated_score_norm: + dashed_name: host-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: host.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of + 0 to 100. + type: float + host.risk.static_level: + dashed_name: host-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: host.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + host.risk.static_score: + dashed_name: host-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: host.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + host.risk.static_score_norm: + dashed_name: host-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: host.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + type: float host.type: dashed_name: host-type description: 'Type of host. @@ -6545,6 +6629,7 @@ host: nestings: - host.geo - host.os + - host.risk prefix: host. reused_here: - full: host.geo @@ -6553,6 +6638,9 @@ host: - full: host.os schema_name: os short: OS fields contain information about the operating system. + - full: host.risk + schema_name: risk + short: Fields for describing the risk score and level. short: Fields describing the relevant computing instance. title: Host type: group 
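Review bot: the `nestings` and `reused_here` additions for `host.risk` in the last two hunks here match the fieldset's reuse target, but `user`, the other reuse target, shows only field entries in this section with no corresponding `nestings`/`reused_here` hunk visible; confirm the generator produced those for `user` too, so that `ecs_nested.yml` lists `user.risk` the same way it now lists `host.risk`.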
@@ -12519,6 +12607,102 @@ related: short: Fields meant to facilitate pivoting around a piece of data. title: Related type: group +risk: + description: Fields for describing the risk score and level. + fields: + risk.calculated_level: + dashed_name: risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + risk.calculated_score: + dashed_name: risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: risk.calculated_score + level: extended + name: calculated_score + normalize: [] + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + risk.calculated_score_norm: + dashed_name: risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of + 0 to 100. + type: float + risk.static_level: + dashed_name: risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + risk.static_score: + dashed_name: risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: risk.static_score + level: extended + name: static_score + normalize: [] + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + risk.static_score_norm: + dashed_name: risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + type: float + group: 2 + name: risk + prefix: risk. + reusable: + expected: + - as: risk + at: host + full: host.risk + - as: risk + at: user + full: user.risk + top_level: false + short: Fields for describing the risk score and level. + title: Risk score information + type: group rule: description: 'Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. 
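Review bot: the new `risk` fieldset declares `top_level: false` and `reusable.expected` only at `host` and `user`, yet the earlier `ecs_flat.yml` hunks also emit `user.changes.risk.*`, `user.effective.risk.*` and `user.target.risk.*`. That follows from `user` being reused under `changes`/`effective`/`target`, but it means a risk score can now sit on the acting user, the effective identity and the target of an event alike, and the copied descriptions are identical, so nothing says which one a risk-scoring producer should populate. Suggest the fieldset `description` state that `user.risk` describes the acting user and that the `changes`/`effective`/`target` copies describe those respective identities, so an analyst does not read `user.target.risk.calculated_level: High` as the actor's risk.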
@@ -20615,6 +20799,90 @@ user: original_fieldset: user short: Short name or login of the user. type: keyword + user.changes.risk.calculated_level: + dashed_name: user-changes-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: user.changes.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + user.changes.risk.calculated_score: + dashed_name: user-changes-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: user.changes.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + user.changes.risk.calculated_score_norm: + dashed_name: user-changes-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: user.changes.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of + 0 to 100. + type: float + user.changes.risk.static_level: + dashed_name: user-changes-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: user.changes.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + user.changes.risk.static_score: + dashed_name: user-changes-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: user.changes.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + user.changes.risk.static_score_norm: + dashed_name: user-changes-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: user.changes.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + type: float user.changes.roles: dashed_name: user-changes-roles description: Array of user roles at the time of the event. 
@@ -20758,6 +21026,90 @@ user: original_fieldset: user short: Short name or login of the user. type: keyword + user.effective.risk.calculated_level: + dashed_name: user-effective-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: user.effective.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + user.effective.risk.calculated_score: + dashed_name: user-effective-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: user.effective.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + user.effective.risk.calculated_score_norm: + dashed_name: user-effective-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: user.effective.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of + 0 to 100. + type: float + user.effective.risk.static_level: + dashed_name: user-effective-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: user.effective.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + user.effective.risk.static_score: + dashed_name: user-effective-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: user.effective.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + user.effective.risk.static_score_norm: + dashed_name: user-effective-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: user.effective.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + type: float user.effective.roles: dashed_name: user-effective-roles description: Array of user roles at the time of the event. 
@@ -20871,6 +21223,90 @@ user: normalize: [] short: Short name or login of the user. type: keyword + user.risk.calculated_level: + dashed_name: user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + user.risk.calculated_score: + dashed_name: user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + user.risk.calculated_score_norm: + dashed_name: user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of + 0 to 100. + type: float + user.risk.static_level: + dashed_name: user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + user.risk.static_score: + dashed_name: user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + user.risk.static_score_norm: + dashed_name: user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + type: float user.roles: dashed_name: user-roles description: Array of user roles at the time of the event. 
@@ -21001,6 +21437,90 @@ user: original_fieldset: user short: Short name or login of the user. type: keyword + user.target.risk.calculated_level: + dashed_name: user-target-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: user.target.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + user.target.risk.calculated_score: + dashed_name: user-target-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: user.target.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + user.target.risk.calculated_score_norm: + dashed_name: user-target-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: user.target.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of + 0 to 100. + type: float + user.target.risk.static_level: + dashed_name: user-target-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: user.target.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + user.target.risk.static_score: + dashed_name: user-target-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: user.target.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + user.target.risk.static_score_norm: + dashed_name: user-target-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: user.target.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + type: float user.target.roles: dashed_name: user-target-roles description: Array of user roles at the time of the event. @@ -21020,6 +21540,7 @@ user: - user.changes - user.effective - user.group + - user.risk - user.target prefix: user. reusable: @@ -21068,6 +21589,9 @@ user: - full: user.group schema_name: group short: User's group relevant to the event. + - full: user.risk + schema_name: risk + short: Fields for describing the risk score and level. - full: user.target schema_name: user short: Targeted user of action taken. 
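Review bot: in every `user.*.risk.*` entry of these four hunks (20799, 21026, 21223 and 21437) the `short` value is a verbatim, multi-line copy of `description`, for example `short: A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100.`; that happens because no per-field `short` is set in `experimental/schemas/risk.yml`, so the generator falls back to the full description. Adding a one-line `short` per field in `risk.yml` (for instance "Internally calculated risk score, normalized to 0-100") keeps the generated summaries and the reference-doc tables to a single line; the generated files here need no hand edits once the schema is fixed.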
diff --git a/experimental/generated/elasticsearch/composable/component/host.json b/experimental/generated/elasticsearch/composable/component/host.json index 32aa9ac20e..d29e1e413c 100644 --- a/experimental/generated/elasticsearch/composable/component/host.json +++ b/experimental/generated/elasticsearch/composable/component/host.json @@ -186,6 +186,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "type": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/composable/component/user.json b/experimental/generated/elasticsearch/composable/component/user.json index 5ccf147651..1da075520f 100644 --- a/experimental/generated/elasticsearch/composable/component/user.json +++ b/experimental/generated/elasticsearch/composable/component/user.json @@ -60,6 +60,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "type": "keyword" 
@@ -122,6 +146,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "type": "keyword" @@ -174,6 +222,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "type": "keyword" @@ -230,6 +302,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index 4235a87fb7..ad36c72e64 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json 
@@ -1882,6 +1882,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "type": { "ignore_above": 1024, "type": "keyword" @@ -6733,6 +6757,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "type": "keyword" @@ -6795,6 +6843,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "type": "keyword" @@ -6847,6 +6919,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "type": "keyword" 
@@ -6903,6 +6999,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/schemas/risk.yml b/experimental/schemas/risk.yml new file mode 100644 index 0000000000..456c4659f6 --- /dev/null +++ b/experimental/schemas/risk.yml 
@@ -0,0 +1,58 @@ +--- +- name: risk + title: Risk score information + group: 2 + short: Fields for describing the risk score and level. + description: > + Fields for describing the risk score and level. + reusable: + top_level: false + expected: + - host + - user + type: group + fields: + - name: calculated_score + level: extended + type: float + example: 880.73 + description: > + A risk classification score calculated by an internal system as part of + entity analytics and entity risk scoring. + - name: calculated_score_norm + level: extended + type: float + example: 88.73 + description: > + A risk classification score calculated by an internal system as part of + entity analytics and entity risk scoring, and normalized to a range of + 0 to 100. + - name: static_score + level: extended + type: float + example: 830.0 + description: > + A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + - name: static_score_norm + level: extended + type: float + example: 83.0 + description: > + A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform, and normalized to a + range of 0 to 100. + - name: calculated_level + level: extended + type: keyword + example: "High" + description: > + A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + - name: static_level + level: extended + type: keyword + example: "High" + description: > + A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. diff --git a/experimental/schemas/subsets/experimental.yml b/experimental/schemas/subsets/experimental.yml index 379fff2e86..c3c13aea8d 100644 --- a/experimental/schemas/subsets/experimental.yml +++ b/experimental/schemas/subsets/experimental.yml @@ -3,3 +3,5 @@ name: experimental fields: cgroup: fields: "*" + risk: + fields: "*" 
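Review bot: `calculated_level` and `static_level` are free-form `keyword` fields whose only hint at the vocabulary is `example: "High"`; since this same series introduces the `expected_values` attribute (#1952), consider listing the allowed level values there so detection rules and dashboards can key on a fixed set rather than guess from one example. The paired examples `880.73` / `88.73` and `830.0` / `83.0` also suggest the `_norm` fields are the raw score scaled by 1/10, while the description only says "normalized to a range of 0 to 100"; state that the raw-to-normalized mapping is producer-defined (or specify it), and note in the description that `type: float` does not enforce the 0 to 100 bound at index time, so consumers cannot assume the range from the mapping alone.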
From 73cea0840273643a2419b8668951e5d6ca547ca0 Mon Sep 17 00:00:00 2001 From: Kylie Geller Date: Tue, 26 Jul 2022 15:32:30 -0400 Subject: [PATCH 014/186] [main] Cutting 8.4 HFF changelog (#2006) --- CHANGELOG.next.md | 18 +++--------------- 1 file changed, 3 insertions(+), 15 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index f9d7beb253..9eade7cec1 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -30,39 +30,27 @@ Thanks, you're awesome :-) --> #### Bugfixes +* Added Deprecation Warning for `misspell` task #1993 + #### Added #### Improvements #### Deprecated -## 8.4.0 (Soft Feature Freeze) +## 8.4.0 (Hard Feature Freeze) ### Schema Changes -#### Breaking changes - -#### Bugfixes - #### Added * Initial set of `expected_values`. #1962 * Adding `service.node.roles`. #1981 -#### Improvements - -#### Deprecated - -#### Removed - ### Tooling and Artifact Changes #### Breaking changes -#### Bugfixes - -* Added Deprecation Warning for `misspell` task #1993 - #### Added * Introduce `expected_values` attribute. #1952 From 0d3b425b9ef6b1d9a47b81e3df946babb2b3b715 Mon Sep 17 00:00:00 2001 From: Kylie Geller Date: Tue, 26 Jul 2022 15:50:53 -0400 Subject: [PATCH 015/186] adding 8.5 to backport config (#2004) --- .backportrc.json | 1 + 1 file changed, 1 insertion(+) diff --git a/.backportrc.json b/.backportrc.json index 4b56e5e3d2..f8860f33df 100644 --- a/.backportrc.json +++ b/.backportrc.json @@ -2,6 +2,7 @@ "upstream": "elastic/ecs", "branches": [ { "name": "main", "checked": true }, + "8.5", "8.4", "8.3", "8.2", From 5d43d23f3b5bad6b74f692894d8939cca619771d Mon Sep 17 00:00:00 2001 From: Kylie Geller Date: Tue, 26 Jul 2022 16:05:56 -0400 Subject: [PATCH 016/186] [main] adding 8.5 placeholder release notes (#2002) (#2007) --- docs/release-notes/8.5.asciidoc | 4 ++++ docs/release-notes/index.asciidoc | 2 ++ 2 files changed, 6 insertions(+) create mode 100644 docs/release-notes/8.5.asciidoc 
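Review bot: the `misspell` deprecation-warning entry (#1993) moves out of the `8.4.0 (Hard Feature Freeze)` Tooling Bugfixes section and into the unreleased Tooling Bugfixes block at the top of `CHANGELOG.next.md`, which is a content change rather than the pure section cut the commit subject describes; confirm that #1993 landed after the 8.4 branch was cut, otherwise it belongs under 8.4.0, and consider mentioning the move in the commit message so the relocation is not mistaken for a dropped entry.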
diff --git a/docs/release-notes/8.5.asciidoc b/docs/release-notes/8.5.asciidoc new file mode 100644 index 0000000000..779b247999 --- /dev/null +++ b/docs/release-notes/8.5.asciidoc @@ -0,0 +1,4 @@ +[[ecs-release-notes-8.5.0]] +=== 8.5.0 + +coming[8.5.0] diff --git a/docs/release-notes/index.asciidoc b/docs/release-notes/index.asciidoc index a748c5b8e5..02ca782516 100644 --- a/docs/release-notes/index.asciidoc +++ b/docs/release-notes/index.asciidoc @@ -3,6 +3,7 @@ This section summarizes the changes in each release. +* <> * <> * <> * <> @@ -17,6 +18,7 @@ This section summarizes the changes in each release. :issue: https://github.com/elastic/ecs/issues/ :pull: https://github.com/elastic/ecs/pull/ +include::8.5.asciidoc[] include::8.4.asciidoc[] include::8.3.1.asciidoc[] include::8.3.asciidoc[] From e5b56d9385f9f3282dfcdca72bd686fac789b87e Mon Sep 17 00:00:00 2001 From: Kylie Geller Date: Tue, 26 Jul 2022 16:19:24 -0400 Subject: [PATCH 017/186] [main] 8.5 SFF changelog (#2003) (#2009) --- CHANGELOG.next.md | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 9eade7cec1..a202bcadb9 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -16,6 +16,32 @@ Thanks, you're awesome :-) --> #### Added +#### Improvements + +#### Deprecated + +### Tooling and Artifact Changes + +#### Breaking changes + +#### Bugfixes + +#### Added + +#### Improvements + +#### Deprecated + +## 8.5.0 (Soft Feature Freeze) + +### Schema Changes + +#### Breaking changes + +#### Bugfixes + +#### Added + * Adding `risk.*` fields as experimental. #1994 #### Improvements From 1f00405f524832a4a6e8bd72af682d6d1cbd24d8 Mon Sep 17 00:00:00 2001 
From: Kylie Geller Date: Tue, 26 Jul 2022 16:24:46 -0400 Subject: [PATCH 018/186] incrementing main's version for 8.5 sff (#2001) --- docs/fields/fields.asciidoc | 2 +- docs/index.asciidoc | 2 +- experimental/generated/beats/fields.ecs.yml | 2 +- experimental/generated/csv/fields.csv | 3100 ++++++++--------- .../composable/component/agent.json | 2 +- .../composable/component/base.json | 2 +- .../composable/component/cgroup.json | 2 +- .../composable/component/client.json | 2 +- .../composable/component/cloud.json | 2 +- .../composable/component/container.json | 2 +- .../composable/component/data_stream.json | 2 +- .../composable/component/destination.json | 2 +- .../composable/component/dll.json | 2 +- .../composable/component/dns.json | 2 +- .../composable/component/ecs.json | 2 +- .../composable/component/email.json | 2 +- .../composable/component/error.json | 2 +- .../composable/component/event.json | 2 +- .../composable/component/faas.json | 2 +- .../composable/component/file.json | 2 +- .../composable/component/group.json | 2 +- .../composable/component/host.json | 2 +- .../composable/component/http.json | 2 +- .../composable/component/log.json | 2 +- .../composable/component/network.json | 2 +- .../composable/component/observer.json | 2 +- .../composable/component/orchestrator.json | 2 +- .../composable/component/organization.json | 2 +- .../composable/component/package.json | 2 +- .../composable/component/process.json | 2 +- .../composable/component/registry.json | 2 +- .../composable/component/related.json | 2 +- .../composable/component/rule.json | 2 +- .../composable/component/server.json | 2 +- .../composable/component/service.json | 2 +- .../composable/component/source.json | 2 +- .../composable/component/threat.json | 2 +- .../composable/component/tls.json | 2 +- .../composable/component/tracing.json | 2 +- .../composable/component/url.json | 2 +- .../composable/component/user.json | 2 +- .../composable/component/user_agent.json | 2 +- 
.../composable/component/vulnerability.json | 2 +- .../elasticsearch/composable/template.json | 80 +- .../elasticsearch/legacy/template.json | 2 +- generated/beats/fields.ecs.yml | 2 +- generated/csv/fields.csv | 3026 ++++++++-------- .../composable/component/agent.json | 2 +- .../composable/component/base.json | 2 +- .../composable/component/client.json | 2 +- .../composable/component/cloud.json | 2 +- .../composable/component/container.json | 2 +- .../composable/component/data_stream.json | 2 +- .../composable/component/destination.json | 2 +- .../composable/component/dll.json | 2 +- .../composable/component/dns.json | 2 +- .../composable/component/ecs.json | 2 +- .../composable/component/email.json | 2 +- .../composable/component/error.json | 2 +- .../composable/component/event.json | 2 +- .../composable/component/faas.json | 2 +- .../composable/component/file.json | 2 +- .../composable/component/group.json | 2 +- .../composable/component/host.json | 2 +- .../composable/component/http.json | 2 +- .../composable/component/log.json | 2 +- .../composable/component/network.json | 2 +- .../composable/component/observer.json | 2 +- .../composable/component/orchestrator.json | 2 +- .../composable/component/organization.json | 2 +- .../composable/component/package.json | 2 +- .../composable/component/process.json | 2 +- .../composable/component/registry.json | 2 +- .../composable/component/related.json | 2 +- .../composable/component/rule.json | 2 +- .../composable/component/server.json | 2 +- .../composable/component/service.json | 2 +- .../composable/component/source.json | 2 +- .../composable/component/threat.json | 2 +- .../composable/component/tls.json | 2 +- .../composable/component/tracing.json | 2 +- .../composable/component/url.json | 2 +- .../composable/component/user.json | 2 +- .../composable/component/user_agent.json | 2 +- .../composable/component/vulnerability.json | 2 +- .../elasticsearch/composable/template.json | 78 +- 
generated/elasticsearch/legacy/template.json | 2 +- version | 2 +- 88 files changed, 3226 insertions(+), 3226 deletions(-) diff --git a/docs/fields/fields.asciidoc b/docs/fields/fields.asciidoc index adf83eea7c..ca7f3e17e1 100644 --- a/docs/fields/fields.asciidoc +++ b/docs/fields/fields.asciidoc @@ -1,7 +1,7 @@ [[ecs-field-reference]] == {ecs} Field Reference -This is the documentation of ECS version 8.5.0-dev. +This is the documentation of ECS version 8.6.0-dev. ECS defines multiple groups of related fields. They are called "field sets". The <> field set is the only one whose fields are defined diff --git a/docs/index.asciidoc b/docs/index.asciidoc index 887d6042ce..c864468e22 100644 --- a/docs/index.asciidoc +++ b/docs/index.asciidoc @@ -13,7 +13,7 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[] [[ecs-reference]] == Overview -This is the documentation of ECS version 8.5.0-dev. +This is the documentation of ECS version 8.6.0-dev. [float] === What is ECS? diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 8993e52523..9d792c7c58 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -1,5 +1,5 @@ # WARNING! Do not edit this file directly, it was generated by the ECS project, -# based on ECS version 8.5.0-dev+exp. +# based on ECS version 8.6.0-dev+exp. # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields. - key: ecs diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index f6a27fc8b4..c65261c124 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -1,1551 +1,1551 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description -8.5.0-dev+exp,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. -8.5.0-dev+exp,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. -8.5.0-dev+exp,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer. -8.5.0-dev+exp,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. -8.5.0-dev+exp,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. -8.5.0-dev+exp,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. -8.5.0-dev+exp,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. -8.5.0-dev+exp,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. -8.5.0-dev+exp,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. -8.5.0-dev+exp,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. -8.5.0-dev+exp,true,cgroup,cgroup.cpu.periods,long,extended,,454839343,Number of period intervals that have elapsed. -8.5.0-dev+exp,true,cgroup,cgroup.cpu.throttled.us,long,extended,,15000,Microseconds of CPU throttled time. -8.5.0-dev+exp,true,cgroup,cgroup.cpu.usage,scaled_float,extended,,,"CPU usage, normalized by the CPU count." -8.5.0-dev+exp,true,cgroup,cgroup.memory.limit,long,extended,,256,Memory limit within the cgroup. -8.5.0-dev+exp,true,cgroup,cgroup.memory.swap.usage,long,extended,,5600,The amount of cgroup memory in swap. 
-8.5.0-dev+exp,true,cgroup,cgroup.memory.usage,long,extended,,25600,Memory usage in bytes -8.5.0-dev+exp,true,cgroup,cgroup.version,long,extended,,,The cgroup version linked to the metrics -8.5.0-dev+exp,true,client,client.address,keyword,extended,,,Client network address. -8.5.0-dev+exp,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.5.0-dev+exp,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.5.0-dev+exp,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.5.0-dev+exp,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. -8.5.0-dev+exp,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client. -8.5.0-dev+exp,true,client,client.geo.city_name,keyword,core,,Montreal,City name. -8.5.0-dev+exp,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. -8.5.0-dev+exp,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. -8.5.0-dev+exp,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.5.0-dev+exp,true,client,client.geo.country_name,keyword,core,,Canada,Country name. -8.5.0-dev+exp,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.5.0-dev+exp,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.5.0-dev+exp,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. -8.5.0-dev+exp,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.5.0-dev+exp,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. -8.5.0-dev+exp,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.5.0-dev+exp,true,client,client.ip,ip,core,,,IP address of the client. 
-8.5.0-dev+exp,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. -8.5.0-dev+exp,true,client,client.nat.ip,ip,extended,,,Client NAT ip address -8.5.0-dev+exp,true,client,client.nat.port,long,extended,,,Client NAT port -8.5.0-dev+exp,true,client,client.packets,long,core,,12,Packets sent from the client to the server. -8.5.0-dev+exp,true,client,client.port,long,core,,,Port of the client. -8.5.0-dev+exp,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." -8.5.0-dev+exp,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. -8.5.0-dev+exp,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.5.0-dev+exp,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.5.0-dev+exp,true,client,client.user.email,keyword,extended,,,User email address. -8.5.0-dev+exp,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.5.0-dev+exp,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.5.0-dev+exp,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.5.0-dev+exp,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev+exp,true,client,client.user.group.name,keyword,extended,,,Name of the group. -8.5.0-dev+exp,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.5.0-dev+exp,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev+exp,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. 
-8.5.0-dev+exp,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.5.0-dev+exp,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. -8.5.0-dev+exp,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. -8.5.0-dev+exp,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -8.5.0-dev+exp,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -8.5.0-dev+exp,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. -8.5.0-dev+exp,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.5.0-dev+exp,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. -8.5.0-dev+exp,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. -8.5.0-dev+exp,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -8.5.0-dev+exp,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -8.5.0-dev+exp,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine. -8.5.0-dev+exp,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.5.0-dev+exp,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id. -8.5.0-dev+exp,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name. -8.5.0-dev+exp,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider. 
-8.5.0-dev+exp,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -8.5.0-dev+exp,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name. -8.5.0-dev+exp,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. -8.5.0-dev+exp,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. -8.5.0-dev+exp,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. -8.5.0-dev+exp,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -8.5.0-dev+exp,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. -8.5.0-dev+exp,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id. -8.5.0-dev+exp,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name. -8.5.0-dev+exp,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -8.5.0-dev+exp,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -8.5.0-dev+exp,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine. -8.5.0-dev+exp,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.5.0-dev+exp,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id. -8.5.0-dev+exp,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name. -8.5.0-dev+exp,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider. -8.5.0-dev+exp,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." 
-8.5.0-dev+exp,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name. -8.5.0-dev+exp,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -8.5.0-dev+exp,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -8.5.0-dev+exp,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -8.5.0-dev+exp,true,container,container.id,keyword,core,,,Unique container id. -8.5.0-dev+exp,true,container,container.image.hash.all,keyword,extended,array,[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26],An array of digests of the image the container was built on. -8.5.0-dev+exp,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. -8.5.0-dev+exp,true,container,container.image.tag,keyword,extended,array,,Container image tags. -8.5.0-dev+exp,true,container,container.labels,object,extended,,,Image labels. -8.5.0-dev+exp,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1." -8.5.0-dev+exp,true,container,container.name,keyword,extended,,,Container name. -8.5.0-dev+exp,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. -8.5.0-dev+exp,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -8.5.0-dev+exp,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. -8.5.0-dev+exp,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. -8.5.0-dev+exp,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. 
-8.5.0-dev+exp,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. -8.5.0-dev+exp,true,destination,destination.address,keyword,extended,,,Destination network address. -8.5.0-dev+exp,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.5.0-dev+exp,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.5.0-dev+exp,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.5.0-dev+exp,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. -8.5.0-dev+exp,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination. -8.5.0-dev+exp,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. -8.5.0-dev+exp,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. -8.5.0-dev+exp,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. -8.5.0-dev+exp,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.5.0-dev+exp,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. -8.5.0-dev+exp,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.5.0-dev+exp,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.5.0-dev+exp,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. -8.5.0-dev+exp,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.5.0-dev+exp,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. -8.5.0-dev+exp,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 
-8.5.0-dev+exp,true,destination,destination.ip,ip,core,,,IP address of the destination. -8.5.0-dev+exp,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. -8.5.0-dev+exp,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip -8.5.0-dev+exp,true,destination,destination.nat.port,long,extended,,,Destination NAT Port -8.5.0-dev+exp,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. -8.5.0-dev+exp,true,destination,destination.port,long,core,,,Port of the destination. -8.5.0-dev+exp,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." -8.5.0-dev+exp,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. -8.5.0-dev+exp,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.5.0-dev+exp,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.5.0-dev+exp,true,destination,destination.user.email,keyword,extended,,,User email address. -8.5.0-dev+exp,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.5.0-dev+exp,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.5.0-dev+exp,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.5.0-dev+exp,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev+exp,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. -8.5.0-dev+exp,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
-8.5.0-dev+exp,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev+exp,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.5.0-dev+exp,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.5.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.5.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.5.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.5.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.5.0-dev+exp,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.5.0-dev+exp,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.5.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.5.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.5.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. -8.5.0-dev+exp,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. -8.5.0-dev+exp,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. 
-8.5.0-dev+exp,true,dll,dll.hash.sha384,keyword,extended,,,SHA384 hash. -8.5.0-dev+exp,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. -8.5.0-dev+exp,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.5.0-dev+exp,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. -8.5.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. -8.5.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. -8.5.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.5.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.5.0-dev+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.5.0-dev+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.5.0-dev+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.5.0-dev+exp,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.5.0-dev+exp,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.5.0-dev+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.5.0-dev+exp,true,dns,dns.answers,object,extended,array,,Array of DNS answers. -8.5.0-dev+exp,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. -8.5.0-dev+exp,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. -8.5.0-dev+exp,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. 
-8.5.0-dev+exp,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. -8.5.0-dev+exp,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. -8.5.0-dev+exp,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. -8.5.0-dev+exp,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. -8.5.0-dev+exp,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. -8.5.0-dev+exp,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. -8.5.0-dev+exp,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. -8.5.0-dev+exp,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." -8.5.0-dev+exp,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. -8.5.0-dev+exp,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.5.0-dev+exp,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. -8.5.0-dev+exp,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data -8.5.0-dev+exp,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. -8.5.0-dev+exp,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." -8.5.0-dev+exp,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. -8.5.0-dev+exp,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. 
-8.5.0-dev+exp,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. -8.5.0-dev+exp,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. -8.5.0-dev+exp,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.5.0-dev+exp,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.5.0-dev+exp,true,email,email.attachments.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.5.0-dev+exp,true,email,email.attachments.file.hash.sha512,keyword,extended,,,SHA512 hash. -8.5.0-dev+exp,true,email,email.attachments.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.5.0-dev+exp,true,email,email.attachments.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.5.0-dev+exp,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file. -8.5.0-dev+exp,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file. -8.5.0-dev+exp,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size. -8.5.0-dev+exp,true,email,email.bcc.address,keyword,extended,array,bcc.user1@example.com,Email address of BCC recipient -8.5.0-dev+exp,true,email,email.cc.address,keyword,extended,array,cc.user1@example.com,Email address of CC recipient -8.5.0-dev+exp,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message. -8.5.0-dev+exp,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered. -8.5.0-dev+exp,true,email,email.direction,keyword,extended,,inbound,Direction of the message. -8.5.0-dev+exp,true,email,email.from.address,keyword,extended,array,sender@example.com,The sender's email address. -8.5.0-dev+exp,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source. 
-8.5.0-dev+exp,true,email,email.message_id,wildcard,extended,,81ce15$8r2j59@mail01.example.com,Value from the Message-ID header. -8.5.0-dev+exp,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed. -8.5.0-dev+exp,true,email,email.reply_to.address,keyword,extended,array,reply.here@example.com,Address replies should be delivered to. -8.5.0-dev+exp,true,email,email.sender.address,keyword,extended,,,Address of the message sender. -8.5.0-dev+exp,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message. -8.5.0-dev+exp,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. -8.5.0-dev+exp,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient -8.5.0-dev+exp,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. -8.5.0-dev+exp,true,error,error.code,keyword,core,,,Error code describing the error. -8.5.0-dev+exp,true,error,error.id,keyword,core,,,Unique identifier for the error. -8.5.0-dev+exp,true,error,error.message,match_only_text,core,,,Error message. -8.5.0-dev+exp,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. -8.5.0-dev+exp,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text. -8.5.0-dev+exp,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." -8.5.0-dev+exp,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. -8.5.0-dev+exp,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. -8.5.0-dev+exp,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. 
-8.5.0-dev+exp,true,event,event.code,keyword,extended,,4648,Identification code for this event. -8.5.0-dev+exp,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. -8.5.0-dev+exp,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. -8.5.0-dev+exp,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. -8.5.0-dev+exp,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. -8.5.0-dev+exp,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. -8.5.0-dev+exp,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. -8.5.0-dev+exp,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. -8.5.0-dev+exp,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. -8.5.0-dev+exp,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. -8.5.0-dev+exp,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. -8.5.0-dev+exp,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. -8.5.0-dev+exp,true,event,event.provider,keyword,extended,,kernel,Source of the event. 
-8.5.0-dev+exp,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" -8.5.0-dev+exp,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL -8.5.0-dev+exp,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. -8.5.0-dev+exp,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). -8.5.0-dev+exp,true,event,event.sequence,long,extended,,,Sequence number of the event. -8.5.0-dev+exp,true,event,event.severity,long,core,,7,Numeric severity of the event. -8.5.0-dev+exp,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. -8.5.0-dev+exp,true,event,event.timezone,keyword,extended,,,Event time zone. -8.5.0-dev+exp,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. -8.5.0-dev+exp,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL -8.5.0-dev+exp,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function. -8.5.0-dev+exp,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. -8.5.0-dev+exp,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. -8.5.0-dev+exp,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. -8.5.0-dev+exp,true,faas,faas.trigger,nested,extended,,,Details about the function trigger. -8.5.0-dev+exp,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." 
-8.5.0-dev+exp,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. -8.5.0-dev+exp,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. -8.5.0-dev+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed. -8.5.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.5.0-dev+exp,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.5.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.5.0-dev+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.5.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.5.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.5.0-dev+exp,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.5.0-dev+exp,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.5.0-dev+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.5.0-dev+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.5.0-dev+exp,true,file,file.created,date,extended,,,File creation time. -8.5.0-dev+exp,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.5.0-dev+exp,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. -8.5.0-dev+exp,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. 
-8.5.0-dev+exp,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.5.0-dev+exp,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.5.0-dev+exp,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.5.0-dev+exp,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.5.0-dev+exp,true,file,file.elf.creation_date,date,extended,,,Build or compile date. -8.5.0-dev+exp,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.5.0-dev+exp,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.5.0-dev+exp,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.5.0-dev+exp,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.5.0-dev+exp,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.5.0-dev+exp,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.5.0-dev+exp,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.5.0-dev+exp,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.5.0-dev+exp,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.5.0-dev+exp,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. -8.5.0-dev+exp,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. -8.5.0-dev+exp,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.5.0-dev+exp,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.5.0-dev+exp,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. 
-8.5.0-dev+exp,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.5.0-dev+exp,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.5.0-dev+exp,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.5.0-dev+exp,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.5.0-dev+exp,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.5.0-dev+exp,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.5.0-dev+exp,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. -8.5.0-dev+exp,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.5.0-dev+exp,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.5.0-dev+exp,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.5.0-dev+exp,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.5.0-dev+exp,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.5.0-dev+exp,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.5.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.5.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file. -8.5.0-dev+exp,true,file,file.hash.md5,keyword,extended,,,MD5 hash. -8.5.0-dev+exp,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. -8.5.0-dev+exp,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. -8.5.0-dev+exp,true,file,file.hash.sha384,keyword,extended,,,SHA384 hash. -8.5.0-dev+exp,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. -8.5.0-dev+exp,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. 
-8.5.0-dev+exp,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. -8.5.0-dev+exp,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.5.0-dev+exp,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.5.0-dev+exp,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. -8.5.0-dev+exp,true,file,file.mtime,date,extended,,,Last time the file content was modified. -8.5.0-dev+exp,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.5.0-dev+exp,true,file,file.owner,keyword,extended,,alice,File owner's username. -8.5.0-dev+exp,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.5.0-dev+exp,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.5.0-dev+exp,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.5.0-dev+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.5.0-dev+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.5.0-dev+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.5.0-dev+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.5.0-dev+exp,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.5.0-dev+exp,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. 
-8.5.0-dev+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.5.0-dev+exp,true,file,file.size,long,extended,,16384,File size in bytes. -8.5.0-dev+exp,true,file,file.target_path,keyword,extended,,,Target path for symlinks. -8.5.0-dev+exp,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.5.0-dev+exp,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -8.5.0-dev+exp,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.5.0-dev+exp,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.5.0-dev+exp,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.5.0-dev+exp,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.5.0-dev+exp,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.5.0-dev+exp,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.5.0-dev+exp,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.5.0-dev+exp,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.5.0-dev+exp,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.5.0-dev+exp,true,file,file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. 
-8.5.0-dev+exp,true,file,file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.5.0-dev+exp,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.5.0-dev+exp,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.5.0-dev+exp,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.5.0-dev+exp,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.5.0-dev+exp,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.5.0-dev+exp,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.5.0-dev+exp,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.5.0-dev+exp,true,file,file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.5.0-dev+exp,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.5.0-dev+exp,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.5.0-dev+exp,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.5.0-dev+exp,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. 
-8.5.0-dev+exp,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.5.0-dev+exp,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.5.0-dev+exp,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.5.0-dev+exp,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev+exp,true,group,group.name,keyword,extended,,,Name of the group. -8.5.0-dev+exp,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. -8.5.0-dev+exp,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id -8.5.0-dev+exp,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -8.5.0-dev+exp,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -8.5.0-dev+exp,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -8.5.0-dev+exp,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. -8.5.0-dev+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name. -8.5.0-dev+exp,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. -8.5.0-dev+exp,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. -8.5.0-dev+exp,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.5.0-dev+exp,true,host,host.geo.country_name,keyword,core,,Canada,Country name. -8.5.0-dev+exp,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.5.0-dev+exp,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.5.0-dev+exp,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. 
-8.5.0-dev+exp,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.5.0-dev+exp,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. -8.5.0-dev+exp,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.5.0-dev+exp,true,host,host.hostname,keyword,core,,,Hostname of the host. -8.5.0-dev+exp,true,host,host.id,keyword,core,,,Unique host id. -8.5.0-dev+exp,true,host,host.ip,ip,core,array,,Host ip addresses. -8.5.0-dev+exp,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. -8.5.0-dev+exp,true,host,host.name,keyword,core,,,Name of the host. -8.5.0-dev+exp,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. -8.5.0-dev+exp,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. -8.5.0-dev+exp,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -8.5.0-dev+exp,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. -8.5.0-dev+exp,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.5.0-dev+exp,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.5.0-dev+exp,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.5.0-dev+exp,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -8.5.0-dev+exp,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.5.0-dev+exp,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." 
-8.5.0-dev+exp,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.5.0-dev+exp,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." -8.5.0-dev+exp,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.5.0-dev+exp,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode -8.5.0-dev+exp,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.5.0-dev+exp,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.5.0-dev+exp,true,host,host.risk.calculated_score_norm,float,extended,,88.73,"A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100." -8.5.0-dev+exp,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.5.0-dev+exp,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.5.0-dev+exp,true,host,host.risk.static_score_norm,float,extended,,83.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100." -8.5.0-dev+exp,true,host,host.type,keyword,core,,,Type of host. -8.5.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. -8.5.0-dev+exp,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. 
-8.5.0-dev+exp,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. -8.5.0-dev+exp,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body. -8.5.0-dev+exp,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). -8.5.0-dev+exp,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. -8.5.0-dev+exp,true,http,http.request.method,keyword,extended,,POST,HTTP request method. -8.5.0-dev+exp,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. -8.5.0-dev+exp,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. -8.5.0-dev+exp,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. -8.5.0-dev+exp,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. -8.5.0-dev+exp,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body. -8.5.0-dev+exp,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). -8.5.0-dev+exp,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. -8.5.0-dev+exp,true,http,http.response.status_code,long,extended,,404,HTTP response status code. -8.5.0-dev+exp,true,http,http.version,keyword,extended,,1.1,HTTP version. -8.5.0-dev+exp,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. -8.5.0-dev+exp,true,log,log.level,keyword,core,,error,Log level of the log event. -8.5.0-dev+exp,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. -8.5.0-dev+exp,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event. 
-8.5.0-dev+exp,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. -8.5.0-dev+exp,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. -8.5.0-dev+exp,true,log,log.syslog,object,extended,,,Syslog metadata -8.5.0-dev+exp,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. -8.5.0-dev+exp,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. -8.5.0-dev+exp,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. -8.5.0-dev+exp,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. -8.5.0-dev+exp,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. -8.5.0-dev+exp,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. -8.5.0-dev+exp,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. -8.5.0-dev+exp,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. -8.5.0-dev+exp,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. -8.5.0-dev+exp,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages. -8.5.0-dev+exp,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. -8.5.0-dev+exp,true,network,network.application,keyword,extended,,aim,Application level protocol name. -8.5.0-dev+exp,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. -8.5.0-dev+exp,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. -8.5.0-dev+exp,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. 
-8.5.0-dev+exp,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. -8.5.0-dev+exp,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. -8.5.0-dev+exp,true,network,network.inner,object,extended,,,Inner VLAN tag information -8.5.0-dev+exp,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.5.0-dev+exp,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.5.0-dev+exp,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. -8.5.0-dev+exp,true,network,network.packets,long,core,,24,Total packets transferred in both directions. -8.5.0-dev+exp,true,network,network.protocol,keyword,core,,http,Application protocol name. -8.5.0-dev+exp,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. -8.5.0-dev+exp,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" -8.5.0-dev+exp,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.5.0-dev+exp,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.5.0-dev+exp,true,observer,observer.egress,object,extended,,,Object field for egress information -8.5.0-dev+exp,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias -8.5.0-dev+exp,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID -8.5.0-dev+exp,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name -8.5.0-dev+exp,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.5.0-dev+exp,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. 
-8.5.0-dev+exp,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone -8.5.0-dev+exp,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. -8.5.0-dev+exp,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. -8.5.0-dev+exp,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. -8.5.0-dev+exp,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.5.0-dev+exp,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. -8.5.0-dev+exp,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.5.0-dev+exp,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.5.0-dev+exp,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. -8.5.0-dev+exp,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.5.0-dev+exp,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. -8.5.0-dev+exp,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.5.0-dev+exp,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. -8.5.0-dev+exp,true,observer,observer.ingress,object,extended,,,Object field for ingress information -8.5.0-dev+exp,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias -8.5.0-dev+exp,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID -8.5.0-dev+exp,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name -8.5.0-dev+exp,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.5.0-dev+exp,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. 
-8.5.0-dev+exp,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone -8.5.0-dev+exp,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. -8.5.0-dev+exp,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. -8.5.0-dev+exp,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. -8.5.0-dev+exp,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.5.0-dev+exp,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.5.0-dev+exp,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.5.0-dev+exp,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -8.5.0-dev+exp,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.5.0-dev+exp,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.5.0-dev+exp,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.5.0-dev+exp,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." -8.5.0-dev+exp,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.5.0-dev+exp,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. -8.5.0-dev+exp,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. -8.5.0-dev+exp,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. 
-8.5.0-dev+exp,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. -8.5.0-dev+exp,true,observer,observer.version,keyword,core,,,Observer version. -8.5.0-dev+exp,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action -8.5.0-dev+exp,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster. -8.5.0-dev+exp,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster. -8.5.0-dev+exp,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster. -8.5.0-dev+exp,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. -8.5.0-dev+exp,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. -8.5.0-dev+exp,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). -8.5.0-dev+exp,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. -8.5.0-dev+exp,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. -8.5.0-dev+exp,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. -8.5.0-dev+exp,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. -8.5.0-dev+exp,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. -8.5.0-dev+exp,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)." -8.5.0-dev+exp,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. 
-8.5.0-dev+exp,true,organization,organization.name,keyword,extended,,,Organization name. -8.5.0-dev+exp,true,organization,organization.name.text,match_only_text,extended,,,Organization name. -8.5.0-dev+exp,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. -8.5.0-dev+exp,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information -8.5.0-dev+exp,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. -8.5.0-dev+exp,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. -8.5.0-dev+exp,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." -8.5.0-dev+exp,true,package,package.installed,date,extended,,,Time when package was installed. -8.5.0-dev+exp,true,package,package.license,keyword,extended,,Apache License 2.0,Package license -8.5.0-dev+exp,true,package,package.name,keyword,extended,,go,Package name -8.5.0-dev+exp,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. -8.5.0-dev+exp,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL -8.5.0-dev+exp,true,package,package.size,long,extended,,62231,Package size in bytes. -8.5.0-dev+exp,true,package,package.type,keyword,extended,,rpm,Package type -8.5.0-dev+exp,true,package,package.version,keyword,extended,,1.12.9,Package version -8.5.0-dev+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.5.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array. 
-8.5.0-dev+exp,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.5.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.5.0-dev+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.5.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.5.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.5.0-dev+exp,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.5.0-dev+exp,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.5.0-dev+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.5.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.5.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.5.0-dev+exp,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.5.0-dev+exp,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.5.0-dev+exp,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.5.0-dev+exp,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.5.0-dev+exp,true,process,process.elf.creation_date,date,extended,,,Build or compile date. 
-8.5.0-dev+exp,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. -8.5.0-dev+exp,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.5.0-dev+exp,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.5.0-dev+exp,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.5.0-dev+exp,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.5.0-dev+exp,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.5.0-dev+exp,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.5.0-dev+exp,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.5.0-dev+exp,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. -8.5.0-dev+exp,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. -8.5.0-dev+exp,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. -8.5.0-dev+exp,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.5.0-dev+exp,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.5.0-dev+exp,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.5.0-dev+exp,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. -8.5.0-dev+exp,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.5.0-dev+exp,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.5.0-dev+exp,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. 
-8.5.0-dev+exp,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.5.0-dev+exp,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.5.0-dev+exp,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. -8.5.0-dev+exp,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.5.0-dev+exp,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. -8.5.0-dev+exp,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.5.0-dev+exp,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.5.0-dev+exp,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -8.5.0-dev+exp,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.5.0-dev+exp,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.5.0-dev+exp,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. -8.5.0-dev+exp,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.5.0-dev+exp,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.5.0-dev+exp,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.5.0-dev+exp,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. -8.5.0-dev+exp,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. 
-8.5.0-dev+exp,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.5.0-dev+exp,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.5.0-dev+exp,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev+exp,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. -8.5.0-dev+exp,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.5.0-dev+exp,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. -8.5.0-dev+exp,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. -8.5.0-dev+exp,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.5.0-dev+exp,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. -8.5.0-dev+exp,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.5.0-dev+exp,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. -8.5.0-dev+exp,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.5.0-dev+exp,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.5.0-dev+exp,true,process,process.entry_leader.pid,long,core,,4242,Process id. -8.5.0-dev+exp,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev+exp,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. 
-8.5.0-dev+exp,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev+exp,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -8.5.0-dev+exp,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev+exp,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. -8.5.0-dev+exp,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev+exp,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.5.0-dev+exp,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev+exp,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.5.0-dev+exp,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. -8.5.0-dev+exp,true,process,process.entry_leader.tty.char_device.major,long,extended,,1,The TTY character device's major number. 
-8.5.0-dev+exp,true,process,process.entry_leader.tty.char_device.minor,long,extended,,128,The TTY character device's minor number. -8.5.0-dev+exp,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev+exp,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.5.0-dev+exp,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.5.0-dev+exp,true,process,process.env_vars,object,extended,,"{""USER"": ""elastic"",""LANG"": ""en_US.UTF-8"",""HOME"": ""/home/elastic""}",Environment variables set at the time of the event. -8.5.0-dev+exp,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.5.0-dev+exp,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.5.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process. -8.5.0-dev+exp,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.5.0-dev+exp,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. -8.5.0-dev+exp,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.5.0-dev+exp,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
-8.5.0-dev+exp,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.5.0-dev+exp,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.5.0-dev+exp,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.5.0-dev+exp,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev+exp,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. -8.5.0-dev+exp,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.5.0-dev+exp,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. -8.5.0-dev+exp,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. -8.5.0-dev+exp,true,process,process.group_leader.pid,long,core,,4242,Process id. -8.5.0-dev+exp,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev+exp,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. -8.5.0-dev+exp,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev+exp,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. 
-8.5.0-dev+exp,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev+exp,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. -8.5.0-dev+exp,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev+exp,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.5.0-dev+exp,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev+exp,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.5.0-dev+exp,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. -8.5.0-dev+exp,true,process,process.group_leader.tty.char_device.major,long,extended,,1,The TTY character device's major number. -8.5.0-dev+exp,true,process,process.group_leader.tty.char_device.minor,long,extended,,128,The TTY character device's minor number. -8.5.0-dev+exp,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev+exp,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. 
-8.5.0-dev+exp,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.5.0-dev+exp,true,process,process.hash.md5,keyword,extended,,,MD5 hash. -8.5.0-dev+exp,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. -8.5.0-dev+exp,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. -8.5.0-dev+exp,true,process,process.hash.sha384,keyword,extended,,,SHA384 hash. -8.5.0-dev+exp,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. -8.5.0-dev+exp,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.5.0-dev+exp,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. -8.5.0-dev+exp,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.5.0-dev+exp,true,process,process.name,keyword,extended,,ssh,Process name. -8.5.0-dev+exp,true,process,process.name.text,match_only_text,extended,,ssh,Process name. -8.5.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.5.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. -8.5.0-dev+exp,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.5.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.5.0-dev+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.5.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
-8.5.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.5.0-dev+exp,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.5.0-dev+exp,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.5.0-dev+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.5.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.5.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.5.0-dev+exp,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.5.0-dev+exp,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.5.0-dev+exp,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.5.0-dev+exp,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.5.0-dev+exp,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. -8.5.0-dev+exp,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. -8.5.0-dev+exp,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.5.0-dev+exp,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.5.0-dev+exp,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. 
-8.5.0-dev+exp,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.5.0-dev+exp,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.5.0-dev+exp,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.5.0-dev+exp,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.5.0-dev+exp,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. -8.5.0-dev+exp,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. -8.5.0-dev+exp,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. -8.5.0-dev+exp,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.5.0-dev+exp,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.5.0-dev+exp,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.5.0-dev+exp,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. -8.5.0-dev+exp,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.5.0-dev+exp,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.5.0-dev+exp,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. -8.5.0-dev+exp,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.5.0-dev+exp,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.5.0-dev+exp,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. 
-8.5.0-dev+exp,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.5.0-dev+exp,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. -8.5.0-dev+exp,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.5.0-dev+exp,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.5.0-dev+exp,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -8.5.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.5.0-dev+exp,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.5.0-dev+exp,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.5.0-dev+exp,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. -8.5.0-dev+exp,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev+exp,true,process,process.parent.group.name,keyword,extended,,,Name of the group. -8.5.0-dev+exp,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.5.0-dev+exp,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. -8.5.0-dev+exp,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.5.0-dev+exp,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. -8.5.0-dev+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. -8.5.0-dev+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. -8.5.0-dev+exp,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash. 
-8.5.0-dev+exp,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. -8.5.0-dev+exp,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.5.0-dev+exp,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. -8.5.0-dev+exp,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.5.0-dev+exp,true,process,process.parent.name,keyword,extended,,ssh,Process name. -8.5.0-dev+exp,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. -8.5.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.5.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.5.0-dev+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.5.0-dev+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.5.0-dev+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.5.0-dev+exp,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.5.0-dev+exp,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.5.0-dev+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.5.0-dev+exp,true,process,process.parent.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. -8.5.0-dev+exp,true,process,process.parent.pid,long,core,,4242,Process id. 
-8.5.0-dev+exp,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev+exp,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. -8.5.0-dev+exp,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev+exp,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev+exp,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group. -8.5.0-dev+exp,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev+exp,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.5.0-dev+exp,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev+exp,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. -8.5.0-dev+exp,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. -8.5.0-dev+exp,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. -8.5.0-dev+exp,true,process,process.parent.title,keyword,extended,,,Process title. -8.5.0-dev+exp,true,process,process.parent.title.text,match_only_text,extended,,,Process title. 
-8.5.0-dev+exp,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. -8.5.0-dev+exp,true,process,process.parent.tty.char_device.major,long,extended,,1,The TTY character device's major number. -8.5.0-dev+exp,true,process,process.parent.tty.char_device.minor,long,extended,,128,The TTY character device's minor number. -8.5.0-dev+exp,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. -8.5.0-dev+exp,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev+exp,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.5.0-dev+exp,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.5.0-dev+exp,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.5.0-dev+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.5.0-dev+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.5.0-dev+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.5.0-dev+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.5.0-dev+exp,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
-8.5.0-dev+exp,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.5.0-dev+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.5.0-dev+exp,true,process,process.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. -8.5.0-dev+exp,true,process,process.pid,long,core,,4242,Process id. -8.5.0-dev+exp,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.5.0-dev+exp,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. -8.5.0-dev+exp,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.5.0-dev+exp,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.5.0-dev+exp,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev+exp,true,process,process.real_group.name,keyword,extended,,,Name of the group. -8.5.0-dev+exp,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev+exp,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev+exp,true,process,process.saved_group.name,keyword,extended,,,Name of the group. 
-8.5.0-dev+exp,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev+exp,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.5.0-dev+exp,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array. -8.5.0-dev+exp,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.5.0-dev+exp,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.5.0-dev+exp,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.5.0-dev+exp,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.5.0-dev+exp,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.5.0-dev+exp,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev+exp,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. -8.5.0-dev+exp,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.5.0-dev+exp,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. -8.5.0-dev+exp,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. 
-8.5.0-dev+exp,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.5.0-dev+exp,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. -8.5.0-dev+exp,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.5.0-dev+exp,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. -8.5.0-dev+exp,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.5.0-dev+exp,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.5.0-dev+exp,true,process,process.session_leader.pid,long,core,,4242,Process id. -8.5.0-dev+exp,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev+exp,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. -8.5.0-dev+exp,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev+exp,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -8.5.0-dev+exp,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev+exp,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group. 
-8.5.0-dev+exp,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev+exp,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.5.0-dev+exp,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev+exp,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.5.0-dev+exp,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. -8.5.0-dev+exp,true,process,process.session_leader.tty.char_device.major,long,extended,,1,The TTY character device's major number. -8.5.0-dev+exp,true,process,process.session_leader.tty.char_device.minor,long,extended,,128,The TTY character device's minor number. -8.5.0-dev+exp,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev+exp,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.5.0-dev+exp,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.5.0-dev+exp,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 
-8.5.0-dev+exp,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev+exp,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. -8.5.0-dev+exp,true,process,process.thread.id,long,extended,,4242,Thread ID. -8.5.0-dev+exp,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. -8.5.0-dev+exp,true,process,process.title,keyword,extended,,,Process title. -8.5.0-dev+exp,true,process,process.title.text,match_only_text,extended,,,Process title. -8.5.0-dev+exp,true,process,process.tty,object,extended,,,Information about the controlling TTY device. -8.5.0-dev+exp,true,process,process.tty.char_device.major,long,extended,,1,The TTY character device's major number. -8.5.0-dev+exp,true,process,process.tty.char_device.minor,long,extended,,128,The TTY character device's minor number. -8.5.0-dev+exp,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. -8.5.0-dev+exp,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev+exp,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.5.0-dev+exp,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.5.0-dev+exp,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.5.0-dev+exp,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. 
-8.5.0-dev+exp,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.5.0-dev+exp,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.5.0-dev+exp,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -8.5.0-dev+exp,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.5.0-dev+exp,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. -8.5.0-dev+exp,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. -8.5.0-dev+exp,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. -8.5.0-dev+exp,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. -8.5.0-dev+exp,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. 
-8.5.0-dev+exp,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author -8.5.0-dev+exp,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category -8.5.0-dev+exp,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description -8.5.0-dev+exp,true,rule,rule.id,keyword,extended,,101,Rule ID -8.5.0-dev+exp,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license -8.5.0-dev+exp,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name -8.5.0-dev+exp,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL -8.5.0-dev+exp,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset -8.5.0-dev+exp,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID -8.5.0-dev+exp,true,rule,rule.version,keyword,extended,,1.1,Rule version -8.5.0-dev+exp,true,server,server.address,keyword,extended,,,Server network address. -8.5.0-dev+exp,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.5.0-dev+exp,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.5.0-dev+exp,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.5.0-dev+exp,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. -8.5.0-dev+exp,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server. -8.5.0-dev+exp,true,server,server.geo.city_name,keyword,core,,Montreal,City name. -8.5.0-dev+exp,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. -8.5.0-dev+exp,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. -8.5.0-dev+exp,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.5.0-dev+exp,true,server,server.geo.country_name,keyword,core,,Canada,Country name. 
-8.5.0-dev+exp,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.5.0-dev+exp,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.5.0-dev+exp,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. -8.5.0-dev+exp,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.5.0-dev+exp,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. -8.5.0-dev+exp,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.5.0-dev+exp,true,server,server.ip,ip,core,,,IP address of the server. -8.5.0-dev+exp,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. -8.5.0-dev+exp,true,server,server.nat.ip,ip,extended,,,Server NAT ip -8.5.0-dev+exp,true,server,server.nat.port,long,extended,,,Server NAT port -8.5.0-dev+exp,true,server,server.packets,long,core,,12,Packets sent from the server to the client. -8.5.0-dev+exp,true,server,server.port,long,core,,,Port of the server. -8.5.0-dev+exp,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." -8.5.0-dev+exp,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. -8.5.0-dev+exp,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.5.0-dev+exp,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.5.0-dev+exp,true,server,server.user.email,keyword,extended,,,User email address. -8.5.0-dev+exp,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.5.0-dev+exp,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
-8.5.0-dev+exp,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.5.0-dev+exp,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev+exp,true,server,server.user.group.name,keyword,extended,,,Name of the group. -8.5.0-dev+exp,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.5.0-dev+exp,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev+exp,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.5.0-dev+exp,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.5.0-dev+exp,true,service,service.environment,keyword,extended,,production,Environment of the service. -8.5.0-dev+exp,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.5.0-dev+exp,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.5.0-dev+exp,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. -8.5.0-dev+exp,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.5.0-dev+exp,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.5.0-dev+exp,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. 
-8.5.0-dev+exp,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.5.0-dev+exp,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. -8.5.0-dev+exp,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.5.0-dev+exp,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.5.0-dev+exp,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. -8.5.0-dev+exp,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.5.0-dev+exp,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.5.0-dev+exp,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -8.5.0-dev+exp,true,service,service.origin.state,keyword,core,,,Current state of the service. -8.5.0-dev+exp,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. -8.5.0-dev+exp,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. -8.5.0-dev+exp,true,service,service.state,keyword,core,,,Current state of the service. -8.5.0-dev+exp,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.5.0-dev+exp,true,service,service.target.environment,keyword,extended,,production,Environment of the service. -8.5.0-dev+exp,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.5.0-dev+exp,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.5.0-dev+exp,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. 
-8.5.0-dev+exp,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.5.0-dev+exp,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.5.0-dev+exp,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -8.5.0-dev+exp,true,service,service.target.state,keyword,core,,,Current state of the service. -8.5.0-dev+exp,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. -8.5.0-dev+exp,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. -8.5.0-dev+exp,true,service,service.type,keyword,core,,elasticsearch,The type of the service. -8.5.0-dev+exp,true,service,service.version,keyword,core,,3.2.4,Version of the service. -8.5.0-dev+exp,true,source,source.address,keyword,extended,,,Source network address. -8.5.0-dev+exp,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.5.0-dev+exp,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.5.0-dev+exp,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.5.0-dev+exp,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. -8.5.0-dev+exp,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source. -8.5.0-dev+exp,true,source,source.geo.city_name,keyword,core,,Montreal,City name. -8.5.0-dev+exp,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. -8.5.0-dev+exp,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. -8.5.0-dev+exp,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.5.0-dev+exp,true,source,source.geo.country_name,keyword,core,,Canada,Country name. 
-8.5.0-dev+exp,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.5.0-dev+exp,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.5.0-dev+exp,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. -8.5.0-dev+exp,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.5.0-dev+exp,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. -8.5.0-dev+exp,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.5.0-dev+exp,true,source,source.ip,ip,core,,,IP address of the source. -8.5.0-dev+exp,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. -8.5.0-dev+exp,true,source,source.nat.ip,ip,extended,,,Source NAT ip -8.5.0-dev+exp,true,source,source.nat.port,long,extended,,,Source NAT port -8.5.0-dev+exp,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. -8.5.0-dev+exp,true,source,source.port,long,core,,,Port of the source. -8.5.0-dev+exp,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -8.5.0-dev+exp,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. -8.5.0-dev+exp,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.5.0-dev+exp,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.5.0-dev+exp,true,source,source.user.email,keyword,extended,,,User email address. -8.5.0-dev+exp,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.5.0-dev+exp,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
-8.5.0-dev+exp,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.5.0-dev+exp,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev+exp,true,source,source.user.group.name,keyword,extended,,,Name of the group. -8.5.0-dev+exp,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.5.0-dev+exp,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev+exp,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.5.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. -8.5.0-dev+exp,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. 
-8.5.0-dev+exp,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 
-8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. 
-8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. 
-8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. 
-8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 
-8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
-8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.5.0-dev+exp,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. 
-8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. 
-8.5.0-dev+exp,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,WHITE,Indicator TLP marking -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. 
-8.5.0-dev+exp,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. 
-8.5.0-dev+exp,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. 
-8.5.0-dev+exp,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. 
-8.5.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.5.0-dev+exp,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. 
-8.5.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.5.0-dev+exp,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. -8.5.0-dev+exp,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value -8.5.0-dev+exp,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field -8.5.0-dev+exp,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier -8.5.0-dev+exp,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index -8.5.0-dev+exp,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05T17:00:58.326Z,Date of match -8.5.0-dev+exp,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match -8.5.0-dev+exp,true,threat,threat.feed.dashboard_id,keyword,extended,,5ba16340-72e6-11eb-a3e3-b3cc7c78a70f,Feed dashboard ID. -8.5.0-dev+exp,true,threat,threat.feed.description,keyword,extended,,Threat feed from the AlienVault Open Threat eXchange network.,Description of the threat feed. -8.5.0-dev+exp,true,threat,threat.feed.name,keyword,extended,,AlienVault OTX,Name of the threat feed. -8.5.0-dev+exp,true,threat,threat.feed.reference,keyword,extended,,https://otx.alienvault.com,Reference for the threat feed. -8.5.0-dev+exp,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. -8.5.0-dev+exp,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. 
-8.5.0-dev+exp,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. -8.5.0-dev+exp,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. -8.5.0-dev+exp,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. -8.5.0-dev+exp,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.5.0-dev+exp,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.5.0-dev+exp,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.5.0-dev+exp,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating -8.5.0-dev+exp,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -8.5.0-dev+exp,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address -8.5.0-dev+exp,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. -8.5.0-dev+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.5.0-dev+exp,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.5.0-dev+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.5.0-dev+exp,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.5.0-dev+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
-8.5.0-dev+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.5.0-dev+exp,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.5.0-dev+exp,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.5.0-dev+exp,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.5.0-dev+exp,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.5.0-dev+exp,true,threat,threat.indicator.file.created,date,extended,,,File creation time. -8.5.0-dev+exp,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.5.0-dev+exp,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. -8.5.0-dev+exp,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.5.0-dev+exp,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.5.0-dev+exp,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.5.0-dev+exp,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.5.0-dev+exp,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.5.0-dev+exp,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. -8.5.0-dev+exp,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. 
-8.5.0-dev+exp,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.5.0-dev+exp,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.5.0-dev+exp,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.5.0-dev+exp,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.5.0-dev+exp,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.5.0-dev+exp,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.5.0-dev+exp,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.5.0-dev+exp,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.5.0-dev+exp,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. -8.5.0-dev+exp,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. -8.5.0-dev+exp,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.5.0-dev+exp,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.5.0-dev+exp,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.5.0-dev+exp,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.5.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.5.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. 
-8.5.0-dev+exp,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.5.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.5.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.5.0-dev+exp,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. -8.5.0-dev+exp,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.5.0-dev+exp,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.5.0-dev+exp,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.5.0-dev+exp,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.5.0-dev+exp,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.5.0-dev+exp,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.5.0-dev+exp,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.5.0-dev+exp,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. -8.5.0-dev+exp,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. -8.5.0-dev+exp,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.5.0-dev+exp,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.5.0-dev+exp,true,threat,threat.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.5.0-dev+exp,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. 
-8.5.0-dev+exp,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.5.0-dev+exp,true,threat,threat.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.5.0-dev+exp,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.5.0-dev+exp,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.5.0-dev+exp,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. -8.5.0-dev+exp,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. -8.5.0-dev+exp,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.5.0-dev+exp,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. -8.5.0-dev+exp,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.5.0-dev+exp,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.5.0-dev+exp,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.5.0-dev+exp,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.5.0-dev+exp,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.5.0-dev+exp,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.5.0-dev+exp,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. 
-8.5.0-dev+exp,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.5.0-dev+exp,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.5.0-dev+exp,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.5.0-dev+exp,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. -8.5.0-dev+exp,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. -8.5.0-dev+exp,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.5.0-dev+exp,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -8.5.0-dev+exp,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.5.0-dev+exp,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.5.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.5.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.5.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
-8.5.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.5.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.5.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.5.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.5.0-dev+exp,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.5.0-dev+exp,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.5.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.5.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.5.0-dev+exp,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.5.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.5.0-dev+exp,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.5.0-dev+exp,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. 
-8.5.0-dev+exp,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.5.0-dev+exp,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.5.0-dev+exp,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.5.0-dev+exp,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.5.0-dev+exp,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.5.0-dev+exp,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.5.0-dev+exp,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.5.0-dev+exp,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.5.0-dev+exp,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. -8.5.0-dev+exp,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. -8.5.0-dev+exp,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. -8.5.0-dev+exp,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. -8.5.0-dev+exp,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.5.0-dev+exp,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. 
-8.5.0-dev+exp,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.5.0-dev+exp,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.5.0-dev+exp,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. -8.5.0-dev+exp,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.5.0-dev+exp,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. -8.5.0-dev+exp,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.5.0-dev+exp,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address -8.5.0-dev+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. -8.5.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,WHITE,Indicator TLP marking -8.5.0-dev+exp,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. -8.5.0-dev+exp,true,threat,threat.indicator.port,long,extended,,443,Indicator port -8.5.0-dev+exp,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider -8.5.0-dev+exp,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL -8.5.0-dev+exp,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.5.0-dev+exp,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. 
-8.5.0-dev+exp,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.5.0-dev+exp,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.5.0-dev+exp,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -8.5.0-dev+exp,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.5.0-dev+exp,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. -8.5.0-dev+exp,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics -8.5.0-dev+exp,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed -8.5.0-dev+exp,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator -8.5.0-dev+exp,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.5.0-dev+exp,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -8.5.0-dev+exp,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.5.0-dev+exp,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.5.0-dev+exp,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.5.0-dev+exp,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. 
-8.5.0-dev+exp,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.5.0-dev+exp,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. -8.5.0-dev+exp,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.5.0-dev+exp,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." -8.5.0-dev+exp,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. -8.5.0-dev+exp,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.5.0-dev+exp,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. -8.5.0-dev+exp,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.5.0-dev+exp,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.5.0-dev+exp,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. -8.5.0-dev+exp,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.5.0-dev+exp,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.5.0-dev+exp,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.5.0-dev+exp,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
-8.5.0-dev+exp,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.5.0-dev+exp,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.5.0-dev+exp,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.5.0-dev+exp,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.5.0-dev+exp,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.5.0-dev+exp,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.5.0-dev+exp,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.5.0-dev+exp,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.5.0-dev+exp,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.5.0-dev+exp,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.5.0-dev+exp,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.5.0-dev+exp,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. 
-8.5.0-dev+exp,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.5.0-dev+exp,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.5.0-dev+exp,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.5.0-dev+exp,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.5.0-dev+exp,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.5.0-dev+exp,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.5.0-dev+exp,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.5.0-dev+exp,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. -8.5.0-dev+exp,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software -8.5.0-dev+exp,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software -8.5.0-dev+exp,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. -8.5.0-dev+exp,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. -8.5.0-dev+exp,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. -8.5.0-dev+exp,true,threat,threat.software.type,keyword,extended,,Tool,Software type. -8.5.0-dev+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. 
-8.5.0-dev+exp,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. -8.5.0-dev+exp,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. -8.5.0-dev+exp,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. -8.5.0-dev+exp,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. -8.5.0-dev+exp,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name. -8.5.0-dev+exp,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. -8.5.0-dev+exp,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. -8.5.0-dev+exp,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. -8.5.0-dev+exp,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name. -8.5.0-dev+exp,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. -8.5.0-dev+exp,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. -8.5.0-dev+exp,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. -8.5.0-dev+exp,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. -8.5.0-dev+exp,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. 
-8.5.0-dev+exp,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. -8.5.0-dev+exp,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. -8.5.0-dev+exp,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. -8.5.0-dev+exp,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. -8.5.0-dev+exp,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. -8.5.0-dev+exp,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. -8.5.0-dev+exp,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. -8.5.0-dev+exp,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. -8.5.0-dev+exp,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. -8.5.0-dev+exp,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
-8.5.0-dev+exp,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.5.0-dev+exp,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.5.0-dev+exp,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.5.0-dev+exp,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.5.0-dev+exp,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.5.0-dev+exp,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.5.0-dev+exp,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.5.0-dev+exp,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.5.0-dev+exp,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.5.0-dev+exp,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.5.0-dev+exp,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.5.0-dev+exp,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.5.0-dev+exp,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. 
-8.5.0-dev+exp,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.5.0-dev+exp,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.5.0-dev+exp,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.5.0-dev+exp,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.5.0-dev+exp,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.5.0-dev+exp,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.5.0-dev+exp,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.5.0-dev+exp,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.5.0-dev+exp,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.5.0-dev+exp,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. -8.5.0-dev+exp,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." -8.5.0-dev+exp,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. -8.5.0-dev+exp,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. -8.5.0-dev+exp,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. 
-8.5.0-dev+exp,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. -8.5.0-dev+exp,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. -8.5.0-dev+exp,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. -8.5.0-dev+exp,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. -8.5.0-dev+exp,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. -8.5.0-dev+exp,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. -8.5.0-dev+exp,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. -8.5.0-dev+exp,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. -8.5.0-dev+exp,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. -8.5.0-dev+exp,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. -8.5.0-dev+exp,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
-8.5.0-dev+exp,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.5.0-dev+exp,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.5.0-dev+exp,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.5.0-dev+exp,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.5.0-dev+exp,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.5.0-dev+exp,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.5.0-dev+exp,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.5.0-dev+exp,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.5.0-dev+exp,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.5.0-dev+exp,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.5.0-dev+exp,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.5.0-dev+exp,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.5.0-dev+exp,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. 
-8.5.0-dev+exp,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.5.0-dev+exp,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.5.0-dev+exp,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.5.0-dev+exp,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.5.0-dev+exp,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.5.0-dev+exp,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.5.0-dev+exp,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.5.0-dev+exp,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.5.0-dev+exp,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.5.0-dev+exp,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. -8.5.0-dev+exp,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. -8.5.0-dev+exp,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. -8.5.0-dev+exp,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. -8.5.0-dev+exp,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. 
-8.5.0-dev+exp,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.5.0-dev+exp,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -8.5.0-dev+exp,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.5.0-dev+exp,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.5.0-dev+exp,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.5.0-dev+exp,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.5.0-dev+exp,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.5.0-dev+exp,true,url,url.password,keyword,extended,,,Password of the request. -8.5.0-dev+exp,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.5.0-dev+exp,true,url,url.port,long,extended,,443,"Port of the request, such as 443." -8.5.0-dev+exp,true,url,url.query,keyword,extended,,,Query string of the request. -8.5.0-dev+exp,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.5.0-dev+exp,true,url,url.scheme,keyword,extended,,https,Scheme of the url. -8.5.0-dev+exp,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.5.0-dev+exp,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.5.0-dev+exp,true,url,url.username,keyword,extended,,,Username of the request. -8.5.0-dev+exp,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. 
-8.5.0-dev+exp,true,user,user.changes.email,keyword,extended,,,User email address. -8.5.0-dev+exp,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.5.0-dev+exp,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.5.0-dev+exp,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.5.0-dev+exp,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev+exp,true,user,user.changes.group.name,keyword,extended,,,Name of the group. -8.5.0-dev+exp,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.5.0-dev+exp,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev+exp,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,user,user.changes.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.5.0-dev+exp,true,user,user.changes.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.5.0-dev+exp,true,user,user.changes.risk.calculated_score_norm,float,extended,,88.73,"A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100." -8.5.0-dev+exp,true,user,user.changes.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 
-8.5.0-dev+exp,true,user,user.changes.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.5.0-dev+exp,true,user,user.changes.risk.static_score_norm,float,extended,,83.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100." -8.5.0-dev+exp,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.5.0-dev+exp,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.5.0-dev+exp,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. -8.5.0-dev+exp,true,user,user.effective.email,keyword,extended,,,User email address. -8.5.0-dev+exp,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.5.0-dev+exp,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.5.0-dev+exp,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.5.0-dev+exp,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev+exp,true,user,user.effective.group.name,keyword,extended,,,Name of the group. -8.5.0-dev+exp,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.5.0-dev+exp,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev+exp,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
-8.5.0-dev+exp,true,user,user.effective.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.5.0-dev+exp,true,user,user.effective.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.5.0-dev+exp,true,user,user.effective.risk.calculated_score_norm,float,extended,,88.73,"A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100." -8.5.0-dev+exp,true,user,user.effective.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.5.0-dev+exp,true,user,user.effective.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.5.0-dev+exp,true,user,user.effective.risk.static_score_norm,float,extended,,83.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100." -8.5.0-dev+exp,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.5.0-dev+exp,true,user,user.email,keyword,extended,,,User email address. -8.5.0-dev+exp,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.5.0-dev+exp,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.5.0-dev+exp,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.5.0-dev+exp,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-8.5.0-dev+exp,true,user,user.group.name,keyword,extended,,,Name of the group. -8.5.0-dev+exp,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.5.0-dev+exp,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev+exp,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.5.0-dev+exp,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.5.0-dev+exp,true,user,user.risk.calculated_score_norm,float,extended,,88.73,"A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100." -8.5.0-dev+exp,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.5.0-dev+exp,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.5.0-dev+exp,true,user,user.risk.static_score_norm,float,extended,,83.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100." -8.5.0-dev+exp,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 
-8.5.0-dev+exp,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. -8.5.0-dev+exp,true,user,user.target.email,keyword,extended,,,User email address. -8.5.0-dev+exp,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.5.0-dev+exp,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.5.0-dev+exp,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.5.0-dev+exp,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev+exp,true,user,user.target.group.name,keyword,extended,,,Name of the group. -8.5.0-dev+exp,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.5.0-dev+exp,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev+exp,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev+exp,true,user,user.target.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.5.0-dev+exp,true,user,user.target.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.5.0-dev+exp,true,user,user.target.risk.calculated_score_norm,float,extended,,88.73,"A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100." 
-8.5.0-dev+exp,true,user,user.target.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.5.0-dev+exp,true,user,user.target.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.5.0-dev+exp,true,user,user.target.risk.static_score_norm,float,extended,,83.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100." -8.5.0-dev+exp,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.5.0-dev+exp,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. -8.5.0-dev+exp,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. -8.5.0-dev+exp,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -8.5.0-dev+exp,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -8.5.0-dev+exp,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.5.0-dev+exp,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.5.0-dev+exp,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 
-8.5.0-dev+exp,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -8.5.0-dev+exp,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.5.0-dev+exp,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.5.0-dev+exp,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.5.0-dev+exp,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." -8.5.0-dev+exp,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.5.0-dev+exp,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. -8.5.0-dev+exp,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. -8.5.0-dev+exp,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. -8.5.0-dev+exp,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -8.5.0-dev+exp,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -8.5.0-dev+exp,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. -8.5.0-dev+exp,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. -8.5.0-dev+exp,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. 
-8.5.0-dev+exp,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. -8.5.0-dev+exp,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. -8.5.0-dev+exp,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. -8.5.0-dev+exp,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. -8.5.0-dev+exp,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. -8.5.0-dev+exp,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. -8.5.0-dev+exp,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. +8.6.0-dev+exp,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. +8.6.0-dev+exp,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. +8.6.0-dev+exp,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer. +8.6.0-dev+exp,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. +8.6.0-dev+exp,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. +8.6.0-dev+exp,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. +8.6.0-dev+exp,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. +8.6.0-dev+exp,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. +8.6.0-dev+exp,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. +8.6.0-dev+exp,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. 
+8.6.0-dev+exp,true,cgroup,cgroup.cpu.periods,long,extended,,454839343,Number of period intervals that have elapsed. +8.6.0-dev+exp,true,cgroup,cgroup.cpu.throttled.us,long,extended,,15000,Microseconds of CPU throttled time. +8.6.0-dev+exp,true,cgroup,cgroup.cpu.usage,scaled_float,extended,,,"CPU usage, normalized by the CPU count." +8.6.0-dev+exp,true,cgroup,cgroup.memory.limit,long,extended,,256,Memory limit within the cgroup. +8.6.0-dev+exp,true,cgroup,cgroup.memory.swap.usage,long,extended,,5600,The amount of cgroup memory in swap. +8.6.0-dev+exp,true,cgroup,cgroup.memory.usage,long,extended,,25600,Memory usage in bytes +8.6.0-dev+exp,true,cgroup,cgroup.version,long,extended,,,The cgroup version linked to the metrics +8.6.0-dev+exp,true,client,client.address,keyword,extended,,,Client network address. +8.6.0-dev+exp,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.6.0-dev+exp,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.6.0-dev+exp,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.6.0-dev+exp,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. +8.6.0-dev+exp,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client. +8.6.0-dev+exp,true,client,client.geo.city_name,keyword,core,,Montreal,City name. +8.6.0-dev+exp,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. +8.6.0-dev+exp,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. +8.6.0-dev+exp,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.6.0-dev+exp,true,client,client.geo.country_name,keyword,core,,Canada,Country name. +8.6.0-dev+exp,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
+8.6.0-dev+exp,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.6.0-dev+exp,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. +8.6.0-dev+exp,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.6.0-dev+exp,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. +8.6.0-dev+exp,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.6.0-dev+exp,true,client,client.ip,ip,core,,,IP address of the client. +8.6.0-dev+exp,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. +8.6.0-dev+exp,true,client,client.nat.ip,ip,extended,,,Client NAT ip address +8.6.0-dev+exp,true,client,client.nat.port,long,extended,,,Client NAT port +8.6.0-dev+exp,true,client,client.packets,long,core,,12,Packets sent from the client to the server. +8.6.0-dev+exp,true,client,client.port,long,core,,,Port of the client. +8.6.0-dev+exp,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." +8.6.0-dev+exp,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. +8.6.0-dev+exp,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.6.0-dev+exp,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.6.0-dev+exp,true,client,client.user.email,keyword,extended,,,User email address. +8.6.0-dev+exp,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.6.0-dev+exp,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.6.0-dev+exp,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+8.6.0-dev+exp,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev+exp,true,client,client.user.group.name,keyword,extended,,,Name of the group. +8.6.0-dev+exp,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.6.0-dev+exp,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev+exp,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.6.0-dev+exp,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. +8.6.0-dev+exp,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. +8.6.0-dev+exp,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +8.6.0-dev+exp,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +8.6.0-dev+exp,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. +8.6.0-dev+exp,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +8.6.0-dev+exp,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. +8.6.0-dev+exp,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. +8.6.0-dev+exp,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." 
+8.6.0-dev+exp,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +8.6.0-dev+exp,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine. +8.6.0-dev+exp,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +8.6.0-dev+exp,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id. +8.6.0-dev+exp,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name. +8.6.0-dev+exp,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider. +8.6.0-dev+exp,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +8.6.0-dev+exp,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name. +8.6.0-dev+exp,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. +8.6.0-dev+exp,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. +8.6.0-dev+exp,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. +8.6.0-dev+exp,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +8.6.0-dev+exp,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. +8.6.0-dev+exp,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id. +8.6.0-dev+exp,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name. +8.6.0-dev+exp,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +8.6.0-dev+exp,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. 
+8.6.0-dev+exp,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine. +8.6.0-dev+exp,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +8.6.0-dev+exp,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id. +8.6.0-dev+exp,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name. +8.6.0-dev+exp,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider. +8.6.0-dev+exp,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +8.6.0-dev+exp,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name. +8.6.0-dev+exp,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +8.6.0-dev+exp,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +8.6.0-dev+exp,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +8.6.0-dev+exp,true,container,container.id,keyword,core,,,Unique container id. +8.6.0-dev+exp,true,container,container.image.hash.all,keyword,extended,array,[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26],An array of digests of the image the container was built on. +8.6.0-dev+exp,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. +8.6.0-dev+exp,true,container,container.image.tag,keyword,extended,array,,Container image tags. +8.6.0-dev+exp,true,container,container.labels,object,extended,,,Image labels. +8.6.0-dev+exp,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1." +8.6.0-dev+exp,true,container,container.name,keyword,extended,,,Container name. 
+8.6.0-dev+exp,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +8.6.0-dev+exp,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +8.6.0-dev+exp,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. +8.6.0-dev+exp,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. +8.6.0-dev+exp,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. +8.6.0-dev+exp,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. +8.6.0-dev+exp,true,destination,destination.address,keyword,extended,,,Destination network address. +8.6.0-dev+exp,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.6.0-dev+exp,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.6.0-dev+exp,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.6.0-dev+exp,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. +8.6.0-dev+exp,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination. +8.6.0-dev+exp,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. +8.6.0-dev+exp,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. +8.6.0-dev+exp,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. +8.6.0-dev+exp,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. 
+8.6.0-dev+exp,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. +8.6.0-dev+exp,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.6.0-dev+exp,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.6.0-dev+exp,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. +8.6.0-dev+exp,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.6.0-dev+exp,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. +8.6.0-dev+exp,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.6.0-dev+exp,true,destination,destination.ip,ip,core,,,IP address of the destination. +8.6.0-dev+exp,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. +8.6.0-dev+exp,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip +8.6.0-dev+exp,true,destination,destination.nat.port,long,extended,,,Destination NAT Port +8.6.0-dev+exp,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. +8.6.0-dev+exp,true,destination,destination.port,long,core,,,Port of the destination. +8.6.0-dev+exp,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." +8.6.0-dev+exp,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. +8.6.0-dev+exp,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.6.0-dev+exp,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.6.0-dev+exp,true,destination,destination.user.email,keyword,extended,,,User email address. 
+8.6.0-dev+exp,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.6.0-dev+exp,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.6.0-dev+exp,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.6.0-dev+exp,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev+exp,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. +8.6.0-dev+exp,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.6.0-dev+exp,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev+exp,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.6.0-dev+exp,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.6.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.6.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.6.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
+8.6.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.6.0-dev+exp,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.6.0-dev+exp,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.6.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.6.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.6.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. +8.6.0-dev+exp,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. +8.6.0-dev+exp,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. +8.6.0-dev+exp,true,dll,dll.hash.sha384,keyword,extended,,,SHA384 hash. +8.6.0-dev+exp,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. +8.6.0-dev+exp,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.6.0-dev+exp,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. +8.6.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. +8.6.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. +8.6.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.6.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.6.0-dev+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.6.0-dev+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.6.0-dev+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. 
+8.6.0-dev+exp,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.6.0-dev+exp,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.6.0-dev+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.6.0-dev+exp,true,dns,dns.answers,object,extended,array,,Array of DNS answers. +8.6.0-dev+exp,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. +8.6.0-dev+exp,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. +8.6.0-dev+exp,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. +8.6.0-dev+exp,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. +8.6.0-dev+exp,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. +8.6.0-dev+exp,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. +8.6.0-dev+exp,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. +8.6.0-dev+exp,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. +8.6.0-dev+exp,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. +8.6.0-dev+exp,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. +8.6.0-dev+exp,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." 
+8.6.0-dev+exp,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. +8.6.0-dev+exp,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.6.0-dev+exp,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. +8.6.0-dev+exp,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data +8.6.0-dev+exp,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. +8.6.0-dev+exp,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." +8.6.0-dev+exp,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. +8.6.0-dev+exp,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. +8.6.0-dev+exp,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. +8.6.0-dev+exp,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. +8.6.0-dev+exp,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. +8.6.0-dev+exp,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. +8.6.0-dev+exp,true,email,email.attachments.file.hash.sha384,keyword,extended,,,SHA384 hash. +8.6.0-dev+exp,true,email,email.attachments.file.hash.sha512,keyword,extended,,,SHA512 hash. +8.6.0-dev+exp,true,email,email.attachments.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.6.0-dev+exp,true,email,email.attachments.file.hash.tlsh,keyword,extended,,,TLSH hash. +8.6.0-dev+exp,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file. +8.6.0-dev+exp,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file. +8.6.0-dev+exp,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size. 
+8.6.0-dev+exp,true,email,email.bcc.address,keyword,extended,array,bcc.user1@example.com,Email address of BCC recipient +8.6.0-dev+exp,true,email,email.cc.address,keyword,extended,array,cc.user1@example.com,Email address of CC recipient +8.6.0-dev+exp,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message. +8.6.0-dev+exp,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered. +8.6.0-dev+exp,true,email,email.direction,keyword,extended,,inbound,Direction of the message. +8.6.0-dev+exp,true,email,email.from.address,keyword,extended,array,sender@example.com,The sender's email address. +8.6.0-dev+exp,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source. +8.6.0-dev+exp,true,email,email.message_id,wildcard,extended,,81ce15$8r2j59@mail01.example.com,Value from the Message-ID header. +8.6.0-dev+exp,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed. +8.6.0-dev+exp,true,email,email.reply_to.address,keyword,extended,array,reply.here@example.com,Address replies should be delivered to. +8.6.0-dev+exp,true,email,email.sender.address,keyword,extended,,,Address of the message sender. +8.6.0-dev+exp,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message. +8.6.0-dev+exp,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. +8.6.0-dev+exp,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient +8.6.0-dev+exp,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. +8.6.0-dev+exp,true,error,error.code,keyword,core,,,Error code describing the error. +8.6.0-dev+exp,true,error,error.id,keyword,core,,,Unique identifier for the error. 
+8.6.0-dev+exp,true,error,error.message,match_only_text,core,,,Error message. +8.6.0-dev+exp,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. +8.6.0-dev+exp,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text. +8.6.0-dev+exp,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." +8.6.0-dev+exp,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. +8.6.0-dev+exp,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. +8.6.0-dev+exp,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. +8.6.0-dev+exp,true,event,event.code,keyword,extended,,4648,Identification code for this event. +8.6.0-dev+exp,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. +8.6.0-dev+exp,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. +8.6.0-dev+exp,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. +8.6.0-dev+exp,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. +8.6.0-dev+exp,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +8.6.0-dev+exp,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. +8.6.0-dev+exp,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. +8.6.0-dev+exp,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. 
+8.6.0-dev+exp,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. +8.6.0-dev+exp,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +8.6.0-dev+exp,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. +8.6.0-dev+exp,true,event,event.provider,keyword,extended,,kernel,Source of the event. +8.6.0-dev+exp,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" +8.6.0-dev+exp,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL +8.6.0-dev+exp,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +8.6.0-dev+exp,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). +8.6.0-dev+exp,true,event,event.sequence,long,extended,,,Sequence number of the event. +8.6.0-dev+exp,true,event,event.severity,long,core,,7,Numeric severity of the event. +8.6.0-dev+exp,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. +8.6.0-dev+exp,true,event,event.timezone,keyword,extended,,,Event time zone. +8.6.0-dev+exp,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. +8.6.0-dev+exp,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL +8.6.0-dev+exp,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function. 
+8.6.0-dev+exp,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. +8.6.0-dev+exp,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. +8.6.0-dev+exp,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. +8.6.0-dev+exp,true,faas,faas.trigger,nested,extended,,,Details about the function trigger. +8.6.0-dev+exp,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." +8.6.0-dev+exp,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. +8.6.0-dev+exp,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. +8.6.0-dev+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed. +8.6.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +8.6.0-dev+exp,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.6.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.6.0-dev+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.6.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.6.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.6.0-dev+exp,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.6.0-dev+exp,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 
+8.6.0-dev+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.6.0-dev+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.6.0-dev+exp,true,file,file.created,date,extended,,,File creation time. +8.6.0-dev+exp,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. +8.6.0-dev+exp,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. +8.6.0-dev+exp,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. +8.6.0-dev+exp,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +8.6.0-dev+exp,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.6.0-dev+exp,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.6.0-dev+exp,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.6.0-dev+exp,true,file,file.elf.creation_date,date,extended,,,Build or compile date. +8.6.0-dev+exp,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. +8.6.0-dev+exp,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.6.0-dev+exp,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.6.0-dev+exp,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.6.0-dev+exp,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.6.0-dev+exp,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.6.0-dev+exp,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. 
+8.6.0-dev+exp,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.6.0-dev+exp,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. +8.6.0-dev+exp,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. +8.6.0-dev+exp,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. +8.6.0-dev+exp,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.6.0-dev+exp,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.6.0-dev+exp,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.6.0-dev+exp,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. +8.6.0-dev+exp,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.6.0-dev+exp,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.6.0-dev+exp,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.6.0-dev+exp,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.6.0-dev+exp,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.6.0-dev+exp,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. +8.6.0-dev+exp,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.6.0-dev+exp,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. +8.6.0-dev+exp,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.6.0-dev+exp,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.6.0-dev+exp,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." 
+8.6.0-dev+exp,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +8.6.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +8.6.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file. +8.6.0-dev+exp,true,file,file.hash.md5,keyword,extended,,,MD5 hash. +8.6.0-dev+exp,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. +8.6.0-dev+exp,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. +8.6.0-dev+exp,true,file,file.hash.sha384,keyword,extended,,,SHA384 hash. +8.6.0-dev+exp,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. +8.6.0-dev+exp,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.6.0-dev+exp,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. +8.6.0-dev+exp,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +8.6.0-dev+exp,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +8.6.0-dev+exp,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. +8.6.0-dev+exp,true,file,file.mtime,date,extended,,,Last time the file content was modified. +8.6.0-dev+exp,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +8.6.0-dev+exp,true,file,file.owner,keyword,extended,,alice,File owner's username. +8.6.0-dev+exp,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.6.0-dev+exp,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.6.0-dev+exp,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.6.0-dev+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 
+8.6.0-dev+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.6.0-dev+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.6.0-dev+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.6.0-dev+exp,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.6.0-dev+exp,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.6.0-dev+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.6.0-dev+exp,true,file,file.size,long,extended,,16384,File size in bytes. +8.6.0-dev+exp,true,file,file.target_path,keyword,extended,,,Target path for symlinks. +8.6.0-dev+exp,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. +8.6.0-dev+exp,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +8.6.0-dev+exp,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +8.6.0-dev+exp,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.6.0-dev+exp,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.6.0-dev+exp,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.6.0-dev+exp,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
+8.6.0-dev+exp,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.6.0-dev+exp,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.6.0-dev+exp,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.6.0-dev+exp,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.6.0-dev+exp,true,file,file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.6.0-dev+exp,true,file,file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.6.0-dev+exp,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.6.0-dev+exp,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.6.0-dev+exp,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.6.0-dev+exp,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.6.0-dev+exp,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.6.0-dev+exp,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.6.0-dev+exp,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
+8.6.0-dev+exp,true,file,file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.6.0-dev+exp,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.6.0-dev+exp,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.6.0-dev+exp,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.6.0-dev+exp,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.6.0-dev+exp,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.6.0-dev+exp,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. +8.6.0-dev+exp,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.6.0-dev+exp,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev+exp,true,group,group.name,keyword,extended,,,Name of the group. +8.6.0-dev+exp,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. +8.6.0-dev+exp,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id +8.6.0-dev+exp,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +8.6.0-dev+exp,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +8.6.0-dev+exp,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +8.6.0-dev+exp,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. +8.6.0-dev+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name. 
+8.6.0-dev+exp,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. +8.6.0-dev+exp,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. +8.6.0-dev+exp,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.6.0-dev+exp,true,host,host.geo.country_name,keyword,core,,Canada,Country name. +8.6.0-dev+exp,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.6.0-dev+exp,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.6.0-dev+exp,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. +8.6.0-dev+exp,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.6.0-dev+exp,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. +8.6.0-dev+exp,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.6.0-dev+exp,true,host,host.hostname,keyword,core,,,Hostname of the host. +8.6.0-dev+exp,true,host,host.id,keyword,core,,,Unique host id. +8.6.0-dev+exp,true,host,host.ip,ip,core,array,,Host ip addresses. +8.6.0-dev+exp,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. +8.6.0-dev+exp,true,host,host.name,keyword,core,,,Name of the host. +8.6.0-dev+exp,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +8.6.0-dev+exp,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. +8.6.0-dev+exp,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +8.6.0-dev+exp,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. +8.6.0-dev+exp,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 
+8.6.0-dev+exp,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.6.0-dev+exp,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.6.0-dev+exp,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +8.6.0-dev+exp,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +8.6.0-dev+exp,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +8.6.0-dev+exp,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +8.6.0-dev+exp,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." +8.6.0-dev+exp,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +8.6.0-dev+exp,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode +8.6.0-dev+exp,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.6.0-dev+exp,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.6.0-dev+exp,true,host,host.risk.calculated_score_norm,float,extended,,88.73,"A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100." +8.6.0-dev+exp,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 
+8.6.0-dev+exp,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.6.0-dev+exp,true,host,host.risk.static_score_norm,float,extended,,83.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100." +8.6.0-dev+exp,true,host,host.type,keyword,core,,,Type of host. +8.6.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. +8.6.0-dev+exp,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. +8.6.0-dev+exp,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. +8.6.0-dev+exp,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body. +8.6.0-dev+exp,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). +8.6.0-dev+exp,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. +8.6.0-dev+exp,true,http,http.request.method,keyword,extended,,POST,HTTP request method. +8.6.0-dev+exp,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. +8.6.0-dev+exp,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. +8.6.0-dev+exp,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. +8.6.0-dev+exp,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. +8.6.0-dev+exp,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body. +8.6.0-dev+exp,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). 
+8.6.0-dev+exp,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. +8.6.0-dev+exp,true,http,http.response.status_code,long,extended,,404,HTTP response status code. +8.6.0-dev+exp,true,http,http.version,keyword,extended,,1.1,HTTP version. +8.6.0-dev+exp,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. +8.6.0-dev+exp,true,log,log.level,keyword,core,,error,Log level of the log event. +8.6.0-dev+exp,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. +8.6.0-dev+exp,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event. +8.6.0-dev+exp,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. +8.6.0-dev+exp,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. +8.6.0-dev+exp,true,log,log.syslog,object,extended,,,Syslog metadata +8.6.0-dev+exp,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. +8.6.0-dev+exp,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. +8.6.0-dev+exp,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. +8.6.0-dev+exp,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. +8.6.0-dev+exp,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. +8.6.0-dev+exp,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. +8.6.0-dev+exp,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. +8.6.0-dev+exp,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. 
+8.6.0-dev+exp,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. +8.6.0-dev+exp,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages. +8.6.0-dev+exp,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. +8.6.0-dev+exp,true,network,network.application,keyword,extended,,aim,Application level protocol name. +8.6.0-dev+exp,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. +8.6.0-dev+exp,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. +8.6.0-dev+exp,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. +8.6.0-dev+exp,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. +8.6.0-dev+exp,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. +8.6.0-dev+exp,true,network,network.inner,object,extended,,,Inner VLAN tag information +8.6.0-dev+exp,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.6.0-dev+exp,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.6.0-dev+exp,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. +8.6.0-dev+exp,true,network,network.packets,long,core,,24,Total packets transferred in both directions. +8.6.0-dev+exp,true,network,network.protocol,keyword,core,,http,Application protocol name. +8.6.0-dev+exp,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. +8.6.0-dev+exp,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" +8.6.0-dev+exp,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. 
+8.6.0-dev+exp,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.6.0-dev+exp,true,observer,observer.egress,object,extended,,,Object field for egress information +8.6.0-dev+exp,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias +8.6.0-dev+exp,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID +8.6.0-dev+exp,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name +8.6.0-dev+exp,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.6.0-dev+exp,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.6.0-dev+exp,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone +8.6.0-dev+exp,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. +8.6.0-dev+exp,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. +8.6.0-dev+exp,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. +8.6.0-dev+exp,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.6.0-dev+exp,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. +8.6.0-dev+exp,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.6.0-dev+exp,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.6.0-dev+exp,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. +8.6.0-dev+exp,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.6.0-dev+exp,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. +8.6.0-dev+exp,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 
+8.6.0-dev+exp,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. +8.6.0-dev+exp,true,observer,observer.ingress,object,extended,,,Object field for ingress information +8.6.0-dev+exp,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias +8.6.0-dev+exp,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID +8.6.0-dev+exp,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name +8.6.0-dev+exp,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.6.0-dev+exp,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.6.0-dev+exp,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone +8.6.0-dev+exp,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. +8.6.0-dev+exp,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. +8.6.0-dev+exp,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. +8.6.0-dev+exp,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +8.6.0-dev+exp,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.6.0-dev+exp,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.6.0-dev+exp,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +8.6.0-dev+exp,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +8.6.0-dev+exp,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." 
+8.6.0-dev+exp,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +8.6.0-dev+exp,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." +8.6.0-dev+exp,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +8.6.0-dev+exp,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. +8.6.0-dev+exp,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. +8.6.0-dev+exp,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. +8.6.0-dev+exp,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. +8.6.0-dev+exp,true,observer,observer.version,keyword,core,,,Observer version. +8.6.0-dev+exp,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action +8.6.0-dev+exp,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster. +8.6.0-dev+exp,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster. +8.6.0-dev+exp,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster. +8.6.0-dev+exp,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. +8.6.0-dev+exp,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. +8.6.0-dev+exp,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). +8.6.0-dev+exp,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. 
+8.6.0-dev+exp,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. +8.6.0-dev+exp,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. +8.6.0-dev+exp,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. +8.6.0-dev+exp,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. +8.6.0-dev+exp,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)." +8.6.0-dev+exp,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. +8.6.0-dev+exp,true,organization,organization.name,keyword,extended,,,Organization name. +8.6.0-dev+exp,true,organization,organization.name.text,match_only_text,extended,,,Organization name. +8.6.0-dev+exp,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. +8.6.0-dev+exp,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information +8.6.0-dev+exp,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. +8.6.0-dev+exp,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. +8.6.0-dev+exp,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." +8.6.0-dev+exp,true,package,package.installed,date,extended,,,Time when package was installed. 
+8.6.0-dev+exp,true,package,package.license,keyword,extended,,Apache License 2.0,Package license +8.6.0-dev+exp,true,package,package.name,keyword,extended,,go,Package name +8.6.0-dev+exp,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. +8.6.0-dev+exp,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL +8.6.0-dev+exp,true,package,package.size,long,extended,,62231,Package size in bytes. +8.6.0-dev+exp,true,package,package.type,keyword,extended,,rpm,Package type +8.6.0-dev+exp,true,package,package.version,keyword,extended,,1.12.9,Package version +8.6.0-dev+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.6.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array. +8.6.0-dev+exp,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.6.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.6.0-dev+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.6.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.6.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.6.0-dev+exp,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.6.0-dev+exp,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.6.0-dev+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 
+8.6.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.6.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.6.0-dev+exp,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.6.0-dev+exp,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.6.0-dev+exp,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.6.0-dev+exp,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.6.0-dev+exp,true,process,process.elf.creation_date,date,extended,,,Build or compile date. +8.6.0-dev+exp,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. +8.6.0-dev+exp,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.6.0-dev+exp,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.6.0-dev+exp,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.6.0-dev+exp,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.6.0-dev+exp,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.6.0-dev+exp,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.6.0-dev+exp,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.6.0-dev+exp,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. +8.6.0-dev+exp,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. 
+8.6.0-dev+exp,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. +8.6.0-dev+exp,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.6.0-dev+exp,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.6.0-dev+exp,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.6.0-dev+exp,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. +8.6.0-dev+exp,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.6.0-dev+exp,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.6.0-dev+exp,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. +8.6.0-dev+exp,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.6.0-dev+exp,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.6.0-dev+exp,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. +8.6.0-dev+exp,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.6.0-dev+exp,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. +8.6.0-dev+exp,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.6.0-dev+exp,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.6.0-dev+exp,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +8.6.0-dev+exp,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.6.0-dev+exp,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 
+8.6.0-dev+exp,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. +8.6.0-dev+exp,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.6.0-dev+exp,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.6.0-dev+exp,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.6.0-dev+exp,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. +8.6.0-dev+exp,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. +8.6.0-dev+exp,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.6.0-dev+exp,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.6.0-dev+exp,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev+exp,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. +8.6.0-dev+exp,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.6.0-dev+exp,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. +8.6.0-dev+exp,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. +8.6.0-dev+exp,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.6.0-dev+exp,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. 
+8.6.0-dev+exp,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.6.0-dev+exp,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. +8.6.0-dev+exp,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.6.0-dev+exp,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.6.0-dev+exp,true,process,process.entry_leader.pid,long,core,,4242,Process id. +8.6.0-dev+exp,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev+exp,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. +8.6.0-dev+exp,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev+exp,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +8.6.0-dev+exp,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev+exp,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. +8.6.0-dev+exp,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev+exp,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. 
+8.6.0-dev+exp,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.6.0-dev+exp,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev+exp,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +8.6.0-dev+exp,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. +8.6.0-dev+exp,true,process,process.entry_leader.tty.char_device.major,long,extended,,1,The TTY character device's major number. +8.6.0-dev+exp,true,process,process.entry_leader.tty.char_device.minor,long,extended,,128,The TTY character device's minor number. +8.6.0-dev+exp,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev+exp,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.6.0-dev+exp,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.6.0-dev+exp,true,process,process.env_vars,object,extended,,"{""USER"": ""elastic"",""LANG"": ""en_US.UTF-8"",""HOME"": ""/home/elastic""}",Environment variables set at the time of the event. +8.6.0-dev+exp,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 
+8.6.0-dev+exp,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.6.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process. +8.6.0-dev+exp,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.6.0-dev+exp,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. +8.6.0-dev+exp,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.6.0-dev+exp,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.6.0-dev+exp,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.6.0-dev+exp,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.6.0-dev+exp,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.6.0-dev+exp,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev+exp,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. +8.6.0-dev+exp,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.6.0-dev+exp,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. +8.6.0-dev+exp,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. +8.6.0-dev+exp,true,process,process.group_leader.pid,long,core,,4242,Process id. 
+8.6.0-dev+exp,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev+exp,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. +8.6.0-dev+exp,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev+exp,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +8.6.0-dev+exp,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev+exp,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. +8.6.0-dev+exp,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev+exp,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.6.0-dev+exp,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev+exp,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +8.6.0-dev+exp,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. 
+8.6.0-dev+exp,true,process,process.group_leader.tty.char_device.major,long,extended,,1,The TTY character device's major number. +8.6.0-dev+exp,true,process,process.group_leader.tty.char_device.minor,long,extended,,128,The TTY character device's minor number. +8.6.0-dev+exp,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev+exp,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.6.0-dev+exp,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.6.0-dev+exp,true,process,process.hash.md5,keyword,extended,,,MD5 hash. +8.6.0-dev+exp,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. +8.6.0-dev+exp,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. +8.6.0-dev+exp,true,process,process.hash.sha384,keyword,extended,,,SHA384 hash. +8.6.0-dev+exp,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. +8.6.0-dev+exp,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.6.0-dev+exp,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. +8.6.0-dev+exp,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.6.0-dev+exp,true,process,process.name,keyword,extended,,ssh,Process name. +8.6.0-dev+exp,true,process,process.name.text,match_only_text,extended,,ssh,Process name. +8.6.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 
+8.6.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. +8.6.0-dev+exp,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.6.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.6.0-dev+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.6.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.6.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.6.0-dev+exp,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.6.0-dev+exp,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.6.0-dev+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.6.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.6.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.6.0-dev+exp,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.6.0-dev+exp,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.6.0-dev+exp,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. 
+8.6.0-dev+exp,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.6.0-dev+exp,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. +8.6.0-dev+exp,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. +8.6.0-dev+exp,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.6.0-dev+exp,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.6.0-dev+exp,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.6.0-dev+exp,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.6.0-dev+exp,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.6.0-dev+exp,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.6.0-dev+exp,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.6.0-dev+exp,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. +8.6.0-dev+exp,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. +8.6.0-dev+exp,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. +8.6.0-dev+exp,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.6.0-dev+exp,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.6.0-dev+exp,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.6.0-dev+exp,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. 
+8.6.0-dev+exp,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.6.0-dev+exp,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.6.0-dev+exp,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. +8.6.0-dev+exp,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.6.0-dev+exp,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.6.0-dev+exp,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. +8.6.0-dev+exp,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.6.0-dev+exp,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. +8.6.0-dev+exp,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.6.0-dev+exp,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.6.0-dev+exp,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +8.6.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.6.0-dev+exp,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.6.0-dev+exp,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.6.0-dev+exp,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. +8.6.0-dev+exp,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev+exp,true,process,process.parent.group.name,keyword,extended,,,Name of the group. 
+8.6.0-dev+exp,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.6.0-dev+exp,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. +8.6.0-dev+exp,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.6.0-dev+exp,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. +8.6.0-dev+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. +8.6.0-dev+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. +8.6.0-dev+exp,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash. +8.6.0-dev+exp,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. +8.6.0-dev+exp,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.6.0-dev+exp,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. +8.6.0-dev+exp,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.6.0-dev+exp,true,process,process.parent.name,keyword,extended,,ssh,Process name. +8.6.0-dev+exp,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. +8.6.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.6.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.6.0-dev+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.6.0-dev+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.6.0-dev+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. 
+8.6.0-dev+exp,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.6.0-dev+exp,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.6.0-dev+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.6.0-dev+exp,true,process,process.parent.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. +8.6.0-dev+exp,true,process,process.parent.pid,long,core,,4242,Process id. +8.6.0-dev+exp,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev+exp,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. +8.6.0-dev+exp,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev+exp,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev+exp,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group. +8.6.0-dev+exp,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev+exp,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
+8.6.0-dev+exp,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.6.0-dev+exp,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev+exp,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. +8.6.0-dev+exp,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. +8.6.0-dev+exp,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. +8.6.0-dev+exp,true,process,process.parent.title,keyword,extended,,,Process title. +8.6.0-dev+exp,true,process,process.parent.title.text,match_only_text,extended,,,Process title. +8.6.0-dev+exp,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. +8.6.0-dev+exp,true,process,process.parent.tty.char_device.major,long,extended,,1,The TTY character device's major number. +8.6.0-dev+exp,true,process,process.parent.tty.char_device.minor,long,extended,,128,The TTY character device's minor number. +8.6.0-dev+exp,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. +8.6.0-dev+exp,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev+exp,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.6.0-dev+exp,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.6.0-dev+exp,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 
+8.6.0-dev+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.6.0-dev+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.6.0-dev+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.6.0-dev+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.6.0-dev+exp,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.6.0-dev+exp,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.6.0-dev+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.6.0-dev+exp,true,process,process.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. +8.6.0-dev+exp,true,process,process.pid,long,core,,4242,Process id. +8.6.0-dev+exp,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.6.0-dev+exp,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. +8.6.0-dev+exp,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.6.0-dev+exp,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.6.0-dev+exp,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev+exp,true,process,process.real_group.name,keyword,extended,,,Name of the group. 
+8.6.0-dev+exp,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev+exp,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev+exp,true,process,process.saved_group.name,keyword,extended,,,Name of the group. +8.6.0-dev+exp,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev+exp,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.6.0-dev+exp,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array. +8.6.0-dev+exp,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.6.0-dev+exp,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.6.0-dev+exp,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.6.0-dev+exp,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.6.0-dev+exp,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 
+8.6.0-dev+exp,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev+exp,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. +8.6.0-dev+exp,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.6.0-dev+exp,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. +8.6.0-dev+exp,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. +8.6.0-dev+exp,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.6.0-dev+exp,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. +8.6.0-dev+exp,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.6.0-dev+exp,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. +8.6.0-dev+exp,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.6.0-dev+exp,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.6.0-dev+exp,true,process,process.session_leader.pid,long,core,,4242,Process id. +8.6.0-dev+exp,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev+exp,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. +8.6.0-dev+exp,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev+exp,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. 
+8.6.0-dev+exp,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +8.6.0-dev+exp,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev+exp,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group. +8.6.0-dev+exp,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev+exp,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.6.0-dev+exp,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev+exp,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +8.6.0-dev+exp,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. +8.6.0-dev+exp,true,process,process.session_leader.tty.char_device.major,long,extended,,1,The TTY character device's major number. +8.6.0-dev+exp,true,process,process.session_leader.tty.char_device.minor,long,extended,,128,The TTY character device's minor number. +8.6.0-dev+exp,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
+8.6.0-dev+exp,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.6.0-dev+exp,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.6.0-dev+exp,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.6.0-dev+exp,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev+exp,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. +8.6.0-dev+exp,true,process,process.thread.id,long,extended,,4242,Thread ID. +8.6.0-dev+exp,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. +8.6.0-dev+exp,true,process,process.title,keyword,extended,,,Process title. +8.6.0-dev+exp,true,process,process.title.text,match_only_text,extended,,,Process title. +8.6.0-dev+exp,true,process,process.tty,object,extended,,,Information about the controlling TTY device. +8.6.0-dev+exp,true,process,process.tty.char_device.major,long,extended,,1,The TTY character device's major number. +8.6.0-dev+exp,true,process,process.tty.char_device.minor,long,extended,,128,The TTY character device's minor number. +8.6.0-dev+exp,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. +8.6.0-dev+exp,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev+exp,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. 
+8.6.0-dev+exp,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.6.0-dev+exp,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.6.0-dev+exp,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +8.6.0-dev+exp,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +8.6.0-dev+exp,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +8.6.0-dev+exp,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +8.6.0-dev+exp,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +8.6.0-dev+exp,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +8.6.0-dev+exp,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. +8.6.0-dev+exp,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. +8.6.0-dev+exp,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. +8.6.0-dev+exp,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. +8.6.0-dev+exp,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. 
+8.6.0-dev+exp,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author +8.6.0-dev+exp,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category +8.6.0-dev+exp,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description +8.6.0-dev+exp,true,rule,rule.id,keyword,extended,,101,Rule ID +8.6.0-dev+exp,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license +8.6.0-dev+exp,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name +8.6.0-dev+exp,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL +8.6.0-dev+exp,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset +8.6.0-dev+exp,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID +8.6.0-dev+exp,true,rule,rule.version,keyword,extended,,1.1,Rule version +8.6.0-dev+exp,true,server,server.address,keyword,extended,,,Server network address. +8.6.0-dev+exp,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.6.0-dev+exp,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.6.0-dev+exp,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.6.0-dev+exp,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. +8.6.0-dev+exp,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server. +8.6.0-dev+exp,true,server,server.geo.city_name,keyword,core,,Montreal,City name. +8.6.0-dev+exp,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. +8.6.0-dev+exp,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. +8.6.0-dev+exp,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.6.0-dev+exp,true,server,server.geo.country_name,keyword,core,,Canada,Country name. 
+8.6.0-dev+exp,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.6.0-dev+exp,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.6.0-dev+exp,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. +8.6.0-dev+exp,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.6.0-dev+exp,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. +8.6.0-dev+exp,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.6.0-dev+exp,true,server,server.ip,ip,core,,,IP address of the server. +8.6.0-dev+exp,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. +8.6.0-dev+exp,true,server,server.nat.ip,ip,extended,,,Server NAT ip +8.6.0-dev+exp,true,server,server.nat.port,long,extended,,,Server NAT port +8.6.0-dev+exp,true,server,server.packets,long,core,,12,Packets sent from the server to the client. +8.6.0-dev+exp,true,server,server.port,long,core,,,Port of the server. +8.6.0-dev+exp,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." +8.6.0-dev+exp,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. +8.6.0-dev+exp,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.6.0-dev+exp,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.6.0-dev+exp,true,server,server.user.email,keyword,extended,,,User email address. +8.6.0-dev+exp,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.6.0-dev+exp,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
+8.6.0-dev+exp,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.6.0-dev+exp,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev+exp,true,server,server.user.group.name,keyword,extended,,,Name of the group. +8.6.0-dev+exp,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.6.0-dev+exp,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev+exp,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.6.0-dev+exp,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. +8.6.0-dev+exp,true,service,service.environment,keyword,extended,,production,Environment of the service. +8.6.0-dev+exp,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +8.6.0-dev+exp,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +8.6.0-dev+exp,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. +8.6.0-dev+exp,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. +8.6.0-dev+exp,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +8.6.0-dev+exp,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. 
+8.6.0-dev+exp,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. +8.6.0-dev+exp,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. +8.6.0-dev+exp,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +8.6.0-dev+exp,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +8.6.0-dev+exp,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. +8.6.0-dev+exp,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. +8.6.0-dev+exp,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +8.6.0-dev+exp,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +8.6.0-dev+exp,true,service,service.origin.state,keyword,core,,,Current state of the service. +8.6.0-dev+exp,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. +8.6.0-dev+exp,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. +8.6.0-dev+exp,true,service,service.state,keyword,core,,,Current state of the service. +8.6.0-dev+exp,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service. +8.6.0-dev+exp,true,service,service.target.environment,keyword,extended,,production,Environment of the service. +8.6.0-dev+exp,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +8.6.0-dev+exp,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +8.6.0-dev+exp,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. 
+8.6.0-dev+exp,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. +8.6.0-dev+exp,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +8.6.0-dev+exp,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +8.6.0-dev+exp,true,service,service.target.state,keyword,core,,,Current state of the service. +8.6.0-dev+exp,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. +8.6.0-dev+exp,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. +8.6.0-dev+exp,true,service,service.type,keyword,core,,elasticsearch,The type of the service. +8.6.0-dev+exp,true,service,service.version,keyword,core,,3.2.4,Version of the service. +8.6.0-dev+exp,true,source,source.address,keyword,extended,,,Source network address. +8.6.0-dev+exp,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.6.0-dev+exp,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.6.0-dev+exp,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.6.0-dev+exp,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. +8.6.0-dev+exp,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source. +8.6.0-dev+exp,true,source,source.geo.city_name,keyword,core,,Montreal,City name. +8.6.0-dev+exp,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. +8.6.0-dev+exp,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. +8.6.0-dev+exp,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.6.0-dev+exp,true,source,source.geo.country_name,keyword,core,,Canada,Country name. 
+8.6.0-dev+exp,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.6.0-dev+exp,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.6.0-dev+exp,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. +8.6.0-dev+exp,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.6.0-dev+exp,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. +8.6.0-dev+exp,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.6.0-dev+exp,true,source,source.ip,ip,core,,,IP address of the source. +8.6.0-dev+exp,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +8.6.0-dev+exp,true,source,source.nat.ip,ip,extended,,,Source NAT ip +8.6.0-dev+exp,true,source,source.nat.port,long,extended,,,Source NAT port +8.6.0-dev+exp,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. +8.6.0-dev+exp,true,source,source.port,long,core,,,Port of the source. +8.6.0-dev+exp,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +8.6.0-dev+exp,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. +8.6.0-dev+exp,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.6.0-dev+exp,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.6.0-dev+exp,true,source,source.user.email,keyword,extended,,,User email address. +8.6.0-dev+exp,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.6.0-dev+exp,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
+8.6.0-dev+exp,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.6.0-dev+exp,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev+exp,true,source,source.user.group.name,keyword,extended,,,Name of the group. +8.6.0-dev+exp,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.6.0-dev+exp,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev+exp,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.6.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. +8.6.0-dev+exp,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. 
+8.6.0-dev+exp,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 
+8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. 
+8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. 
+8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. 
+8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 
+8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
+8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.6.0-dev+exp,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. 
+8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. 
+8.6.0-dev+exp,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,WHITE,Indicator TLP marking +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. 
+8.6.0-dev+exp,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. 
+8.6.0-dev+exp,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. 
+8.6.0-dev+exp,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. 
+8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.6.0-dev+exp,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. 
+8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. +8.6.0-dev+exp,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value +8.6.0-dev+exp,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field +8.6.0-dev+exp,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier +8.6.0-dev+exp,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index +8.6.0-dev+exp,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05T17:00:58.326Z,Date of match +8.6.0-dev+exp,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match +8.6.0-dev+exp,true,threat,threat.feed.dashboard_id,keyword,extended,,5ba16340-72e6-11eb-a3e3-b3cc7c78a70f,Feed dashboard ID. +8.6.0-dev+exp,true,threat,threat.feed.description,keyword,extended,,Threat feed from the AlienVault Open Threat eXchange network.,Description of the threat feed. +8.6.0-dev+exp,true,threat,threat.feed.name,keyword,extended,,AlienVault OTX,Name of the threat feed. +8.6.0-dev+exp,true,threat,threat.feed.reference,keyword,extended,,https://otx.alienvault.com,Reference for the threat feed. +8.6.0-dev+exp,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. +8.6.0-dev+exp,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. 
+8.6.0-dev+exp,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. +8.6.0-dev+exp,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. +8.6.0-dev+exp,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. +8.6.0-dev+exp,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.6.0-dev+exp,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.6.0-dev+exp,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.6.0-dev+exp,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating +8.6.0-dev+exp,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +8.6.0-dev+exp,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +8.6.0-dev+exp,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. +8.6.0-dev+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +8.6.0-dev+exp,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.6.0-dev+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.6.0-dev+exp,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.6.0-dev+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
+8.6.0-dev+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.6.0-dev+exp,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.6.0-dev+exp,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.6.0-dev+exp,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.6.0-dev+exp,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.6.0-dev+exp,true,threat,threat.indicator.file.created,date,extended,,,File creation time. +8.6.0-dev+exp,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +8.6.0-dev+exp,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +8.6.0-dev+exp,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +8.6.0-dev+exp,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +8.6.0-dev+exp,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.6.0-dev+exp,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.6.0-dev+exp,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.6.0-dev+exp,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +8.6.0-dev+exp,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. 
+8.6.0-dev+exp,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.6.0-dev+exp,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.6.0-dev+exp,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.6.0-dev+exp,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.6.0-dev+exp,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.6.0-dev+exp,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.6.0-dev+exp,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.6.0-dev+exp,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +8.6.0-dev+exp,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +8.6.0-dev+exp,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +8.6.0-dev+exp,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.6.0-dev+exp,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.6.0-dev+exp,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.6.0-dev+exp,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +8.6.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.6.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. 
+8.6.0-dev+exp,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.6.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.6.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.6.0-dev+exp,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. +8.6.0-dev+exp,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.6.0-dev+exp,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +8.6.0-dev+exp,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.6.0-dev+exp,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.6.0-dev+exp,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +8.6.0-dev+exp,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +8.6.0-dev+exp,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +8.6.0-dev+exp,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +8.6.0-dev+exp,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. +8.6.0-dev+exp,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. +8.6.0-dev+exp,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. +8.6.0-dev+exp,true,threat,threat.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. +8.6.0-dev+exp,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. 
+8.6.0-dev+exp,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.6.0-dev+exp,true,threat,threat.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. +8.6.0-dev+exp,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +8.6.0-dev+exp,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +8.6.0-dev+exp,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +8.6.0-dev+exp,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. +8.6.0-dev+exp,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +8.6.0-dev+exp,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. +8.6.0-dev+exp,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.6.0-dev+exp,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.6.0-dev+exp,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.6.0-dev+exp,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.6.0-dev+exp,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.6.0-dev+exp,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.6.0-dev+exp,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. 
+8.6.0-dev+exp,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.6.0-dev+exp,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.6.0-dev+exp,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.6.0-dev+exp,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. +8.6.0-dev+exp,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +8.6.0-dev+exp,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. +8.6.0-dev+exp,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +8.6.0-dev+exp,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +8.6.0-dev+exp,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.6.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.6.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.6.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
+8.6.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.6.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.6.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.6.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.6.0-dev+exp,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.6.0-dev+exp,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.6.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.6.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.6.0-dev+exp,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.6.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.6.0-dev+exp,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.6.0-dev+exp,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. 
+8.6.0-dev+exp,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.6.0-dev+exp,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.6.0-dev+exp,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.6.0-dev+exp,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.6.0-dev+exp,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.6.0-dev+exp,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.6.0-dev+exp,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.6.0-dev+exp,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. +8.6.0-dev+exp,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +8.6.0-dev+exp,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. +8.6.0-dev+exp,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. +8.6.0-dev+exp,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +8.6.0-dev+exp,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.6.0-dev+exp,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. 
+8.6.0-dev+exp,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.6.0-dev+exp,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.6.0-dev+exp,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. +8.6.0-dev+exp,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.6.0-dev+exp,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. +8.6.0-dev+exp,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.6.0-dev+exp,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +8.6.0-dev+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +8.6.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,WHITE,Indicator TLP marking +8.6.0-dev+exp,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. +8.6.0-dev+exp,true,threat,threat.indicator.port,long,extended,,443,Indicator port +8.6.0-dev+exp,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +8.6.0-dev+exp,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +8.6.0-dev+exp,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +8.6.0-dev+exp,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. 
+8.6.0-dev+exp,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +8.6.0-dev+exp,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +8.6.0-dev+exp,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +8.6.0-dev+exp,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +8.6.0-dev+exp,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. +8.6.0-dev+exp,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics +8.6.0-dev+exp,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed +8.6.0-dev+exp,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +8.6.0-dev+exp,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +8.6.0-dev+exp,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +8.6.0-dev+exp,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +8.6.0-dev+exp,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.6.0-dev+exp,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.6.0-dev+exp,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. 
+8.6.0-dev+exp,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.6.0-dev+exp,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. +8.6.0-dev+exp,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +8.6.0-dev+exp,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." +8.6.0-dev+exp,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. +8.6.0-dev+exp,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +8.6.0-dev+exp,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +8.6.0-dev+exp,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +8.6.0-dev+exp,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.6.0-dev+exp,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. +8.6.0-dev+exp,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.6.0-dev+exp,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.6.0-dev+exp,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.6.0-dev+exp,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
+8.6.0-dev+exp,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.6.0-dev+exp,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.6.0-dev+exp,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.6.0-dev+exp,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.6.0-dev+exp,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.6.0-dev+exp,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.6.0-dev+exp,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.6.0-dev+exp,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.6.0-dev+exp,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.6.0-dev+exp,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.6.0-dev+exp,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.6.0-dev+exp,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. 
+8.6.0-dev+exp,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.6.0-dev+exp,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.6.0-dev+exp,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.6.0-dev+exp,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.6.0-dev+exp,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.6.0-dev+exp,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.6.0-dev+exp,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.6.0-dev+exp,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. +8.6.0-dev+exp,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software +8.6.0-dev+exp,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software +8.6.0-dev+exp,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. +8.6.0-dev+exp,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. +8.6.0-dev+exp,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. +8.6.0-dev+exp,true,threat,threat.software.type,keyword,extended,,Tool,Software type. +8.6.0-dev+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. 
+8.6.0-dev+exp,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. +8.6.0-dev+exp,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. +8.6.0-dev+exp,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. +8.6.0-dev+exp,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. +8.6.0-dev+exp,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name. +8.6.0-dev+exp,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. +8.6.0-dev+exp,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. +8.6.0-dev+exp,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. +8.6.0-dev+exp,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name. +8.6.0-dev+exp,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. +8.6.0-dev+exp,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. +8.6.0-dev+exp,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. +8.6.0-dev+exp,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. +8.6.0-dev+exp,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. 
+8.6.0-dev+exp,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. +8.6.0-dev+exp,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. +8.6.0-dev+exp,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. +8.6.0-dev+exp,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. +8.6.0-dev+exp,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. +8.6.0-dev+exp,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. +8.6.0-dev+exp,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. +8.6.0-dev+exp,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. +8.6.0-dev+exp,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. +8.6.0-dev+exp,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
+8.6.0-dev+exp,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.6.0-dev+exp,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.6.0-dev+exp,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.6.0-dev+exp,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.6.0-dev+exp,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.6.0-dev+exp,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.6.0-dev+exp,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.6.0-dev+exp,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.6.0-dev+exp,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.6.0-dev+exp,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.6.0-dev+exp,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.6.0-dev+exp,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.6.0-dev+exp,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. 
+8.6.0-dev+exp,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.6.0-dev+exp,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.6.0-dev+exp,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.6.0-dev+exp,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.6.0-dev+exp,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.6.0-dev+exp,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.6.0-dev+exp,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.6.0-dev+exp,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.6.0-dev+exp,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.6.0-dev+exp,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. +8.6.0-dev+exp,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." +8.6.0-dev+exp,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +8.6.0-dev+exp,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. +8.6.0-dev+exp,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. 
+8.6.0-dev+exp,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. +8.6.0-dev+exp,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. +8.6.0-dev+exp,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. +8.6.0-dev+exp,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. +8.6.0-dev+exp,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. +8.6.0-dev+exp,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. +8.6.0-dev+exp,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. +8.6.0-dev+exp,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. +8.6.0-dev+exp,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. +8.6.0-dev+exp,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. +8.6.0-dev+exp,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
+8.6.0-dev+exp,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.6.0-dev+exp,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.6.0-dev+exp,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.6.0-dev+exp,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.6.0-dev+exp,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.6.0-dev+exp,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.6.0-dev+exp,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.6.0-dev+exp,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.6.0-dev+exp,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.6.0-dev+exp,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.6.0-dev+exp,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.6.0-dev+exp,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.6.0-dev+exp,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. 
+8.6.0-dev+exp,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.6.0-dev+exp,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.6.0-dev+exp,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.6.0-dev+exp,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.6.0-dev+exp,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.6.0-dev+exp,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.6.0-dev+exp,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.6.0-dev+exp,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.6.0-dev+exp,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.6.0-dev+exp,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. +8.6.0-dev+exp,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. +8.6.0-dev+exp,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. +8.6.0-dev+exp,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. +8.6.0-dev+exp,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. 
+8.6.0-dev+exp,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. +8.6.0-dev+exp,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +8.6.0-dev+exp,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. +8.6.0-dev+exp,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.6.0-dev+exp,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.6.0-dev+exp,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.6.0-dev+exp,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.6.0-dev+exp,true,url,url.password,keyword,extended,,,Password of the request. +8.6.0-dev+exp,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +8.6.0-dev+exp,true,url,url.port,long,extended,,443,"Port of the request, such as 443." +8.6.0-dev+exp,true,url,url.query,keyword,extended,,,Query string of the request. +8.6.0-dev+exp,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +8.6.0-dev+exp,true,url,url.scheme,keyword,extended,,https,Scheme of the url. +8.6.0-dev+exp,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. +8.6.0-dev+exp,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.6.0-dev+exp,true,url,url.username,keyword,extended,,,Username of the request. +8.6.0-dev+exp,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. 
+8.6.0-dev+exp,true,user,user.changes.email,keyword,extended,,,User email address. +8.6.0-dev+exp,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.6.0-dev+exp,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.6.0-dev+exp,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.6.0-dev+exp,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev+exp,true,user,user.changes.group.name,keyword,extended,,,Name of the group. +8.6.0-dev+exp,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.6.0-dev+exp,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev+exp,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,user,user.changes.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.6.0-dev+exp,true,user,user.changes.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.6.0-dev+exp,true,user,user.changes.risk.calculated_score_norm,float,extended,,88.73,"A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100." +8.6.0-dev+exp,true,user,user.changes.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 
+8.6.0-dev+exp,true,user,user.changes.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.6.0-dev+exp,true,user,user.changes.risk.static_score_norm,float,extended,,83.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100." +8.6.0-dev+exp,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.6.0-dev+exp,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.6.0-dev+exp,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. +8.6.0-dev+exp,true,user,user.effective.email,keyword,extended,,,User email address. +8.6.0-dev+exp,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.6.0-dev+exp,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.6.0-dev+exp,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.6.0-dev+exp,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev+exp,true,user,user.effective.group.name,keyword,extended,,,Name of the group. +8.6.0-dev+exp,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.6.0-dev+exp,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev+exp,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
+8.6.0-dev+exp,true,user,user.effective.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.6.0-dev+exp,true,user,user.effective.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.6.0-dev+exp,true,user,user.effective.risk.calculated_score_norm,float,extended,,88.73,"A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100." +8.6.0-dev+exp,true,user,user.effective.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.6.0-dev+exp,true,user,user.effective.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.6.0-dev+exp,true,user,user.effective.risk.static_score_norm,float,extended,,83.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100." +8.6.0-dev+exp,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.6.0-dev+exp,true,user,user.email,keyword,extended,,,User email address. +8.6.0-dev+exp,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.6.0-dev+exp,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.6.0-dev+exp,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.6.0-dev+exp,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+8.6.0-dev+exp,true,user,user.group.name,keyword,extended,,,Name of the group. +8.6.0-dev+exp,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.6.0-dev+exp,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev+exp,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.6.0-dev+exp,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.6.0-dev+exp,true,user,user.risk.calculated_score_norm,float,extended,,88.73,"A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100." +8.6.0-dev+exp,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.6.0-dev+exp,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.6.0-dev+exp,true,user,user.risk.static_score_norm,float,extended,,83.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100." +8.6.0-dev+exp,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 
+8.6.0-dev+exp,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. +8.6.0-dev+exp,true,user,user.target.email,keyword,extended,,,User email address. +8.6.0-dev+exp,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.6.0-dev+exp,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.6.0-dev+exp,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.6.0-dev+exp,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev+exp,true,user,user.target.group.name,keyword,extended,,,Name of the group. +8.6.0-dev+exp,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.6.0-dev+exp,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev+exp,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,user,user.target.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.6.0-dev+exp,true,user,user.target.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.6.0-dev+exp,true,user,user.target.risk.calculated_score_norm,float,extended,,88.73,"A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100." 
+8.6.0-dev+exp,true,user,user.target.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.6.0-dev+exp,true,user,user.target.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.6.0-dev+exp,true,user,user.target.risk.static_score_norm,float,extended,,83.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100." +8.6.0-dev+exp,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.6.0-dev+exp,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. +8.6.0-dev+exp,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. +8.6.0-dev+exp,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +8.6.0-dev+exp,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +8.6.0-dev+exp,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +8.6.0-dev+exp,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.6.0-dev+exp,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 
+8.6.0-dev+exp,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +8.6.0-dev+exp,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +8.6.0-dev+exp,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +8.6.0-dev+exp,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +8.6.0-dev+exp,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." +8.6.0-dev+exp,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +8.6.0-dev+exp,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. +8.6.0-dev+exp,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. +8.6.0-dev+exp,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. +8.6.0-dev+exp,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +8.6.0-dev+exp,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +8.6.0-dev+exp,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. +8.6.0-dev+exp,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. +8.6.0-dev+exp,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. 
+8.6.0-dev+exp,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. +8.6.0-dev+exp,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. +8.6.0-dev+exp,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. +8.6.0-dev+exp,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. +8.6.0-dev+exp,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. +8.6.0-dev+exp,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. +8.6.0-dev+exp,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. diff --git a/experimental/generated/elasticsearch/composable/component/agent.json b/experimental/generated/elasticsearch/composable/component/agent.json index dd0b319a01..d1b80be6d9 100644 --- a/experimental/generated/elasticsearch/composable/component/agent.json +++ b/experimental/generated/elasticsearch/composable/component/agent.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/base.json b/experimental/generated/elasticsearch/composable/component/base.json index 616f9eb392..03ba4f0971 100644 --- a/experimental/generated/elasticsearch/composable/component/base.json +++ b/experimental/generated/elasticsearch/composable/component/base.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/cgroup.json b/experimental/generated/elasticsearch/composable/component/cgroup.json index 2858a47dcd..0a5fae57ad 100644 --- a/experimental/generated/elasticsearch/composable/component/cgroup.json +++ b/experimental/generated/elasticsearch/composable/component/cgroup.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cgroup.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/client.json b/experimental/generated/elasticsearch/composable/component/client.json index 0e4ac4799a..355ba5edb7 100644 --- a/experimental/generated/elasticsearch/composable/component/client.json +++ b/experimental/generated/elasticsearch/composable/component/client.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/cloud.json b/experimental/generated/elasticsearch/composable/component/cloud.json index a47bf43b3a..42b4ff42ec 100644 --- a/experimental/generated/elasticsearch/composable/component/cloud.json +++ b/experimental/generated/elasticsearch/composable/component/cloud.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cloud.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/container.json b/experimental/generated/elasticsearch/composable/component/container.json index e2e491f7f6..273e50282a 100644 --- a/experimental/generated/elasticsearch/composable/component/container.json +++ b/experimental/generated/elasticsearch/composable/component/container.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-container.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/data_stream.json b/experimental/generated/elasticsearch/composable/component/data_stream.json index b1ad1a760f..53279d3e89 100644 --- a/experimental/generated/elasticsearch/composable/component/data_stream.json +++ b/experimental/generated/elasticsearch/composable/component/data_stream.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-data_stream.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/destination.json b/experimental/generated/elasticsearch/composable/component/destination.json index b71371297c..487d9736bb 100644 --- a/experimental/generated/elasticsearch/composable/component/destination.json +++ b/experimental/generated/elasticsearch/composable/component/destination.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/dll.json b/experimental/generated/elasticsearch/composable/component/dll.json index 411d1579a8..232e902250 100644 --- a/experimental/generated/elasticsearch/composable/component/dll.json +++ b/experimental/generated/elasticsearch/composable/component/dll.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dll.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/dns.json b/experimental/generated/elasticsearch/composable/component/dns.json index 7340178127..dd4360329f 100644 --- a/experimental/generated/elasticsearch/composable/component/dns.json +++ b/experimental/generated/elasticsearch/composable/component/dns.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/ecs.json b/experimental/generated/elasticsearch/composable/component/ecs.json index 0bf4371551..2efa0bd8b5 100644 --- a/experimental/generated/elasticsearch/composable/component/ecs.json +++ b/experimental/generated/elasticsearch/composable/component/ecs.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/email.json b/experimental/generated/elasticsearch/composable/component/email.json index fb9daeca3a..c2e9766c02 100644 --- a/experimental/generated/elasticsearch/composable/component/email.json +++ b/experimental/generated/elasticsearch/composable/component/email.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-email.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/error.json b/experimental/generated/elasticsearch/composable/component/error.json index d40e94d096..679dfe6f64 100644 --- a/experimental/generated/elasticsearch/composable/component/error.json +++ b/experimental/generated/elasticsearch/composable/component/error.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-error.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/event.json b/experimental/generated/elasticsearch/composable/component/event.json index 4f5bd8ad86..f5660ca18c 100644 --- a/experimental/generated/elasticsearch/composable/component/event.json +++ b/experimental/generated/elasticsearch/composable/component/event.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/faas.json b/experimental/generated/elasticsearch/composable/component/faas.json index a67b6a6e9d..b54e3f0397 100644 --- a/experimental/generated/elasticsearch/composable/component/faas.json +++ b/experimental/generated/elasticsearch/composable/component/faas.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-faas.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/file.json b/experimental/generated/elasticsearch/composable/component/file.json index ceedfb1f43..f76c5592ac 100644 --- a/experimental/generated/elasticsearch/composable/component/file.json +++ b/experimental/generated/elasticsearch/composable/component/file.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/group.json b/experimental/generated/elasticsearch/composable/component/group.json index cb10ab34b8..78ec95ff47 100644 --- a/experimental/generated/elasticsearch/composable/component/group.json +++ b/experimental/generated/elasticsearch/composable/component/group.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-group.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/host.json b/experimental/generated/elasticsearch/composable/component/host.json index d29e1e413c..44a6bb8c4f 100644 --- a/experimental/generated/elasticsearch/composable/component/host.json +++ b/experimental/generated/elasticsearch/composable/component/host.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/http.json b/experimental/generated/elasticsearch/composable/component/http.json index 7ab5e47e9e..510e1a0266 100644 --- a/experimental/generated/elasticsearch/composable/component/http.json +++ b/experimental/generated/elasticsearch/composable/component/http.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/log.json b/experimental/generated/elasticsearch/composable/component/log.json index 7bb0437a44..811944e3d7 100644 --- a/experimental/generated/elasticsearch/composable/component/log.json +++ b/experimental/generated/elasticsearch/composable/component/log.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/network.json b/experimental/generated/elasticsearch/composable/component/network.json index b3af297429..2cc0892fee 100644 --- a/experimental/generated/elasticsearch/composable/component/network.json +++ b/experimental/generated/elasticsearch/composable/component/network.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/observer.json b/experimental/generated/elasticsearch/composable/component/observer.json index 737af5277c..57fc817539 100644 --- a/experimental/generated/elasticsearch/composable/component/observer.json +++ b/experimental/generated/elasticsearch/composable/component/observer.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/orchestrator.json b/experimental/generated/elasticsearch/composable/component/orchestrator.json index 1b13423c7c..61237f7aac 100644 --- a/experimental/generated/elasticsearch/composable/component/orchestrator.json +++ b/experimental/generated/elasticsearch/composable/component/orchestrator.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-orchestrator.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/organization.json b/experimental/generated/elasticsearch/composable/component/organization.json index dc78f3d5f8..9e610f8120 100644 --- a/experimental/generated/elasticsearch/composable/component/organization.json +++ b/experimental/generated/elasticsearch/composable/component/organization.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-organization.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/package.json b/experimental/generated/elasticsearch/composable/component/package.json index f01cdc14f5..2cd39d5eee 100644 --- a/experimental/generated/elasticsearch/composable/component/package.json +++ b/experimental/generated/elasticsearch/composable/component/package.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-package.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/process.json b/experimental/generated/elasticsearch/composable/component/process.json index b8e5239485..b480c995e8 100644 --- a/experimental/generated/elasticsearch/composable/component/process.json +++ b/experimental/generated/elasticsearch/composable/component/process.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/registry.json b/experimental/generated/elasticsearch/composable/component/registry.json index 2553c20fad..9e43ea6de0 100644 --- a/experimental/generated/elasticsearch/composable/component/registry.json 
+++ b/experimental/generated/elasticsearch/composable/component/registry.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-registry.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/related.json b/experimental/generated/elasticsearch/composable/component/related.json index 70522dae0a..51e5f16a6a 100644 --- a/experimental/generated/elasticsearch/composable/component/related.json +++ b/experimental/generated/elasticsearch/composable/component/related.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-related.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/rule.json b/experimental/generated/elasticsearch/composable/component/rule.json index eb714161e7..a51be09c6a 100644 --- a/experimental/generated/elasticsearch/composable/component/rule.json +++ b/experimental/generated/elasticsearch/composable/component/rule.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/server.json b/experimental/generated/elasticsearch/composable/component/server.json index 72c80f65ba..281a2d37a4 100644 --- a/experimental/generated/elasticsearch/composable/component/server.json +++ b/experimental/generated/elasticsearch/composable/component/server.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/service.json b/experimental/generated/elasticsearch/composable/component/service.json index bf155139f1..b517b95754 100644 --- a/experimental/generated/elasticsearch/composable/component/service.json +++ b/experimental/generated/elasticsearch/composable/component/service.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/source.json b/experimental/generated/elasticsearch/composable/component/source.json index bbcfaa1619..06d1f03fd6 100644 --- a/experimental/generated/elasticsearch/composable/component/source.json +++ b/experimental/generated/elasticsearch/composable/component/source.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/threat.json b/experimental/generated/elasticsearch/composable/component/threat.json index d598a1801b..920b924d79 100644 --- a/experimental/generated/elasticsearch/composable/component/threat.json +++ b/experimental/generated/elasticsearch/composable/component/threat.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-threat.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/tls.json b/experimental/generated/elasticsearch/composable/component/tls.json index f4e03678a2..66c4dd082a 100644 --- a/experimental/generated/elasticsearch/composable/component/tls.json +++ b/experimental/generated/elasticsearch/composable/component/tls.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tls.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/tracing.json b/experimental/generated/elasticsearch/composable/component/tracing.json index c2ee0b99eb..27090faee5 100644 --- a/experimental/generated/elasticsearch/composable/component/tracing.json +++ b/experimental/generated/elasticsearch/composable/component/tracing.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tracing.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/url.json b/experimental/generated/elasticsearch/composable/component/url.json index c02743f06e..15eedc11ba 100644 --- a/experimental/generated/elasticsearch/composable/component/url.json +++ b/experimental/generated/elasticsearch/composable/component/url.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/user.json b/experimental/generated/elasticsearch/composable/component/user.json index 1da075520f..dfad2d3bbf 100644 --- a/experimental/generated/elasticsearch/composable/component/user.json +++ b/experimental/generated/elasticsearch/composable/component/user.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/user_agent.json b/experimental/generated/elasticsearch/composable/component/user_agent.json index c22e057181..4d8d4ca5a6 100644 --- a/experimental/generated/elasticsearch/composable/component/user_agent.json +++ b/experimental/generated/elasticsearch/composable/component/user_agent.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/vulnerability.json b/experimental/generated/elasticsearch/composable/component/vulnerability.json index 7798b722a2..829ebaaddb 100644 --- a/experimental/generated/elasticsearch/composable/component/vulnerability.json +++ b/experimental/generated/elasticsearch/composable/component/vulnerability.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/template.json b/experimental/generated/elasticsearch/composable/template.json index 2ac32e5443..ca6daa1a59 100644 --- a/experimental/generated/elasticsearch/composable/template.json +++ b/experimental/generated/elasticsearch/composable/template.json 
@@ -1,48 +1,48 @@ { "_meta": { "description": "Sample composable template that includes all ECS fields", - "ecs_version": "8.5.0-dev+exp" + "ecs_version": "8.6.0-dev+exp" }, "composed_of": [ - "ecs_8.5.0-dev-exp_cgroup", - "ecs_8.5.0-dev-exp_base", - "ecs_8.5.0-dev-exp_agent", - "ecs_8.5.0-dev-exp_client", - "ecs_8.5.0-dev-exp_cloud", - "ecs_8.5.0-dev-exp_container", - "ecs_8.5.0-dev-exp_data_stream", - "ecs_8.5.0-dev-exp_destination", - "ecs_8.5.0-dev-exp_dll", - "ecs_8.5.0-dev-exp_dns", - "ecs_8.5.0-dev-exp_ecs", - "ecs_8.5.0-dev-exp_email", - "ecs_8.5.0-dev-exp_error", - "ecs_8.5.0-dev-exp_event", - "ecs_8.5.0-dev-exp_faas", - "ecs_8.5.0-dev-exp_file", - "ecs_8.5.0-dev-exp_group", - "ecs_8.5.0-dev-exp_host", - "ecs_8.5.0-dev-exp_http", - "ecs_8.5.0-dev-exp_log", - "ecs_8.5.0-dev-exp_network", - "ecs_8.5.0-dev-exp_observer", - "ecs_8.5.0-dev-exp_orchestrator", - "ecs_8.5.0-dev-exp_organization", - "ecs_8.5.0-dev-exp_package", - "ecs_8.5.0-dev-exp_process", - "ecs_8.5.0-dev-exp_registry", - "ecs_8.5.0-dev-exp_related", - "ecs_8.5.0-dev-exp_rule", - "ecs_8.5.0-dev-exp_server", - "ecs_8.5.0-dev-exp_service", - "ecs_8.5.0-dev-exp_source", - "ecs_8.5.0-dev-exp_threat", - "ecs_8.5.0-dev-exp_tls", - "ecs_8.5.0-dev-exp_tracing", - "ecs_8.5.0-dev-exp_url", - "ecs_8.5.0-dev-exp_user_agent", - "ecs_8.5.0-dev-exp_user", - "ecs_8.5.0-dev-exp_vulnerability" + "ecs_8.6.0-dev-exp_cgroup", + "ecs_8.6.0-dev-exp_base", + "ecs_8.6.0-dev-exp_agent", + "ecs_8.6.0-dev-exp_client", + "ecs_8.6.0-dev-exp_cloud", + "ecs_8.6.0-dev-exp_container", + "ecs_8.6.0-dev-exp_data_stream", + "ecs_8.6.0-dev-exp_destination", + "ecs_8.6.0-dev-exp_dll", + "ecs_8.6.0-dev-exp_dns", + "ecs_8.6.0-dev-exp_ecs", + "ecs_8.6.0-dev-exp_email", + "ecs_8.6.0-dev-exp_error", + "ecs_8.6.0-dev-exp_event", + "ecs_8.6.0-dev-exp_faas", + "ecs_8.6.0-dev-exp_file", + "ecs_8.6.0-dev-exp_group", + "ecs_8.6.0-dev-exp_host", + "ecs_8.6.0-dev-exp_http", + "ecs_8.6.0-dev-exp_log", + "ecs_8.6.0-dev-exp_network", + 
"ecs_8.6.0-dev-exp_observer", + "ecs_8.6.0-dev-exp_orchestrator", + "ecs_8.6.0-dev-exp_organization", + "ecs_8.6.0-dev-exp_package", + "ecs_8.6.0-dev-exp_process", + "ecs_8.6.0-dev-exp_registry", + "ecs_8.6.0-dev-exp_related", + "ecs_8.6.0-dev-exp_rule", + "ecs_8.6.0-dev-exp_server", + "ecs_8.6.0-dev-exp_service", + "ecs_8.6.0-dev-exp_source", + "ecs_8.6.0-dev-exp_threat", + "ecs_8.6.0-dev-exp_tls", + "ecs_8.6.0-dev-exp_tracing", + "ecs_8.6.0-dev-exp_url", + "ecs_8.6.0-dev-exp_user_agent", + "ecs_8.6.0-dev-exp_user", + "ecs_8.6.0-dev-exp_vulnerability" ], "index_patterns": [ "try-ecs-*" diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index ad36c72e64..8a775c4a9c 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -4,7 +4,7 @@ ], "mappings": { "_meta": { - "version": "8.5.0-dev+exp" + "version": "8.6.0-dev+exp" }, "date_detection": false, "dynamic_templates": [ diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 1cd2d99870..4df983ecd0 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -1,5 +1,5 @@ # WARNING! Do not edit this file directly, it was generated by the ECS project, -# based on ECS version 8.5.0-dev. +# based on ECS version 8.6.0-dev. # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields. - key: ecs diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index f29d8d5c71..90474e7f4c 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -1,1514 +1,1514 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description -8.5.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. -8.5.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. -8.5.0-dev,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer. -8.5.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. -8.5.0-dev,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. -8.5.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. -8.5.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. -8.5.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. -8.5.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. -8.5.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. -8.5.0-dev,true,client,client.address,keyword,extended,,,Client network address. -8.5.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.5.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.5.0-dev,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.5.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. -8.5.0-dev,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client. -8.5.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name. -8.5.0-dev,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. 
-8.5.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. -8.5.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.5.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name. -8.5.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.5.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.5.0-dev,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. -8.5.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.5.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. -8.5.0-dev,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.5.0-dev,true,client,client.ip,ip,core,,,IP address of the client. -8.5.0-dev,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. -8.5.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address -8.5.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port -8.5.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. -8.5.0-dev,true,client,client.port,long,core,,,Port of the client. -8.5.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." -8.5.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. -8.5.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.5.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.5.0-dev,true,client,client.user.email,keyword,extended,,,User email address. -8.5.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
-8.5.0-dev,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.5.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.5.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group. -8.5.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.5.0-dev,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.5.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. -8.5.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. -8.5.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -8.5.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -8.5.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. -8.5.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.5.0-dev,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. -8.5.0-dev,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. 
-8.5.0-dev,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -8.5.0-dev,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -8.5.0-dev,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine. -8.5.0-dev,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.5.0-dev,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id. -8.5.0-dev,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name. -8.5.0-dev,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider. -8.5.0-dev,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -8.5.0-dev,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name. -8.5.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. -8.5.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. -8.5.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. -8.5.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -8.5.0-dev,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. -8.5.0-dev,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id. -8.5.0-dev,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name. -8.5.0-dev,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -8.5.0-dev,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. 
-8.5.0-dev,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine. -8.5.0-dev,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.5.0-dev,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id. -8.5.0-dev,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name. -8.5.0-dev,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider. -8.5.0-dev,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -8.5.0-dev,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name. -8.5.0-dev,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -8.5.0-dev,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -8.5.0-dev,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -8.5.0-dev,true,container,container.id,keyword,core,,,Unique container id. -8.5.0-dev,true,container,container.image.hash.all,keyword,extended,array,[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26],An array of digests of the image the container was built on. -8.5.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. -8.5.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags. -8.5.0-dev,true,container,container.labels,object,extended,,,Image labels. -8.5.0-dev,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1." -8.5.0-dev,true,container,container.name,keyword,extended,,,Container name. -8.5.0-dev,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. 
-8.5.0-dev,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -8.5.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. -8.5.0-dev,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. -8.5.0-dev,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. -8.5.0-dev,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. -8.5.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address. -8.5.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.5.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.5.0-dev,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.5.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. -8.5.0-dev,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination. -8.5.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. -8.5.0-dev,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. -8.5.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. -8.5.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.5.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. -8.5.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
-8.5.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.5.0-dev,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. -8.5.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.5.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. -8.5.0-dev,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.5.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. -8.5.0-dev,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. -8.5.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip -8.5.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port -8.5.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. -8.5.0-dev,true,destination,destination.port,long,core,,,Port of the destination. -8.5.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." -8.5.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. -8.5.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.5.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.5.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address. -8.5.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.5.0-dev,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
-8.5.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.5.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. -8.5.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.5.0-dev,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.5.0-dev,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.5.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.5.0-dev,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.5.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.5.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.5.0-dev,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.5.0-dev,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 
-8.5.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.5.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.5.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. -8.5.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. -8.5.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. -8.5.0-dev,true,dll,dll.hash.sha384,keyword,extended,,,SHA384 hash. -8.5.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. -8.5.0-dev,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.5.0-dev,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. -8.5.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. -8.5.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. -8.5.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.5.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.5.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.5.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.5.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.5.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.5.0-dev,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.5.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 
-8.5.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. -8.5.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. -8.5.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. -8.5.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. -8.5.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. -8.5.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. -8.5.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. -8.5.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. -8.5.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. -8.5.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. -8.5.0-dev,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. -8.5.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." -8.5.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. -8.5.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.5.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. -8.5.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data -8.5.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. 
-8.5.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." -8.5.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. -8.5.0-dev,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. -8.5.0-dev,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. -8.5.0-dev,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. -8.5.0-dev,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.5.0-dev,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.5.0-dev,true,email,email.attachments.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.5.0-dev,true,email,email.attachments.file.hash.sha512,keyword,extended,,,SHA512 hash. -8.5.0-dev,true,email,email.attachments.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.5.0-dev,true,email,email.attachments.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.5.0-dev,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file. -8.5.0-dev,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file. -8.5.0-dev,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size. -8.5.0-dev,true,email,email.bcc.address,keyword,extended,array,bcc.user1@example.com,Email address of BCC recipient -8.5.0-dev,true,email,email.cc.address,keyword,extended,array,cc.user1@example.com,Email address of CC recipient -8.5.0-dev,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message. -8.5.0-dev,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered. -8.5.0-dev,true,email,email.direction,keyword,extended,,inbound,Direction of the message. 
-8.5.0-dev,true,email,email.from.address,keyword,extended,array,sender@example.com,The sender's email address. -8.5.0-dev,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source. -8.5.0-dev,true,email,email.message_id,wildcard,extended,,81ce15$8r2j59@mail01.example.com,Value from the Message-ID header. -8.5.0-dev,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed. -8.5.0-dev,true,email,email.reply_to.address,keyword,extended,array,reply.here@example.com,Address replies should be delivered to. -8.5.0-dev,true,email,email.sender.address,keyword,extended,,,Address of the message sender. -8.5.0-dev,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message. -8.5.0-dev,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. -8.5.0-dev,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient -8.5.0-dev,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. -8.5.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. -8.5.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. -8.5.0-dev,true,error,error.message,match_only_text,core,,,Error message. -8.5.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. -8.5.0-dev,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text. -8.5.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." -8.5.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. 
-8.5.0-dev,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. -8.5.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. -8.5.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event. -8.5.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. -8.5.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. -8.5.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. -8.5.0-dev,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. -8.5.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. -8.5.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. -8.5.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. -8.5.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. -8.5.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. -8.5.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. -8.5.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. -8.5.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. 
-8.5.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" -8.5.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL -8.5.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. -8.5.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). -8.5.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event. -8.5.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event. -8.5.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. -8.5.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone. -8.5.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. -8.5.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL -8.5.0-dev,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function. -8.5.0-dev,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. -8.5.0-dev,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. -8.5.0-dev,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. -8.5.0-dev,true,faas,faas.trigger,nested,extended,,,Details about the function trigger. -8.5.0-dev,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." -8.5.0-dev,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. 
-8.5.0-dev,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. -8.5.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. -8.5.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.5.0-dev,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.5.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.5.0-dev,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.5.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.5.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.5.0-dev,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.5.0-dev,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.5.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.5.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.5.0-dev,true,file,file.created,date,extended,,,File creation time. -8.5.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.5.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. -8.5.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.5.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. 
-8.5.0-dev,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.5.0-dev,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.5.0-dev,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.5.0-dev,true,file,file.elf.creation_date,date,extended,,,Build or compile date. -8.5.0-dev,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.5.0-dev,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.5.0-dev,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.5.0-dev,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.5.0-dev,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.5.0-dev,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.5.0-dev,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.5.0-dev,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.5.0-dev,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.5.0-dev,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. -8.5.0-dev,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. -8.5.0-dev,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.5.0-dev,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.5.0-dev,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.5.0-dev,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.5.0-dev,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. 
-8.5.0-dev,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.5.0-dev,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.5.0-dev,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.5.0-dev,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.5.0-dev,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. -8.5.0-dev,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.5.0-dev,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.5.0-dev,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.5.0-dev,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.5.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.5.0-dev,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.5.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.5.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. -8.5.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. -8.5.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. -8.5.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. -8.5.0-dev,true,file,file.hash.sha384,keyword,extended,,,SHA384 hash. -8.5.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. -8.5.0-dev,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.5.0-dev,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. -8.5.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.5.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." 
-8.5.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. -8.5.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified. -8.5.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.5.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username. -8.5.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.5.0-dev,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.5.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.5.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.5.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.5.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.5.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.5.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.5.0-dev,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.5.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.5.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. -8.5.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks. -8.5.0-dev,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. 
-8.5.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -8.5.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.5.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.5.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.5.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.5.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.5.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.5.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.5.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.5.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.5.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.5.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.5.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.5.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. 
-8.5.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.5.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.5.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.5.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.5.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.5.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.5.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.5.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.5.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.5.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.5.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.5.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.5.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.5.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev,true,group,group.name,keyword,extended,,,Name of the group. -8.5.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. 
-8.5.0-dev,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id -8.5.0-dev,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -8.5.0-dev,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -8.5.0-dev,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -8.5.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. -8.5.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name. -8.5.0-dev,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. -8.5.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. -8.5.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.5.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name. -8.5.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.5.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.5.0-dev,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. -8.5.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.5.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. -8.5.0-dev,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.5.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host. -8.5.0-dev,true,host,host.id,keyword,core,,,Unique host id. -8.5.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. -8.5.0-dev,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. -8.5.0-dev,true,host,host.name,keyword,core,,,Name of the host. 
-8.5.0-dev,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. -8.5.0-dev,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. -8.5.0-dev,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -8.5.0-dev,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. -8.5.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.5.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.5.0-dev,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.5.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -8.5.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.5.0-dev,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.5.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.5.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." -8.5.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.5.0-dev,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode -8.5.0-dev,true,host,host.type,keyword,core,,,Type of host. -8.5.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. -8.5.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. -8.5.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. 
-8.5.0-dev,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body. -8.5.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). -8.5.0-dev,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. -8.5.0-dev,true,http,http.request.method,keyword,extended,,POST,HTTP request method. -8.5.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. -8.5.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. -8.5.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. -8.5.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. -8.5.0-dev,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body. -8.5.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). -8.5.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. -8.5.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code. -8.5.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version. -8.5.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. -8.5.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event. -8.5.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. -8.5.0-dev,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event. -8.5.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. 
-8.5.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. -8.5.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata -8.5.0-dev,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. -8.5.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. -8.5.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. -8.5.0-dev,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. -8.5.0-dev,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. -8.5.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. -8.5.0-dev,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. -8.5.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. -8.5.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. -8.5.0-dev,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages. -8.5.0-dev,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. -8.5.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name. -8.5.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. -8.5.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. -8.5.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. -8.5.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. -8.5.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. 
-8.5.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information -8.5.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.5.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.5.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. -8.5.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions. -8.5.0-dev,true,network,network.protocol,keyword,core,,http,Application protocol name. -8.5.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. -8.5.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" -8.5.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.5.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.5.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information -8.5.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias -8.5.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID -8.5.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name -8.5.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.5.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.5.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone -8.5.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. -8.5.0-dev,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. 
-8.5.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. -8.5.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.5.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. -8.5.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.5.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.5.0-dev,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. -8.5.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.5.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. -8.5.0-dev,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.5.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. -8.5.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information -8.5.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias -8.5.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID -8.5.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name -8.5.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.5.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.5.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone -8.5.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. -8.5.0-dev,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. -8.5.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. 
-8.5.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.5.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.5.0-dev,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.5.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -8.5.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.5.0-dev,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.5.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.5.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." -8.5.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.5.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. -8.5.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. -8.5.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. -8.5.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. -8.5.0-dev,true,observer,observer.version,keyword,core,,,Observer version. -8.5.0-dev,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action -8.5.0-dev,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster. -8.5.0-dev,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster. 
-8.5.0-dev,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster. -8.5.0-dev,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. -8.5.0-dev,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. -8.5.0-dev,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). -8.5.0-dev,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. -8.5.0-dev,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. -8.5.0-dev,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. -8.5.0-dev,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. -8.5.0-dev,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. -8.5.0-dev,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)." -8.5.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. -8.5.0-dev,true,organization,organization.name,keyword,extended,,,Organization name. -8.5.0-dev,true,organization,organization.name.text,match_only_text,extended,,,Organization name. -8.5.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. -8.5.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information -8.5.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. 
-8.5.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. -8.5.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." -8.5.0-dev,true,package,package.installed,date,extended,,,Time when package was installed. -8.5.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license -8.5.0-dev,true,package,package.name,keyword,extended,,go,Package name -8.5.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. -8.5.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL -8.5.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes. -8.5.0-dev,true,package,package.type,keyword,extended,,rpm,Package type -8.5.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version -8.5.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.5.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. -8.5.0-dev,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.5.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.5.0-dev,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.5.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
-8.5.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.5.0-dev,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.5.0-dev,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.5.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.5.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.5.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.5.0-dev,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.5.0-dev,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.5.0-dev,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.5.0-dev,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.5.0-dev,true,process,process.elf.creation_date,date,extended,,,Build or compile date. -8.5.0-dev,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. -8.5.0-dev,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.5.0-dev,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.5.0-dev,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.5.0-dev,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. 
-8.5.0-dev,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.5.0-dev,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.5.0-dev,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.5.0-dev,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. -8.5.0-dev,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. -8.5.0-dev,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. -8.5.0-dev,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.5.0-dev,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.5.0-dev,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.5.0-dev,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. -8.5.0-dev,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.5.0-dev,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.5.0-dev,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. -8.5.0-dev,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.5.0-dev,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.5.0-dev,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. -8.5.0-dev,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.5.0-dev,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. -8.5.0-dev,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. 
-8.5.0-dev,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.5.0-dev,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -8.5.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.5.0-dev,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.5.0-dev,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. -8.5.0-dev,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.5.0-dev,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.5.0-dev,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.5.0-dev,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. -8.5.0-dev,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. -8.5.0-dev,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.5.0-dev,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.5.0-dev,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. -8.5.0-dev,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.5.0-dev,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. 
-8.5.0-dev,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. -8.5.0-dev,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.5.0-dev,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. -8.5.0-dev,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.5.0-dev,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. -8.5.0-dev,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.5.0-dev,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.5.0-dev,true,process,process.entry_leader.pid,long,core,,4242,Process id. -8.5.0-dev,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. -8.5.0-dev,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -8.5.0-dev,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. 
-8.5.0-dev,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.5.0-dev,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.5.0-dev,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. -8.5.0-dev,true,process,process.entry_leader.tty.char_device.major,long,extended,,1,The TTY character device's major number. -8.5.0-dev,true,process,process.entry_leader.tty.char_device.minor,long,extended,,128,The TTY character device's minor number. -8.5.0-dev,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.5.0-dev,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.5.0-dev,true,process,process.env_vars,object,extended,,"{""USER"": ""elastic"",""LANG"": ""en_US.UTF-8"",""HOME"": ""/home/elastic""}",Environment variables set at the time of the event. 
-8.5.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.5.0-dev,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.5.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. -8.5.0-dev,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.5.0-dev,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. -8.5.0-dev,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.5.0-dev,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.5.0-dev,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.5.0-dev,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.5.0-dev,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.5.0-dev,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. -8.5.0-dev,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.5.0-dev,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. -8.5.0-dev,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. -8.5.0-dev,true,process,process.group_leader.pid,long,core,,4242,Process id. 
-8.5.0-dev,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. -8.5.0-dev,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -8.5.0-dev,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. -8.5.0-dev,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.5.0-dev,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.5.0-dev,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. 
-8.5.0-dev,true,process,process.group_leader.tty.char_device.major,long,extended,,1,The TTY character device's major number. -8.5.0-dev,true,process,process.group_leader.tty.char_device.minor,long,extended,,128,The TTY character device's minor number. -8.5.0-dev,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.5.0-dev,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.5.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. -8.5.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. -8.5.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. -8.5.0-dev,true,process,process.hash.sha384,keyword,extended,,,SHA384 hash. -8.5.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. -8.5.0-dev,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.5.0-dev,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. -8.5.0-dev,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.5.0-dev,true,process,process.name,keyword,extended,,ssh,Process name. -8.5.0-dev,true,process,process.name.text,match_only_text,extended,,ssh,Process name. -8.5.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.5.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. 
-8.5.0-dev,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.5.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.5.0-dev,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.5.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.5.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.5.0-dev,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.5.0-dev,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.5.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.5.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.5.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.5.0-dev,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.5.0-dev,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.5.0-dev,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.5.0-dev,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. 
-8.5.0-dev,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. -8.5.0-dev,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. -8.5.0-dev,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.5.0-dev,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.5.0-dev,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.5.0-dev,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.5.0-dev,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.5.0-dev,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.5.0-dev,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.5.0-dev,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. -8.5.0-dev,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. -8.5.0-dev,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. -8.5.0-dev,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.5.0-dev,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.5.0-dev,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.5.0-dev,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. -8.5.0-dev,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. 
-8.5.0-dev,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.5.0-dev,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. -8.5.0-dev,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.5.0-dev,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.5.0-dev,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. -8.5.0-dev,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.5.0-dev,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. -8.5.0-dev,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.5.0-dev,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.5.0-dev,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -8.5.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.5.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.5.0-dev,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.5.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. -8.5.0-dev,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev,true,process,process.parent.group.name,keyword,extended,,,Name of the group. -8.5.0-dev,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.5.0-dev,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. 
-8.5.0-dev,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.5.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. -8.5.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. -8.5.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. -8.5.0-dev,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash. -8.5.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. -8.5.0-dev,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.5.0-dev,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. -8.5.0-dev,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.5.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name. -8.5.0-dev,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. -8.5.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.5.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.5.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.5.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.5.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.5.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.5.0-dev,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. 
-8.5.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.5.0-dev,true,process,process.parent.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. -8.5.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. -8.5.0-dev,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. -8.5.0-dev,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group. -8.5.0-dev,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.5.0-dev,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. 
-8.5.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. -8.5.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. -8.5.0-dev,true,process,process.parent.title,keyword,extended,,,Process title. -8.5.0-dev,true,process,process.parent.title.text,match_only_text,extended,,,Process title. -8.5.0-dev,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. -8.5.0-dev,true,process,process.parent.tty.char_device.major,long,extended,,1,The TTY character device's major number. -8.5.0-dev,true,process,process.parent.tty.char_device.minor,long,extended,,128,The TTY character device's minor number. -8.5.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. -8.5.0-dev,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.5.0-dev,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.5.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.5.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.5.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.5.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 
-8.5.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.5.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.5.0-dev,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.5.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.5.0-dev,true,process,process.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. -8.5.0-dev,true,process,process.pid,long,core,,4242,Process id. -8.5.0-dev,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.5.0-dev,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. -8.5.0-dev,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.5.0-dev,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.5.0-dev,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev,true,process,process.real_group.name,keyword,extended,,,Name of the group. -8.5.0-dev,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-8.5.0-dev,true,process,process.saved_group.name,keyword,extended,,,Name of the group. -8.5.0-dev,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.5.0-dev,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array. -8.5.0-dev,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.5.0-dev,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.5.0-dev,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.5.0-dev,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.5.0-dev,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.5.0-dev,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. -8.5.0-dev,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.5.0-dev,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. -8.5.0-dev,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. 
-8.5.0-dev,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.5.0-dev,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. -8.5.0-dev,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.5.0-dev,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. -8.5.0-dev,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.5.0-dev,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.5.0-dev,true,process,process.session_leader.pid,long,core,,4242,Process id. -8.5.0-dev,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. -8.5.0-dev,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -8.5.0-dev,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group. 
-8.5.0-dev,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.5.0-dev,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.5.0-dev,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. -8.5.0-dev,true,process,process.session_leader.tty.char_device.major,long,extended,,1,The TTY character device's major number. -8.5.0-dev,true,process,process.session_leader.tty.char_device.minor,long,extended,,128,The TTY character device's minor number. -8.5.0-dev,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.5.0-dev,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.5.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 
-8.5.0-dev,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. -8.5.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. -8.5.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. -8.5.0-dev,true,process,process.title,keyword,extended,,,Process title. -8.5.0-dev,true,process,process.title.text,match_only_text,extended,,,Process title. -8.5.0-dev,true,process,process.tty,object,extended,,,Information about the controlling TTY device. -8.5.0-dev,true,process,process.tty.char_device.major,long,extended,,1,The TTY character device's major number. -8.5.0-dev,true,process,process.tty.char_device.minor,long,extended,,128,The TTY character device's minor number. -8.5.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. -8.5.0-dev,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.5.0-dev,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.5.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.5.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. 
-8.5.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.5.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.5.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -8.5.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.5.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. -8.5.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. -8.5.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. -8.5.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. -8.5.0-dev,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. 
-8.5.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author -8.5.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category -8.5.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description -8.5.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID -8.5.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license -8.5.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name -8.5.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL -8.5.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset -8.5.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID -8.5.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version -8.5.0-dev,true,server,server.address,keyword,extended,,,Server network address. -8.5.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.5.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.5.0-dev,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.5.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. -8.5.0-dev,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server. -8.5.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name. -8.5.0-dev,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. -8.5.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. -8.5.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.5.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name. 
-8.5.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.5.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.5.0-dev,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. -8.5.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.5.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. -8.5.0-dev,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.5.0-dev,true,server,server.ip,ip,core,,,IP address of the server. -8.5.0-dev,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. -8.5.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip -8.5.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port -8.5.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. -8.5.0-dev,true,server,server.port,long,core,,,Port of the server. -8.5.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." -8.5.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. -8.5.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.5.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.5.0-dev,true,server,server.user.email,keyword,extended,,,User email address. -8.5.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.5.0-dev,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.5.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-8.5.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group. -8.5.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.5.0-dev,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.5.0-dev,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.5.0-dev,true,service,service.environment,keyword,extended,,production,Environment of the service. -8.5.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.5.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.5.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. -8.5.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.5.0-dev,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.5.0-dev,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -8.5.0-dev,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.5.0-dev,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. 
-8.5.0-dev,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.5.0-dev,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.5.0-dev,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. -8.5.0-dev,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.5.0-dev,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.5.0-dev,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -8.5.0-dev,true,service,service.origin.state,keyword,core,,,Current state of the service. -8.5.0-dev,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. -8.5.0-dev,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. -8.5.0-dev,true,service,service.state,keyword,core,,,Current state of the service. -8.5.0-dev,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.5.0-dev,true,service,service.target.environment,keyword,extended,,production,Environment of the service. -8.5.0-dev,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.5.0-dev,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.5.0-dev,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. -8.5.0-dev,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.5.0-dev,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. 
-8.5.0-dev,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -8.5.0-dev,true,service,service.target.state,keyword,core,,,Current state of the service. -8.5.0-dev,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. -8.5.0-dev,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. -8.5.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service. -8.5.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service. -8.5.0-dev,true,source,source.address,keyword,extended,,,Source network address. -8.5.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.5.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.5.0-dev,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.5.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. -8.5.0-dev,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source. -8.5.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name. -8.5.0-dev,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. -8.5.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. -8.5.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.5.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name. -8.5.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.5.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.5.0-dev,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. 
-8.5.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.5.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. -8.5.0-dev,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.5.0-dev,true,source,source.ip,ip,core,,,IP address of the source. -8.5.0-dev,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. -8.5.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip -8.5.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port -8.5.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. -8.5.0-dev,true,source,source.port,long,core,,,Port of the source. -8.5.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -8.5.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. -8.5.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.5.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.5.0-dev,true,source,source.user.email,keyword,extended,,,User email address. -8.5.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.5.0-dev,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.5.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.5.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group. -8.5.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
-8.5.0-dev,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.5.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. -8.5.0-dev,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. -8.5.0-dev,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. -8.5.0-dev,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.5.0-dev,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.5.0-dev,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.5.0-dev,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating -8.5.0-dev,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -8.5.0-dev,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address -8.5.0-dev,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 
-8.5.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.5.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. 
-8.5.0-dev,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.5.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.5.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. 
-8.5.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. 
-8.5.0-dev,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.5.0-dev,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.5.0-dev,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." 
-8.5.0-dev,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.5.0-dev,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.5.0-dev,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.5.0-dev,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.5.0-dev,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.5.0-dev,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.5.0-dev,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. 
-8.5.0-dev,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -8.5.0-dev,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.5.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.5.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.5.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.5.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. 
-8.5.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.5.0-dev,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.5.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-8.5.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.5.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.5.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.5.0-dev,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.5.0-dev,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. -8.5.0-dev,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. -8.5.0-dev,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. -8.5.0-dev,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. -8.5.0-dev,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.5.0-dev,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. -8.5.0-dev,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.5.0-dev,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.5.0-dev,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. -8.5.0-dev,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 
-8.5.0-dev,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. -8.5.0-dev,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.5.0-dev,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address -8.5.0-dev,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. -8.5.0-dev,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,WHITE,Indicator TLP marking -8.5.0-dev,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. -8.5.0-dev,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port -8.5.0-dev,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider -8.5.0-dev,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL -8.5.0-dev,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.5.0-dev,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -8.5.0-dev,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.5.0-dev,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.5.0-dev,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. 
-8.5.0-dev,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.5.0-dev,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. -8.5.0-dev,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics -8.5.0-dev,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed -8.5.0-dev,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator -8.5.0-dev,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.5.0-dev,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -8.5.0-dev,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.5.0-dev,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.5.0-dev,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.5.0-dev,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.5.0-dev,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.5.0-dev,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. 
-8.5.0-dev,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.5.0-dev,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." -8.5.0-dev,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. -8.5.0-dev,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.5.0-dev,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. -8.5.0-dev,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.5.0-dev,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.5.0-dev,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. -8.5.0-dev,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.5.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.5.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.5.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
-8.5.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.5.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.5.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.5.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.5.0-dev,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.5.0-dev,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.5.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.5.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.5.0-dev,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.5.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.5.0-dev,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.5.0-dev,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. 
-8.5.0-dev,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.5.0-dev,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.5.0-dev,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.5.0-dev,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.5.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.5.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.5.0-dev,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.5.0-dev,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. 
-8.5.0-dev,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value -8.5.0-dev,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field -8.5.0-dev,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier -8.5.0-dev,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index -8.5.0-dev,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05T17:00:58.326Z,Date of match -8.5.0-dev,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match -8.5.0-dev,true,threat,threat.feed.dashboard_id,keyword,extended,,5ba16340-72e6-11eb-a3e3-b3cc7c78a70f,Feed dashboard ID. -8.5.0-dev,true,threat,threat.feed.description,keyword,extended,,Threat feed from the AlienVault Open Threat eXchange network.,Description of the threat feed. -8.5.0-dev,true,threat,threat.feed.name,keyword,extended,,AlienVault OTX,Name of the threat feed. -8.5.0-dev,true,threat,threat.feed.reference,keyword,extended,,https://otx.alienvault.com,Reference for the threat feed. -8.5.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. -8.5.0-dev,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. -8.5.0-dev,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. -8.5.0-dev,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. -8.5.0-dev,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. -8.5.0-dev,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.5.0-dev,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. 
-8.5.0-dev,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.5.0-dev,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating -8.5.0-dev,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -8.5.0-dev,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address -8.5.0-dev,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. -8.5.0-dev,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.5.0-dev,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.5.0-dev,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.5.0-dev,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.5.0-dev,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.5.0-dev,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.5.0-dev,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.5.0-dev,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.5.0-dev,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 
-8.5.0-dev,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.5.0-dev,true,threat,threat.indicator.file.created,date,extended,,,File creation time. -8.5.0-dev,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.5.0-dev,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. -8.5.0-dev,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.5.0-dev,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.5.0-dev,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.5.0-dev,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.5.0-dev,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.5.0-dev,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. -8.5.0-dev,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.5.0-dev,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.5.0-dev,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.5.0-dev,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.5.0-dev,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.5.0-dev,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." 
-8.5.0-dev,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.5.0-dev,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.5.0-dev,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.5.0-dev,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. -8.5.0-dev,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. -8.5.0-dev,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.5.0-dev,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.5.0-dev,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.5.0-dev,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.5.0-dev,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.5.0-dev,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.5.0-dev,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.5.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.5.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.5.0-dev,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. -8.5.0-dev,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.5.0-dev,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. 
-8.5.0-dev,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.5.0-dev,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.5.0-dev,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.5.0-dev,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.5.0-dev,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.5.0-dev,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. -8.5.0-dev,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. -8.5.0-dev,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.5.0-dev,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.5.0-dev,true,threat,threat.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.5.0-dev,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. -8.5.0-dev,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.5.0-dev,true,threat,threat.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.5.0-dev,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.5.0-dev,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.5.0-dev,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. -8.5.0-dev,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. -8.5.0-dev,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." 
-8.5.0-dev,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. -8.5.0-dev,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.5.0-dev,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.5.0-dev,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.5.0-dev,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.5.0-dev,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.5.0-dev,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.5.0-dev,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.5.0-dev,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.5.0-dev,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.5.0-dev,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.5.0-dev,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. -8.5.0-dev,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. -8.5.0-dev,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.5.0-dev,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." 
-8.5.0-dev,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.5.0-dev,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.5.0-dev,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.5.0-dev,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.5.0-dev,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.5.0-dev,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.5.0-dev,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.5.0-dev,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.5.0-dev,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.5.0-dev,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.5.0-dev,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.5.0-dev,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. 
-8.5.0-dev,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.5.0-dev,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.5.0-dev,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.5.0-dev,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.5.0-dev,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.5.0-dev,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.5.0-dev,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.5.0-dev,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.5.0-dev,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.5.0-dev,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.5.0-dev,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.5.0-dev,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.5.0-dev,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. 
-8.5.0-dev,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. -8.5.0-dev,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. -8.5.0-dev,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. -8.5.0-dev,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. -8.5.0-dev,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.5.0-dev,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. -8.5.0-dev,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.5.0-dev,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.5.0-dev,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. -8.5.0-dev,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.5.0-dev,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. -8.5.0-dev,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.5.0-dev,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address -8.5.0-dev,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. -8.5.0-dev,true,threat,threat.indicator.marking.tlp,keyword,extended,,WHITE,Indicator TLP marking -8.5.0-dev,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. 
-8.5.0-dev,true,threat,threat.indicator.port,long,extended,,443,Indicator port -8.5.0-dev,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider -8.5.0-dev,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL -8.5.0-dev,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.5.0-dev,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -8.5.0-dev,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.5.0-dev,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.5.0-dev,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -8.5.0-dev,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.5.0-dev,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. -8.5.0-dev,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics -8.5.0-dev,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed -8.5.0-dev,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator -8.5.0-dev,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.5.0-dev,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." 
-8.5.0-dev,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.5.0-dev,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.5.0-dev,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.5.0-dev,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.5.0-dev,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.5.0-dev,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. -8.5.0-dev,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.5.0-dev,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." -8.5.0-dev,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. -8.5.0-dev,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.5.0-dev,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. -8.5.0-dev,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.5.0-dev,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.5.0-dev,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. -8.5.0-dev,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
-8.5.0-dev,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.5.0-dev,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.5.0-dev,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.5.0-dev,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.5.0-dev,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.5.0-dev,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.5.0-dev,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.5.0-dev,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.5.0-dev,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.5.0-dev,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.5.0-dev,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.5.0-dev,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. 
-8.5.0-dev,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.5.0-dev,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.5.0-dev,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.5.0-dev,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.5.0-dev,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.5.0-dev,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.5.0-dev,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.5.0-dev,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.5.0-dev,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.5.0-dev,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.5.0-dev,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. -8.5.0-dev,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software -8.5.0-dev,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software -8.5.0-dev,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. -8.5.0-dev,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. 
-8.5.0-dev,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. -8.5.0-dev,true,threat,threat.software.type,keyword,extended,,Tool,Software type. -8.5.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. -8.5.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. -8.5.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. -8.5.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. -8.5.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. -8.5.0-dev,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name. -8.5.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. -8.5.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. -8.5.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. -8.5.0-dev,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name. -8.5.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. -8.5.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. -8.5.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. 
-8.5.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. -8.5.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. -8.5.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. -8.5.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. -8.5.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. -8.5.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. -8.5.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. -8.5.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. -8.5.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. -8.5.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. 
-8.5.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. -8.5.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.5.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.5.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.5.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.5.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.5.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.5.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.5.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.5.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.5.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.5.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.5.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. 
This is algorithm specific. -8.5.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.5.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.5.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.5.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.5.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.5.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.5.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.5.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.5.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.5.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.5.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.5.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. -8.5.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." -8.5.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. 
-8.5.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. -8.5.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -8.5.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. -8.5.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. -8.5.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. -8.5.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. -8.5.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. -8.5.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. -8.5.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. -8.5.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. -8.5.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. 
-8.5.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. -8.5.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.5.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.5.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.5.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.5.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.5.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.5.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.5.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.5.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.5.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.5.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.5.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. 
-8.5.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.5.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.5.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.5.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.5.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.5.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.5.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.5.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.5.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.5.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.5.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.5.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. -8.5.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. -8.5.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. -8.5.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. 
-8.5.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. -8.5.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.5.0-dev,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -8.5.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.5.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.5.0-dev,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.5.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.5.0-dev,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.5.0-dev,true,url,url.password,keyword,extended,,,Password of the request. -8.5.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.5.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443." -8.5.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. -8.5.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.5.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. -8.5.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.5.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.5.0-dev,true,url,url.username,keyword,extended,,,Username of the request. 
-8.5.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. -8.5.0-dev,true,user,user.changes.email,keyword,extended,,,User email address. -8.5.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.5.0-dev,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.5.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.5.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group. -8.5.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.5.0-dev,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.5.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.5.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. -8.5.0-dev,true,user,user.effective.email,keyword,extended,,,User email address. -8.5.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.5.0-dev,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
-8.5.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.5.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group. -8.5.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.5.0-dev,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.5.0-dev,true,user,user.email,keyword,extended,,,User email address. -8.5.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.5.0-dev,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.5.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.5.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group. -8.5.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.5.0-dev,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
-8.5.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.5.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. -8.5.0-dev,true,user,user.target.email,keyword,extended,,,User email address. -8.5.0-dev,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.5.0-dev,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.5.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.5.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.5.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group. -8.5.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.5.0-dev,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.5.0-dev,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.5.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.5.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. -8.5.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. -8.5.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. 
-8.5.0-dev,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -8.5.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.5.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.5.0-dev,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.5.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -8.5.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.5.0-dev,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.5.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.5.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." -8.5.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.5.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. -8.5.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. -8.5.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. -8.5.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. 
-8.5.0-dev,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -8.5.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. -8.5.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. -8.5.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. -8.5.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. -8.5.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. -8.5.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. -8.5.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. -8.5.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. -8.5.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. -8.5.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. +8.6.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. +8.6.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. +8.6.0-dev,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer. +8.6.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. 
+8.6.0-dev,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. +8.6.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. +8.6.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. +8.6.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. +8.6.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. +8.6.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. +8.6.0-dev,true,client,client.address,keyword,extended,,,Client network address. +8.6.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.6.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.6.0-dev,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.6.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. +8.6.0-dev,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client. +8.6.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name. +8.6.0-dev,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. +8.6.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. +8.6.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.6.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name. +8.6.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.6.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.6.0-dev,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. 
+8.6.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.6.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. +8.6.0-dev,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.6.0-dev,true,client,client.ip,ip,core,,,IP address of the client. +8.6.0-dev,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. +8.6.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address +8.6.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port +8.6.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. +8.6.0-dev,true,client,client.port,long,core,,,Port of the client. +8.6.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." +8.6.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. +8.6.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.6.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.6.0-dev,true,client,client.user.email,keyword,extended,,,User email address. +8.6.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.6.0-dev,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.6.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.6.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group. +8.6.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
+8.6.0-dev,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.6.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. +8.6.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. +8.6.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +8.6.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +8.6.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. +8.6.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +8.6.0-dev,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. +8.6.0-dev,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. +8.6.0-dev,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +8.6.0-dev,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +8.6.0-dev,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine. +8.6.0-dev,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +8.6.0-dev,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id. 
+8.6.0-dev,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name. +8.6.0-dev,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider. +8.6.0-dev,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +8.6.0-dev,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name. +8.6.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. +8.6.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. +8.6.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. +8.6.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +8.6.0-dev,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. +8.6.0-dev,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id. +8.6.0-dev,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name. +8.6.0-dev,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +8.6.0-dev,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +8.6.0-dev,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine. +8.6.0-dev,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +8.6.0-dev,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id. +8.6.0-dev,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name. +8.6.0-dev,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider. 
+8.6.0-dev,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +8.6.0-dev,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name. +8.6.0-dev,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +8.6.0-dev,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +8.6.0-dev,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +8.6.0-dev,true,container,container.id,keyword,core,,,Unique container id. +8.6.0-dev,true,container,container.image.hash.all,keyword,extended,array,[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26],An array of digests of the image the container was built on. +8.6.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. +8.6.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags. +8.6.0-dev,true,container,container.labels,object,extended,,,Image labels. +8.6.0-dev,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1." +8.6.0-dev,true,container,container.name,keyword,extended,,,Container name. +8.6.0-dev,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +8.6.0-dev,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +8.6.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. +8.6.0-dev,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. +8.6.0-dev,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. 
+8.6.0-dev,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. +8.6.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address. +8.6.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.6.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.6.0-dev,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.6.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. +8.6.0-dev,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination. +8.6.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. +8.6.0-dev,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. +8.6.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. +8.6.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.6.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. +8.6.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.6.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.6.0-dev,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. +8.6.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.6.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. +8.6.0-dev,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.6.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. 
+8.6.0-dev,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. +8.6.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip +8.6.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port +8.6.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. +8.6.0-dev,true,destination,destination.port,long,core,,,Port of the destination. +8.6.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." +8.6.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. +8.6.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.6.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.6.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address. +8.6.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.6.0-dev,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.6.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.6.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. +8.6.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.6.0-dev,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
+8.6.0-dev,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.6.0-dev,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.6.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.6.0-dev,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.6.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.6.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.6.0-dev,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.6.0-dev,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.6.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.6.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.6.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. +8.6.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. +8.6.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. +8.6.0-dev,true,dll,dll.hash.sha384,keyword,extended,,,SHA384 hash. +8.6.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. +8.6.0-dev,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.6.0-dev,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. 
+8.6.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. +8.6.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. +8.6.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.6.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.6.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.6.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.6.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.6.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.6.0-dev,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.6.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.6.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. +8.6.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. +8.6.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. +8.6.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. +8.6.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. +8.6.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. +8.6.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. 
+8.6.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. +8.6.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. +8.6.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. +8.6.0-dev,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. +8.6.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." +8.6.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. +8.6.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.6.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. +8.6.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data +8.6.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. +8.6.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." +8.6.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. +8.6.0-dev,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. +8.6.0-dev,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. +8.6.0-dev,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. +8.6.0-dev,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. +8.6.0-dev,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. +8.6.0-dev,true,email,email.attachments.file.hash.sha384,keyword,extended,,,SHA384 hash. 
+8.6.0-dev,true,email,email.attachments.file.hash.sha512,keyword,extended,,,SHA512 hash. +8.6.0-dev,true,email,email.attachments.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.6.0-dev,true,email,email.attachments.file.hash.tlsh,keyword,extended,,,TLSH hash. +8.6.0-dev,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file. +8.6.0-dev,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file. +8.6.0-dev,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size. +8.6.0-dev,true,email,email.bcc.address,keyword,extended,array,bcc.user1@example.com,Email address of BCC recipient +8.6.0-dev,true,email,email.cc.address,keyword,extended,array,cc.user1@example.com,Email address of CC recipient +8.6.0-dev,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message. +8.6.0-dev,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered. +8.6.0-dev,true,email,email.direction,keyword,extended,,inbound,Direction of the message. +8.6.0-dev,true,email,email.from.address,keyword,extended,array,sender@example.com,The sender's email address. +8.6.0-dev,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source. +8.6.0-dev,true,email,email.message_id,wildcard,extended,,81ce15$8r2j59@mail01.example.com,Value from the Message-ID header. +8.6.0-dev,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed. +8.6.0-dev,true,email,email.reply_to.address,keyword,extended,array,reply.here@example.com,Address replies should be delivered to. +8.6.0-dev,true,email,email.sender.address,keyword,extended,,,Address of the message sender. +8.6.0-dev,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message. 
+8.6.0-dev,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. +8.6.0-dev,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient +8.6.0-dev,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. +8.6.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. +8.6.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. +8.6.0-dev,true,error,error.message,match_only_text,core,,,Error message. +8.6.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. +8.6.0-dev,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text. +8.6.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." +8.6.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. +8.6.0-dev,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. +8.6.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. +8.6.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event. +8.6.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. +8.6.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. +8.6.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. +8.6.0-dev,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. 
+8.6.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +8.6.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. +8.6.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. +8.6.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. +8.6.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. +8.6.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +8.6.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. +8.6.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. +8.6.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" +8.6.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL +8.6.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +8.6.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). +8.6.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event. +8.6.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event. +8.6.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. +8.6.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone. 
+8.6.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. +8.6.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL +8.6.0-dev,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function. +8.6.0-dev,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. +8.6.0-dev,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. +8.6.0-dev,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. +8.6.0-dev,true,faas,faas.trigger,nested,extended,,,Details about the function trigger. +8.6.0-dev,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." +8.6.0-dev,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. +8.6.0-dev,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. +8.6.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. +8.6.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +8.6.0-dev,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.6.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.6.0-dev,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.6.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
+8.6.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.6.0-dev,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.6.0-dev,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.6.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.6.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.6.0-dev,true,file,file.created,date,extended,,,File creation time. +8.6.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. +8.6.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. +8.6.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. +8.6.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +8.6.0-dev,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.6.0-dev,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.6.0-dev,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.6.0-dev,true,file,file.elf.creation_date,date,extended,,,Build or compile date. +8.6.0-dev,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. +8.6.0-dev,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.6.0-dev,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.6.0-dev,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. 
+8.6.0-dev,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.6.0-dev,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.6.0-dev,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.6.0-dev,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.6.0-dev,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. +8.6.0-dev,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. +8.6.0-dev,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. +8.6.0-dev,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.6.0-dev,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.6.0-dev,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.6.0-dev,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. +8.6.0-dev,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.6.0-dev,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.6.0-dev,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.6.0-dev,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.6.0-dev,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.6.0-dev,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. +8.6.0-dev,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.6.0-dev,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. +8.6.0-dev,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. 
+8.6.0-dev,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.6.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +8.6.0-dev,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +8.6.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +8.6.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. +8.6.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. +8.6.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. +8.6.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. +8.6.0-dev,true,file,file.hash.sha384,keyword,extended,,,SHA384 hash. +8.6.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. +8.6.0-dev,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.6.0-dev,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. +8.6.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +8.6.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +8.6.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. +8.6.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified. +8.6.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +8.6.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username. +8.6.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.6.0-dev,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.6.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 
+8.6.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.6.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.6.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.6.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.6.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.6.0-dev,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.6.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.6.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. +8.6.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks. +8.6.0-dev,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. +8.6.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +8.6.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +8.6.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.6.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.6.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.6.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
+8.6.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.6.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.6.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.6.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.6.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.6.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.6.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.6.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.6.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.6.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.6.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.6.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.6.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
+8.6.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.6.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.6.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.6.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.6.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.6.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.6.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. +8.6.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.6.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev,true,group,group.name,keyword,extended,,,Name of the group. +8.6.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. +8.6.0-dev,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id +8.6.0-dev,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +8.6.0-dev,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +8.6.0-dev,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +8.6.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. +8.6.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name. +8.6.0-dev,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. 
+8.6.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. +8.6.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.6.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name. +8.6.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.6.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.6.0-dev,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. +8.6.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.6.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. +8.6.0-dev,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.6.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host. +8.6.0-dev,true,host,host.id,keyword,core,,,Unique host id. +8.6.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. +8.6.0-dev,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. +8.6.0-dev,true,host,host.name,keyword,core,,,Name of the host. +8.6.0-dev,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +8.6.0-dev,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. +8.6.0-dev,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +8.6.0-dev,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. +8.6.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +8.6.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 
+8.6.0-dev,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.6.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +8.6.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +8.6.0-dev,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +8.6.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +8.6.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." +8.6.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +8.6.0-dev,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode +8.6.0-dev,true,host,host.type,keyword,core,,,Type of host. +8.6.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. +8.6.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. +8.6.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. +8.6.0-dev,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body. +8.6.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). +8.6.0-dev,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. +8.6.0-dev,true,http,http.request.method,keyword,extended,,POST,HTTP request method. +8.6.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. +8.6.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. 
+8.6.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. +8.6.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. +8.6.0-dev,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body. +8.6.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). +8.6.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. +8.6.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code. +8.6.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version. +8.6.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. +8.6.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event. +8.6.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. +8.6.0-dev,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event. +8.6.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. +8.6.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. +8.6.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata +8.6.0-dev,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. +8.6.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. +8.6.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. +8.6.0-dev,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. +8.6.0-dev,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. 
+8.6.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. +8.6.0-dev,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. +8.6.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. +8.6.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. +8.6.0-dev,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages. +8.6.0-dev,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. +8.6.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name. +8.6.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. +8.6.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. +8.6.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. +8.6.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. +8.6.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. +8.6.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information +8.6.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.6.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.6.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. +8.6.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions. +8.6.0-dev,true,network,network.protocol,keyword,core,,http,Application protocol name. +8.6.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. 
+8.6.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" +8.6.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.6.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.6.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information +8.6.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias +8.6.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID +8.6.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name +8.6.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.6.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.6.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone +8.6.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. +8.6.0-dev,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. +8.6.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. +8.6.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.6.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. +8.6.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.6.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.6.0-dev,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. +8.6.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 
+8.6.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. +8.6.0-dev,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.6.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. +8.6.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information +8.6.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias +8.6.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID +8.6.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name +8.6.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.6.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.6.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone +8.6.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. +8.6.0-dev,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. +8.6.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. +8.6.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +8.6.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.6.0-dev,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.6.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +8.6.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." 
+8.6.0-dev,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +8.6.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +8.6.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." +8.6.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +8.6.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. +8.6.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. +8.6.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. +8.6.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. +8.6.0-dev,true,observer,observer.version,keyword,core,,,Observer version. +8.6.0-dev,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action +8.6.0-dev,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster. +8.6.0-dev,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster. +8.6.0-dev,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster. +8.6.0-dev,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. +8.6.0-dev,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. +8.6.0-dev,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). +8.6.0-dev,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. 
+8.6.0-dev,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. +8.6.0-dev,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. +8.6.0-dev,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. +8.6.0-dev,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. +8.6.0-dev,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)." +8.6.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. +8.6.0-dev,true,organization,organization.name,keyword,extended,,,Organization name. +8.6.0-dev,true,organization,organization.name.text,match_only_text,extended,,,Organization name. +8.6.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. +8.6.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information +8.6.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. +8.6.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. +8.6.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." +8.6.0-dev,true,package,package.installed,date,extended,,,Time when package was installed. 
+8.6.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license +8.6.0-dev,true,package,package.name,keyword,extended,,go,Package name +8.6.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. +8.6.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL +8.6.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes. +8.6.0-dev,true,package,package.type,keyword,extended,,rpm,Package type +8.6.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version +8.6.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.6.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. +8.6.0-dev,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.6.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.6.0-dev,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.6.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.6.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.6.0-dev,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.6.0-dev,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.6.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 
+8.6.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.6.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.6.0-dev,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.6.0-dev,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.6.0-dev,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.6.0-dev,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.6.0-dev,true,process,process.elf.creation_date,date,extended,,,Build or compile date. +8.6.0-dev,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. +8.6.0-dev,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.6.0-dev,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.6.0-dev,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.6.0-dev,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.6.0-dev,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.6.0-dev,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.6.0-dev,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.6.0-dev,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. +8.6.0-dev,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. 
+8.6.0-dev,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. +8.6.0-dev,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.6.0-dev,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.6.0-dev,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.6.0-dev,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. +8.6.0-dev,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.6.0-dev,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.6.0-dev,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. +8.6.0-dev,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.6.0-dev,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.6.0-dev,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. +8.6.0-dev,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.6.0-dev,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. +8.6.0-dev,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.6.0-dev,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.6.0-dev,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +8.6.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.6.0-dev,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 
+8.6.0-dev,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. +8.6.0-dev,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.6.0-dev,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.6.0-dev,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.6.0-dev,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. +8.6.0-dev,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. +8.6.0-dev,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.6.0-dev,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.6.0-dev,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. +8.6.0-dev,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.6.0-dev,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. +8.6.0-dev,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. +8.6.0-dev,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.6.0-dev,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. +8.6.0-dev,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 
+8.6.0-dev,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. +8.6.0-dev,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.6.0-dev,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.6.0-dev,true,process,process.entry_leader.pid,long,core,,4242,Process id. +8.6.0-dev,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. +8.6.0-dev,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +8.6.0-dev,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. +8.6.0-dev,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
+8.6.0-dev,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.6.0-dev,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +8.6.0-dev,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. +8.6.0-dev,true,process,process.entry_leader.tty.char_device.major,long,extended,,1,The TTY character device's major number. +8.6.0-dev,true,process,process.entry_leader.tty.char_device.minor,long,extended,,128,The TTY character device's minor number. +8.6.0-dev,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.6.0-dev,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.6.0-dev,true,process,process.env_vars,object,extended,,"{""USER"": ""elastic"",""LANG"": ""en_US.UTF-8"",""HOME"": ""/home/elastic""}",Environment variables set at the time of the event. +8.6.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.6.0-dev,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.6.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. 
+8.6.0-dev,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.6.0-dev,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. +8.6.0-dev,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.6.0-dev,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.6.0-dev,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.6.0-dev,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.6.0-dev,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.6.0-dev,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. +8.6.0-dev,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.6.0-dev,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. +8.6.0-dev,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. +8.6.0-dev,true,process,process.group_leader.pid,long,core,,4242,Process id. +8.6.0-dev,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. +8.6.0-dev,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
+8.6.0-dev,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +8.6.0-dev,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. +8.6.0-dev,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.6.0-dev,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +8.6.0-dev,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. +8.6.0-dev,true,process,process.group_leader.tty.char_device.major,long,extended,,1,The TTY character device's major number. +8.6.0-dev,true,process,process.group_leader.tty.char_device.minor,long,extended,,128,The TTY character device's minor number. +8.6.0-dev,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
+8.6.0-dev,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.6.0-dev,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.6.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. +8.6.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. +8.6.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. +8.6.0-dev,true,process,process.hash.sha384,keyword,extended,,,SHA384 hash. +8.6.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. +8.6.0-dev,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.6.0-dev,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. +8.6.0-dev,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.6.0-dev,true,process,process.name,keyword,extended,,ssh,Process name. +8.6.0-dev,true,process,process.name.text,match_only_text,extended,,ssh,Process name. +8.6.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.6.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. +8.6.0-dev,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.6.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.6.0-dev,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 
+8.6.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.6.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.6.0-dev,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.6.0-dev,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.6.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.6.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.6.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.6.0-dev,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.6.0-dev,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.6.0-dev,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.6.0-dev,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.6.0-dev,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. +8.6.0-dev,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. +8.6.0-dev,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.6.0-dev,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. 
+8.6.0-dev,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.6.0-dev,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.6.0-dev,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.6.0-dev,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.6.0-dev,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.6.0-dev,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. +8.6.0-dev,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. +8.6.0-dev,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. +8.6.0-dev,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.6.0-dev,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.6.0-dev,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.6.0-dev,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. +8.6.0-dev,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.6.0-dev,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.6.0-dev,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. +8.6.0-dev,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.6.0-dev,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. 
+8.6.0-dev,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. +8.6.0-dev,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.6.0-dev,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. +8.6.0-dev,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.6.0-dev,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.6.0-dev,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +8.6.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.6.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.6.0-dev,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.6.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. +8.6.0-dev,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev,true,process,process.parent.group.name,keyword,extended,,,Name of the group. +8.6.0-dev,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.6.0-dev,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. +8.6.0-dev,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.6.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. +8.6.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. +8.6.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. 
+8.6.0-dev,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash. +8.6.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. +8.6.0-dev,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.6.0-dev,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. +8.6.0-dev,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.6.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name. +8.6.0-dev,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. +8.6.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.6.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.6.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.6.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.6.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.6.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.6.0-dev,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.6.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.6.0-dev,true,process,process.parent.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. +8.6.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. 
+8.6.0-dev,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. +8.6.0-dev,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group. +8.6.0-dev,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.6.0-dev,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. +8.6.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. +8.6.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. +8.6.0-dev,true,process,process.parent.title,keyword,extended,,,Process title. +8.6.0-dev,true,process,process.parent.title.text,match_only_text,extended,,,Process title. 
+8.6.0-dev,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. +8.6.0-dev,true,process,process.parent.tty.char_device.major,long,extended,,1,The TTY character device's major number. +8.6.0-dev,true,process,process.parent.tty.char_device.minor,long,extended,,128,The TTY character device's minor number. +8.6.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. +8.6.0-dev,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.6.0-dev,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.6.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.6.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.6.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.6.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.6.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.6.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.6.0-dev,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. 
+8.6.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.6.0-dev,true,process,process.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. +8.6.0-dev,true,process,process.pid,long,core,,4242,Process id. +8.6.0-dev,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.6.0-dev,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. +8.6.0-dev,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.6.0-dev,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.6.0-dev,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev,true,process,process.real_group.name,keyword,extended,,,Name of the group. +8.6.0-dev,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev,true,process,process.saved_group.name,keyword,extended,,,Name of the group. +8.6.0-dev,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. 
+8.6.0-dev,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.6.0-dev,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array. +8.6.0-dev,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.6.0-dev,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.6.0-dev,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.6.0-dev,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.6.0-dev,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.6.0-dev,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. +8.6.0-dev,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.6.0-dev,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. +8.6.0-dev,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. +8.6.0-dev,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.6.0-dev,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. 
+8.6.0-dev,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.6.0-dev,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. +8.6.0-dev,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.6.0-dev,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.6.0-dev,true,process,process.session_leader.pid,long,core,,4242,Process id. +8.6.0-dev,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. +8.6.0-dev,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +8.6.0-dev,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group. +8.6.0-dev,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. 
+8.6.0-dev,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.6.0-dev,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +8.6.0-dev,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. +8.6.0-dev,true,process,process.session_leader.tty.char_device.major,long,extended,,1,The TTY character device's major number. +8.6.0-dev,true,process,process.session_leader.tty.char_device.minor,long,extended,,128,The TTY character device's minor number. +8.6.0-dev,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.6.0-dev,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.6.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.6.0-dev,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. +8.6.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. 
+8.6.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. +8.6.0-dev,true,process,process.title,keyword,extended,,,Process title. +8.6.0-dev,true,process,process.title.text,match_only_text,extended,,,Process title. +8.6.0-dev,true,process,process.tty,object,extended,,,Information about the controlling TTY device. +8.6.0-dev,true,process,process.tty.char_device.major,long,extended,,1,The TTY character device's major number. +8.6.0-dev,true,process,process.tty.char_device.minor,long,extended,,128,The TTY character device's minor number. +8.6.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. +8.6.0-dev,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.6.0-dev,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.6.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +8.6.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +8.6.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +8.6.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +8.6.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. 
+8.6.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +8.6.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. +8.6.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. +8.6.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. +8.6.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. +8.6.0-dev,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. +8.6.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author +8.6.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category +8.6.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description +8.6.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID +8.6.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license +8.6.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name +8.6.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL +8.6.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset +8.6.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID +8.6.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version +8.6.0-dev,true,server,server.address,keyword,extended,,,Server network address. +8.6.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.6.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.6.0-dev,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. 
+8.6.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. +8.6.0-dev,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server. +8.6.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name. +8.6.0-dev,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. +8.6.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. +8.6.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.6.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name. +8.6.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.6.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.6.0-dev,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. +8.6.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.6.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. +8.6.0-dev,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.6.0-dev,true,server,server.ip,ip,core,,,IP address of the server. +8.6.0-dev,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. +8.6.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip +8.6.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port +8.6.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. +8.6.0-dev,true,server,server.port,long,core,,,Port of the server. +8.6.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." +8.6.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. 
+8.6.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.6.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.6.0-dev,true,server,server.user.email,keyword,extended,,,User email address. +8.6.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.6.0-dev,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.6.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.6.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group. +8.6.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.6.0-dev,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.6.0-dev,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. +8.6.0-dev,true,service,service.environment,keyword,extended,,production,Environment of the service. +8.6.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +8.6.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. 
+8.6.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. +8.6.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. +8.6.0-dev,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +8.6.0-dev,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +8.6.0-dev,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. +8.6.0-dev,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. +8.6.0-dev,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +8.6.0-dev,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +8.6.0-dev,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. +8.6.0-dev,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. +8.6.0-dev,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +8.6.0-dev,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +8.6.0-dev,true,service,service.origin.state,keyword,core,,,Current state of the service. +8.6.0-dev,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. +8.6.0-dev,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. +8.6.0-dev,true,service,service.state,keyword,core,,,Current state of the service. +8.6.0-dev,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service. +8.6.0-dev,true,service,service.target.environment,keyword,extended,,production,Environment of the service. 
+8.6.0-dev,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +8.6.0-dev,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +8.6.0-dev,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. +8.6.0-dev,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. +8.6.0-dev,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +8.6.0-dev,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +8.6.0-dev,true,service,service.target.state,keyword,core,,,Current state of the service. +8.6.0-dev,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. +8.6.0-dev,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. +8.6.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service. +8.6.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service. +8.6.0-dev,true,source,source.address,keyword,extended,,,Source network address. +8.6.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.6.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.6.0-dev,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.6.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. +8.6.0-dev,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source. +8.6.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name. +8.6.0-dev,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. 
+8.6.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. +8.6.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.6.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name. +8.6.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.6.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.6.0-dev,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. +8.6.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.6.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. +8.6.0-dev,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.6.0-dev,true,source,source.ip,ip,core,,,IP address of the source. +8.6.0-dev,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +8.6.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip +8.6.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port +8.6.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. +8.6.0-dev,true,source,source.port,long,core,,,Port of the source. +8.6.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +8.6.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. +8.6.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.6.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.6.0-dev,true,source,source.user.email,keyword,extended,,,User email address. +8.6.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
+8.6.0-dev,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.6.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.6.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group. +8.6.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.6.0-dev,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.6.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. +8.6.0-dev,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. +8.6.0-dev,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. +8.6.0-dev,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.6.0-dev,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.6.0-dev,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. 
+8.6.0-dev,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating +8.6.0-dev,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +8.6.0-dev,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +8.6.0-dev,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.6.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 
+8.6.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. 
+8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. 
+8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +8.6.0-dev,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. 
+8.6.0-dev,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +8.6.0-dev,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +8.6.0-dev,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.6.0-dev,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.6.0-dev,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.6.0-dev,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.6.0-dev,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
+8.6.0-dev,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.6.0-dev,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +8.6.0-dev,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
+8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.6.0-dev,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. 
+8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. +8.6.0-dev,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +8.6.0-dev,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. +8.6.0-dev,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. +8.6.0-dev,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. 
+8.6.0-dev,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.6.0-dev,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. +8.6.0-dev,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.6.0-dev,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.6.0-dev,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. +8.6.0-dev,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.6.0-dev,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. +8.6.0-dev,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.6.0-dev,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +8.6.0-dev,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +8.6.0-dev,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,WHITE,Indicator TLP marking +8.6.0-dev,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. +8.6.0-dev,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port +8.6.0-dev,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +8.6.0-dev,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +8.6.0-dev,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. 
+8.6.0-dev,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +8.6.0-dev,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +8.6.0-dev,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +8.6.0-dev,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +8.6.0-dev,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +8.6.0-dev,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. +8.6.0-dev,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics +8.6.0-dev,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed +8.6.0-dev,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +8.6.0-dev,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +8.6.0-dev,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +8.6.0-dev,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +8.6.0-dev,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. 
+8.6.0-dev,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.6.0-dev,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.6.0-dev,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.6.0-dev,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. +8.6.0-dev,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +8.6.0-dev,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." +8.6.0-dev,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. +8.6.0-dev,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +8.6.0-dev,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +8.6.0-dev,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +8.6.0-dev,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.6.0-dev,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. +8.6.0-dev,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
+8.6.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.6.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.6.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.6.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.6.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.6.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.6.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.6.0-dev,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.6.0-dev,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.6.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.6.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. 
+8.6.0-dev,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.6.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.6.0-dev,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.6.0-dev,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.6.0-dev,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.6.0-dev,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.6.0-dev,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.6.0-dev,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.6.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.6.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.6.0-dev,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.6.0-dev,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. 
+8.6.0-dev,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value +8.6.0-dev,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field +8.6.0-dev,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier +8.6.0-dev,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index +8.6.0-dev,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05T17:00:58.326Z,Date of match +8.6.0-dev,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match +8.6.0-dev,true,threat,threat.feed.dashboard_id,keyword,extended,,5ba16340-72e6-11eb-a3e3-b3cc7c78a70f,Feed dashboard ID. +8.6.0-dev,true,threat,threat.feed.description,keyword,extended,,Threat feed from the AlienVault Open Threat eXchange network.,Description of the threat feed. +8.6.0-dev,true,threat,threat.feed.name,keyword,extended,,AlienVault OTX,Name of the threat feed. +8.6.0-dev,true,threat,threat.feed.reference,keyword,extended,,https://otx.alienvault.com,Reference for the threat feed. +8.6.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. +8.6.0-dev,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. +8.6.0-dev,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. +8.6.0-dev,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. +8.6.0-dev,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. +8.6.0-dev,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.6.0-dev,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. 
+8.6.0-dev,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.6.0-dev,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating +8.6.0-dev,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +8.6.0-dev,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +8.6.0-dev,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. +8.6.0-dev,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +8.6.0-dev,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.6.0-dev,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.6.0-dev,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.6.0-dev,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.6.0-dev,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.6.0-dev,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.6.0-dev,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.6.0-dev,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 
+8.6.0-dev,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.6.0-dev,true,threat,threat.indicator.file.created,date,extended,,,File creation time. +8.6.0-dev,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +8.6.0-dev,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +8.6.0-dev,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +8.6.0-dev,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +8.6.0-dev,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.6.0-dev,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.6.0-dev,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.6.0-dev,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +8.6.0-dev,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +8.6.0-dev,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.6.0-dev,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.6.0-dev,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.6.0-dev,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.6.0-dev,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." 
+8.6.0-dev,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.6.0-dev,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.6.0-dev,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +8.6.0-dev,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +8.6.0-dev,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +8.6.0-dev,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.6.0-dev,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.6.0-dev,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.6.0-dev,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +8.6.0-dev,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.6.0-dev,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.6.0-dev,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.6.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.6.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.6.0-dev,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. +8.6.0-dev,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.6.0-dev,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. 
+8.6.0-dev,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.6.0-dev,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.6.0-dev,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +8.6.0-dev,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +8.6.0-dev,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +8.6.0-dev,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +8.6.0-dev,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. +8.6.0-dev,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. +8.6.0-dev,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. +8.6.0-dev,true,threat,threat.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. +8.6.0-dev,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. +8.6.0-dev,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.6.0-dev,true,threat,threat.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. +8.6.0-dev,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +8.6.0-dev,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +8.6.0-dev,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +8.6.0-dev,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. +8.6.0-dev,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." 
+8.6.0-dev,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. +8.6.0-dev,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.6.0-dev,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.6.0-dev,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.6.0-dev,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.6.0-dev,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.6.0-dev,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.6.0-dev,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.6.0-dev,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.6.0-dev,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.6.0-dev,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.6.0-dev,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. +8.6.0-dev,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +8.6.0-dev,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. +8.6.0-dev,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." 
+8.6.0-dev,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +8.6.0-dev,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.6.0-dev,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.6.0-dev,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.6.0-dev,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.6.0-dev,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.6.0-dev,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.6.0-dev,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.6.0-dev,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.6.0-dev,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.6.0-dev,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.6.0-dev,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. 
+8.6.0-dev,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.6.0-dev,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.6.0-dev,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.6.0-dev,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.6.0-dev,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.6.0-dev,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.6.0-dev,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.6.0-dev,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.6.0-dev,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.6.0-dev,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.6.0-dev,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.6.0-dev,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.6.0-dev,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. 
+8.6.0-dev,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +8.6.0-dev,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. +8.6.0-dev,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. +8.6.0-dev,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +8.6.0-dev,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.6.0-dev,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. +8.6.0-dev,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.6.0-dev,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.6.0-dev,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. +8.6.0-dev,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.6.0-dev,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. +8.6.0-dev,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.6.0-dev,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +8.6.0-dev,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +8.6.0-dev,true,threat,threat.indicator.marking.tlp,keyword,extended,,WHITE,Indicator TLP marking +8.6.0-dev,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. 
+8.6.0-dev,true,threat,threat.indicator.port,long,extended,,443,Indicator port +8.6.0-dev,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +8.6.0-dev,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +8.6.0-dev,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +8.6.0-dev,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +8.6.0-dev,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +8.6.0-dev,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +8.6.0-dev,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +8.6.0-dev,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +8.6.0-dev,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. +8.6.0-dev,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics +8.6.0-dev,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed +8.6.0-dev,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +8.6.0-dev,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +8.6.0-dev,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." 
+8.6.0-dev,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +8.6.0-dev,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.6.0-dev,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.6.0-dev,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.6.0-dev,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.6.0-dev,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. +8.6.0-dev,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +8.6.0-dev,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." +8.6.0-dev,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. +8.6.0-dev,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +8.6.0-dev,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +8.6.0-dev,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +8.6.0-dev,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.6.0-dev,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. +8.6.0-dev,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
+8.6.0-dev,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.6.0-dev,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.6.0-dev,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.6.0-dev,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.6.0-dev,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.6.0-dev,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.6.0-dev,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.6.0-dev,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.6.0-dev,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.6.0-dev,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.6.0-dev,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.6.0-dev,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. 
+8.6.0-dev,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.6.0-dev,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.6.0-dev,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.6.0-dev,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.6.0-dev,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.6.0-dev,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.6.0-dev,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.6.0-dev,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.6.0-dev,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.6.0-dev,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.6.0-dev,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. +8.6.0-dev,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software +8.6.0-dev,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software +8.6.0-dev,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. +8.6.0-dev,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. 
+8.6.0-dev,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. +8.6.0-dev,true,threat,threat.software.type,keyword,extended,,Tool,Software type. +8.6.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. +8.6.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. +8.6.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. +8.6.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. +8.6.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. +8.6.0-dev,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name. +8.6.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. +8.6.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. +8.6.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. +8.6.0-dev,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name. +8.6.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. +8.6.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. +8.6.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. 
+8.6.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. +8.6.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. +8.6.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. +8.6.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. +8.6.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. +8.6.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. +8.6.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. +8.6.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. +8.6.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. +8.6.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. 
+8.6.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. +8.6.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.6.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.6.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.6.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.6.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.6.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.6.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.6.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.6.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.6.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.6.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.6.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. 
This is algorithm specific. +8.6.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.6.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.6.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.6.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.6.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.6.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.6.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.6.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.6.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.6.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.6.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.6.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. +8.6.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." +8.6.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. 
+8.6.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. +8.6.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +8.6.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. +8.6.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. +8.6.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. +8.6.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. +8.6.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. +8.6.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. +8.6.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. +8.6.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. +8.6.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. 
+8.6.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. +8.6.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.6.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.6.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.6.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.6.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.6.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.6.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.6.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.6.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.6.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.6.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.6.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. 
+8.6.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.6.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.6.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.6.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.6.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.6.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.6.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.6.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.6.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.6.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.6.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.6.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. +8.6.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. +8.6.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. +8.6.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. 
+8.6.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. +8.6.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. +8.6.0-dev,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +8.6.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. +8.6.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.6.0-dev,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.6.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.6.0-dev,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.6.0-dev,true,url,url.password,keyword,extended,,,Password of the request. +8.6.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +8.6.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443." +8.6.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. +8.6.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +8.6.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. +8.6.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. +8.6.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.6.0-dev,true,url,url.username,keyword,extended,,,Username of the request. 
+8.6.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. +8.6.0-dev,true,user,user.changes.email,keyword,extended,,,User email address. +8.6.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.6.0-dev,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.6.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.6.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group. +8.6.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.6.0-dev,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.6.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.6.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. +8.6.0-dev,true,user,user.effective.email,keyword,extended,,,User email address. +8.6.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.6.0-dev,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
+8.6.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.6.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group. +8.6.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.6.0-dev,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.6.0-dev,true,user,user.email,keyword,extended,,,User email address. +8.6.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.6.0-dev,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.6.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.6.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group. +8.6.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.6.0-dev,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
+8.6.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.6.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. +8.6.0-dev,true,user,user.target.email,keyword,extended,,,User email address. +8.6.0-dev,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.6.0-dev,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.6.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.6.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.6.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group. +8.6.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.6.0-dev,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.6.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. +8.6.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. +8.6.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. 
+8.6.0-dev,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +8.6.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +8.6.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.6.0-dev,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.6.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +8.6.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +8.6.0-dev,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +8.6.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +8.6.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." +8.6.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +8.6.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. +8.6.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. +8.6.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. +8.6.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. 
+8.6.0-dev,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +8.6.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. +8.6.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. +8.6.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. +8.6.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. +8.6.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. +8.6.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. +8.6.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. +8.6.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. +8.6.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. +8.6.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. diff --git a/generated/elasticsearch/composable/component/agent.json b/generated/elasticsearch/composable/component/agent.json index bd1ff8d4f0..178c86ccf0 100644 --- a/generated/elasticsearch/composable/component/agent.json +++ b/generated/elasticsearch/composable/component/agent.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/base.json b/generated/elasticsearch/composable/component/base.json index 27db71f63c..217f14a5f9 100644 
--- a/generated/elasticsearch/composable/component/base.json +++ b/generated/elasticsearch/composable/component/base.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/client.json b/generated/elasticsearch/composable/component/client.json index 2d07a5ccc7..a2b0135e7d 100644 --- a/generated/elasticsearch/composable/component/client.json +++ b/generated/elasticsearch/composable/component/client.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/cloud.json b/generated/elasticsearch/composable/component/cloud.json index 8619ef58b8..5edc8884b8 100644 --- a/generated/elasticsearch/composable/component/cloud.json +++ b/generated/elasticsearch/composable/component/cloud.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cloud.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/container.json b/generated/elasticsearch/composable/component/container.json index d50b1f7220..6f683ae86b 100644 --- a/generated/elasticsearch/composable/component/container.json +++ b/generated/elasticsearch/composable/component/container.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-container.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/data_stream.json b/generated/elasticsearch/composable/component/data_stream.json index c881bedf18..96754802b5 100644 
--- a/generated/elasticsearch/composable/component/data_stream.json +++ b/generated/elasticsearch/composable/component/data_stream.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-data_stream.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/destination.json b/generated/elasticsearch/composable/component/destination.json index 9dd5e15470..1e7b28beef 100644 --- a/generated/elasticsearch/composable/component/destination.json +++ b/generated/elasticsearch/composable/component/destination.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/dll.json b/generated/elasticsearch/composable/component/dll.json index c6ed68dc7e..188a977f16 100644 --- a/generated/elasticsearch/composable/component/dll.json +++ b/generated/elasticsearch/composable/component/dll.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dll.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/dns.json b/generated/elasticsearch/composable/component/dns.json index 563a917cf5..71d87c97c1 100644 --- a/generated/elasticsearch/composable/component/dns.json +++ b/generated/elasticsearch/composable/component/dns.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/ecs.json b/generated/elasticsearch/composable/component/ecs.json index 617de17d89..a2b61e3371 100644 
--- a/generated/elasticsearch/composable/component/ecs.json +++ b/generated/elasticsearch/composable/component/ecs.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/email.json b/generated/elasticsearch/composable/component/email.json index 938ecfeb3b..b5911e6d2f 100644 --- a/generated/elasticsearch/composable/component/email.json +++ b/generated/elasticsearch/composable/component/email.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-email.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/error.json b/generated/elasticsearch/composable/component/error.json index e012ad8644..ced0d25e29 100644 --- a/generated/elasticsearch/composable/component/error.json +++ b/generated/elasticsearch/composable/component/error.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-error.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/event.json b/generated/elasticsearch/composable/component/event.json index d57862852a..607d4cdd08 100644 --- a/generated/elasticsearch/composable/component/event.json +++ b/generated/elasticsearch/composable/component/event.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/faas.json b/generated/elasticsearch/composable/component/faas.json index 010dd907f4..d83f41aa59 100644 --- a/generated/elasticsearch/composable/component/faas.json 
+++ b/generated/elasticsearch/composable/component/faas.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-faas.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/file.json b/generated/elasticsearch/composable/component/file.json index c7c79e5576..4fda935b5d 100644 --- a/generated/elasticsearch/composable/component/file.json +++ b/generated/elasticsearch/composable/component/file.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/group.json b/generated/elasticsearch/composable/component/group.json index ff9ec17033..2b2859ab95 100644 --- a/generated/elasticsearch/composable/component/group.json +++ b/generated/elasticsearch/composable/component/group.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-group.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/host.json b/generated/elasticsearch/composable/component/host.json index 285fcad745..2c5cd8746d 100644 --- a/generated/elasticsearch/composable/component/host.json +++ b/generated/elasticsearch/composable/component/host.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/http.json b/generated/elasticsearch/composable/component/http.json index a4b349b2f3..fcebba0bd2 100644 --- a/generated/elasticsearch/composable/component/http.json +++ b/generated/elasticsearch/composable/component/http.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/log.json b/generated/elasticsearch/composable/component/log.json index 0842b3a2c2..64396b3e24 100644 --- a/generated/elasticsearch/composable/component/log.json +++ b/generated/elasticsearch/composable/component/log.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/network.json b/generated/elasticsearch/composable/component/network.json index 3be45d0a01..e639c6486e 100644 --- a/generated/elasticsearch/composable/component/network.json +++ b/generated/elasticsearch/composable/component/network.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/observer.json b/generated/elasticsearch/composable/component/observer.json index 1b0f9af459..4e470e13a2 100644 --- a/generated/elasticsearch/composable/component/observer.json +++ b/generated/elasticsearch/composable/component/observer.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/orchestrator.json b/generated/elasticsearch/composable/component/orchestrator.json index d748750ad6..b1fd0a2259 100644 --- a/generated/elasticsearch/composable/component/orchestrator.json +++ b/generated/elasticsearch/composable/component/orchestrator.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-orchestrator.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/organization.json b/generated/elasticsearch/composable/component/organization.json index ad51c86ecf..7ea9554e9f 100644 --- a/generated/elasticsearch/composable/component/organization.json +++ b/generated/elasticsearch/composable/component/organization.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-organization.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/package.json b/generated/elasticsearch/composable/component/package.json index 603733f2a0..7516d09e37 100644 --- a/generated/elasticsearch/composable/component/package.json +++ b/generated/elasticsearch/composable/component/package.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-package.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/process.json b/generated/elasticsearch/composable/component/process.json index b20dc8d2f9..2562eec8c4 100644 --- a/generated/elasticsearch/composable/component/process.json +++ b/generated/elasticsearch/composable/component/process.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/registry.json b/generated/elasticsearch/composable/component/registry.json index d223881781..c6f683a98e 100644 --- a/generated/elasticsearch/composable/component/registry.json 
+++ b/generated/elasticsearch/composable/component/registry.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-registry.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/related.json b/generated/elasticsearch/composable/component/related.json index 694ea1b682..2c06b52bff 100644 --- a/generated/elasticsearch/composable/component/related.json +++ b/generated/elasticsearch/composable/component/related.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-related.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/rule.json b/generated/elasticsearch/composable/component/rule.json index 84d710f5ea..a571ec781f 100644 --- a/generated/elasticsearch/composable/component/rule.json +++ b/generated/elasticsearch/composable/component/rule.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/server.json b/generated/elasticsearch/composable/component/server.json index 5e109af667..414356f855 100644 --- a/generated/elasticsearch/composable/component/server.json +++ b/generated/elasticsearch/composable/component/server.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/service.json b/generated/elasticsearch/composable/component/service.json index d225f6a1f0..0994a58fdf 100644 --- a/generated/elasticsearch/composable/component/service.json 
+++ b/generated/elasticsearch/composable/component/service.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/source.json b/generated/elasticsearch/composable/component/source.json index 7976a325f6..3230d465c8 100644 --- a/generated/elasticsearch/composable/component/source.json +++ b/generated/elasticsearch/composable/component/source.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/threat.json b/generated/elasticsearch/composable/component/threat.json index 991e6a0c59..5ca09a4814 100644 --- a/generated/elasticsearch/composable/component/threat.json +++ b/generated/elasticsearch/composable/component/threat.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-threat.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/tls.json b/generated/elasticsearch/composable/component/tls.json index d80e1ffcc4..f01db87257 100644 --- a/generated/elasticsearch/composable/component/tls.json +++ b/generated/elasticsearch/composable/component/tls.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tls.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/tracing.json b/generated/elasticsearch/composable/component/tracing.json index 17a8ae9701..e8a85a6e49 100644 --- a/generated/elasticsearch/composable/component/tracing.json 
+++ b/generated/elasticsearch/composable/component/tracing.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tracing.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/url.json b/generated/elasticsearch/composable/component/url.json index 19f0219a8a..7484328402 100644 --- a/generated/elasticsearch/composable/component/url.json +++ b/generated/elasticsearch/composable/component/url.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/user.json b/generated/elasticsearch/composable/component/user.json index 94684a08d2..82116d6a69 100644 --- a/generated/elasticsearch/composable/component/user.json +++ b/generated/elasticsearch/composable/component/user.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/user_agent.json b/generated/elasticsearch/composable/component/user_agent.json index 1484e8fdac..1be45b6bc5 100644 --- a/generated/elasticsearch/composable/component/user_agent.json +++ b/generated/elasticsearch/composable/component/user_agent.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/vulnerability.json b/generated/elasticsearch/composable/component/vulnerability.json index ed1a6633a5..13d1336973 100644 --- a/generated/elasticsearch/composable/component/vulnerability.json 
+++ b/generated/elasticsearch/composable/component/vulnerability.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/template.json b/generated/elasticsearch/composable/template.json index c7ec7c961c..f776e950e7 100644 --- a/generated/elasticsearch/composable/template.json +++ b/generated/elasticsearch/composable/template.json 
@@ -1,47 +1,47 @@ { "_meta": { "description": "Sample composable template that includes all ECS fields", - "ecs_version": "8.5.0-dev" + "ecs_version": "8.6.0-dev" }, "composed_of": [ - "ecs_8.5.0-dev_base", - "ecs_8.5.0-dev_agent", - "ecs_8.5.0-dev_client", - "ecs_8.5.0-dev_cloud", - "ecs_8.5.0-dev_container", - "ecs_8.5.0-dev_data_stream", - "ecs_8.5.0-dev_destination", - "ecs_8.5.0-dev_dll", - "ecs_8.5.0-dev_dns", - "ecs_8.5.0-dev_ecs", - "ecs_8.5.0-dev_email", - "ecs_8.5.0-dev_error", - "ecs_8.5.0-dev_event", - "ecs_8.5.0-dev_faas", - "ecs_8.5.0-dev_file", - "ecs_8.5.0-dev_group", - "ecs_8.5.0-dev_host", - "ecs_8.5.0-dev_http", - "ecs_8.5.0-dev_log", - "ecs_8.5.0-dev_network", - "ecs_8.5.0-dev_observer", - "ecs_8.5.0-dev_orchestrator", - "ecs_8.5.0-dev_organization", - "ecs_8.5.0-dev_package", - "ecs_8.5.0-dev_process", - "ecs_8.5.0-dev_registry", - "ecs_8.5.0-dev_related", - "ecs_8.5.0-dev_rule", - "ecs_8.5.0-dev_server", - "ecs_8.5.0-dev_service", - "ecs_8.5.0-dev_source", - "ecs_8.5.0-dev_threat", - "ecs_8.5.0-dev_tls", - "ecs_8.5.0-dev_tracing", - "ecs_8.5.0-dev_url", - "ecs_8.5.0-dev_user_agent", - "ecs_8.5.0-dev_user", - "ecs_8.5.0-dev_vulnerability" + "ecs_8.6.0-dev_base", + "ecs_8.6.0-dev_agent", + "ecs_8.6.0-dev_client", + "ecs_8.6.0-dev_cloud", + "ecs_8.6.0-dev_container", + "ecs_8.6.0-dev_data_stream", + "ecs_8.6.0-dev_destination", + "ecs_8.6.0-dev_dll", + "ecs_8.6.0-dev_dns", + "ecs_8.6.0-dev_ecs", + "ecs_8.6.0-dev_email", + "ecs_8.6.0-dev_error", + "ecs_8.6.0-dev_event", + "ecs_8.6.0-dev_faas", + "ecs_8.6.0-dev_file", + "ecs_8.6.0-dev_group", + "ecs_8.6.0-dev_host", + "ecs_8.6.0-dev_http", + "ecs_8.6.0-dev_log", + "ecs_8.6.0-dev_network", + "ecs_8.6.0-dev_observer", + "ecs_8.6.0-dev_orchestrator", + "ecs_8.6.0-dev_organization", + "ecs_8.6.0-dev_package", + "ecs_8.6.0-dev_process", + "ecs_8.6.0-dev_registry", + "ecs_8.6.0-dev_related", + "ecs_8.6.0-dev_rule", + "ecs_8.6.0-dev_server", + "ecs_8.6.0-dev_service", + "ecs_8.6.0-dev_source", + 
"ecs_8.6.0-dev_threat", + "ecs_8.6.0-dev_tls", + "ecs_8.6.0-dev_tracing", + "ecs_8.6.0-dev_url", + "ecs_8.6.0-dev_user_agent", + "ecs_8.6.0-dev_user", + "ecs_8.6.0-dev_vulnerability" ], "index_patterns": [ "try-ecs-*" diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index 3a7641f171..32cd305c61 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -4,7 +4,7 @@ ], "mappings": { "_meta": { - "version": "8.5.0-dev" + "version": "8.6.0-dev" }, "date_detection": false, "dynamic_templates": [ diff --git a/version b/version index bd9f745f90..6602f0e9bc 100644 --- a/version +++ b/version @@ -1 +1 @@ -8.5.0-dev +8.6.0-dev From bf11ece676f77ead81350bc1601cbe5e440a1b5d Mon Sep 17 00:00:00 2001 From: Alexander Wert Date: Wed, 27 Jul 2022 11:57:38 +0200 Subject: [PATCH 019/186] Added `ios` and `android` as valid values for `os.type` (#1999) * Added ios and android as valid values for os.type * Generated files based on os.type change --- docs/fields/field-details.asciidoc | 2 ++ experimental/generated/csv/fields.csv | 6 +++--- experimental/generated/ecs/ecs_flat.yml | 15 ++++++++++++--- experimental/generated/ecs/ecs_nested.yml | 20 ++++++++++++++++---- generated/csv/fields.csv | 6 +++--- generated/ecs/ecs_flat.yml | 15 ++++++++++++--- generated/ecs/ecs_nested.yml | 20 ++++++++++++++++---- schemas/os.yml | 4 +++- 8 files changed, 67 insertions(+), 21 deletions(-) diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index 7e03edec56..49738c4993 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -6682,6 +6682,8 @@ Expected values for this field: * `macos` * `unix` * `windows` +* `ios` +* `android` type: keyword diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index c65261c124..4d6caf921d 100644 --- a/experimental/generated/csv/fields.csv 
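Review bot: please confirm the bump from 8.5.0-dev to 8.6.0-dev above was produced by regenerating the tree rather than by hand, since every visible hunk is in `generated/` plus the one-line `version` file: the `composed_of` names in `composable/template.json` (`ecs_8.6.0-dev_base` through `ecs_8.6.0-dev_vulnerability`) must match the `_meta.ecs_version` in each component file exactly or the composed template will reference component templates that do not exist, and a `grep` for `8.5.0-dev` under `generated/` should come back empty. One pre-existing inconsistency worth a follow-up rather than this patch: `legacy/template.json` records the version as `_meta.version` while the composable templates use `_meta.ecs_version`, so anything that checks which ECS version an installed template was built from has to know both keys.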
+++ b/experimental/generated/csv/fields.csv @@ -390,7 +390,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev+exp,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." 8.6.0-dev+exp,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." 8.6.0-dev+exp,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.6.0-dev+exp,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." +8.6.0-dev+exp,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." 8.6.0-dev+exp,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 8.6.0-dev+exp,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode 8.6.0-dev+exp,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
@@ -486,7 +486,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev+exp,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." 8.6.0-dev+exp,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." 8.6.0-dev+exp,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.6.0-dev+exp,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." +8.6.0-dev+exp,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." 8.6.0-dev+exp,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 8.6.0-dev+exp,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. 8.6.0-dev+exp,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. 
@@ -1532,7 +1532,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev+exp,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." 8.6.0-dev+exp,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." 8.6.0-dev+exp,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.6.0-dev+exp,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." +8.6.0-dev+exp,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." 8.6.0-dev+exp,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 8.6.0-dev+exp,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. 8.6.0-dev+exp,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index db568fea1a..f239d49f82 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -5214,13 +5214,16 @@ host.os.type: - macos - unix - windows + - ios + - android flat_name: host.os.type ignore_above: 1024 level: extended name: type normalize: [] original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or + android).' type: keyword host.os.version: dashed_name: host-os-version 
@@ -6453,13 +6456,16 @@ observer.os.type: - macos - unix - windows + - ios + - android flat_name: observer.os.type ignore_above: 1024 level: extended name: type normalize: [] original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or + android).' type: keyword observer.os.version: dashed_name: observer-os-version @@ -19334,13 +19340,16 @@ user_agent.os.type: - macos - unix - windows + - ios + - android flat_name: user_agent.os.type ignore_above: 1024 level: extended name: type normalize: [] original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or + android).' type: keyword user_agent.os.version: dashed_name: user-agent-os-version diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index f26fd038ca..9dafdd1782 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -6483,13 +6483,16 @@ host: - macos - unix - windows + - ios + - android flat_name: host.os.type ignore_above: 1024 level: extended name: type normalize: [] original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios + or android).' type: keyword host.os.version: dashed_name: host-os-version @@ -7844,13 +7847,16 @@ observer: - macos - unix - windows + - ios + - android flat_name: observer.os.type ignore_above: 1024 level: extended name: type normalize: [] original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios + or android).' type: keyword observer.os.version: dashed_name: observer-os-version 
@@ -8222,12 +8228,15 @@ os: - macos - unix - windows + - ios + - android flat_name: os.type ignore_above: 1024 level: extended name: type normalize: [] - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios + or android).' type: keyword os.version: dashed_name: os-version @@ -21729,13 +21738,16 @@ user_agent: - macos - unix - windows + - ios + - android flat_name: user_agent.os.type ignore_above: 1024 level: extended name: type normalize: [] original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios + or android).' type: keyword user_agent.os.version: dashed_name: user-agent-os-version diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 90474e7f4c..60cbbdedd9 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -383,7 +383,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." 8.6.0-dev,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." 8.6.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.6.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." +8.6.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." 8.6.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 8.6.0-dev,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode 8.6.0-dev,true,host,host.type,keyword,core,,,Type of host. 
@@ -473,7 +473,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." 8.6.0-dev,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." 8.6.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.6.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." +8.6.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." 8.6.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 8.6.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. 8.6.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. 
@@ -1495,7 +1495,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." 8.6.0-dev,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." 8.6.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.6.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." +8.6.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." 8.6.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 8.6.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. 8.6.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index d01a605fab..987dacf34e 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -5145,13 +5145,16 @@ host.os.type: - macos - unix - windows + - ios + - android flat_name: host.os.type ignore_above: 1024 level: extended name: type normalize: [] original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or + android).' type: keyword host.os.version: dashed_name: host-os-version 
@@ -6301,13 +6304,16 @@ observer.os.type: - macos - unix - windows + - ios + - android flat_name: observer.os.type ignore_above: 1024 level: extended name: type normalize: [] original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or + android).' type: keyword observer.os.version: dashed_name: observer-os-version @@ -18850,13 +18856,16 @@ user_agent.os.type: - macos - unix - windows + - ios + - android flat_name: user_agent.os.type ignore_above: 1024 level: extended name: type normalize: [] original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or + android).' type: keyword user_agent.os.version: dashed_name: user-agent-os-version diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index df3b90e117..b312004b71 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -6403,13 +6403,16 @@ host: - macos - unix - windows + - ios + - android flat_name: host.os.type ignore_above: 1024 level: extended name: type normalize: [] original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios + or android).' type: keyword host.os.version: dashed_name: host-os-version @@ -7676,13 +7679,16 @@ observer: - macos - unix - windows + - ios + - android flat_name: observer.os.type ignore_above: 1024 level: extended name: type normalize: [] original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios + or android).' type: keyword observer.os.version: dashed_name: observer-os-version 
@@ -8054,12 +8060,15 @@ os: - macos - unix - windows + - ios + - android flat_name: os.type ignore_above: 1024 level: extended name: type normalize: [] - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios + or android).' type: keyword os.version: dashed_name: os-version @@ -21125,13 +21134,16 @@ user_agent: - macos - unix - windows + - ios + - android flat_name: user_agent.os.type ignore_above: 1024 level: extended name: type normalize: [] original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios + or android).' type: keyword user_agent.os.version: dashed_name: user-agent-os-version diff --git a/schemas/os.yml b/schemas/os.yml index 3a8be5933b..de3d51bb1e 100644 --- a/schemas/os.yml +++ b/schemas/os.yml @@ -33,7 +33,7 @@ - name: type level: extended type: keyword - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or android).' description: > Use the `os.type` field to categorize the operating system into one of the broad commercial families. @@ -45,6 +45,8 @@ - macos - unix - windows + - ios + - android example: macos - name: platform From 2d42faa3e8818fc79d8774aea2c52ed5334a30c1 Mon Sep 17 00:00:00 2001 From: Kylie Geller Date: Thu, 28 Jul 2022 12:46:47 -0400 Subject: [PATCH 020/186] Fixing risk short fields (#2010) --- CHANGELOG.next.md | 2 +- experimental/generated/csv/fields.csv | 20 +++++----- experimental/generated/ecs/ecs_flat.yml | 35 +++++------------ experimental/generated/ecs/ecs_nested.yml | 48 ++++++----------------- experimental/schemas/risk.yml | 2 + 5 files changed, 35 insertions(+), 72 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index a202bcadb9..45ab024e61 100644 --- a/CHANGELOG.next.md 
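Review bot: the diffstat for the `os.type` patch above lists no `CHANGELOG.next.md` change, while the other schema patches in this series do add an entry; please add one under `#### Added` referencing `#1999` so the release notes pick it up. The `description` in `schemas/os.yml` ("categorize the operating system into one of the broad commercial families") is left untouched, so nothing says how the two new values relate to the existing ones: Android is Linux-based and iOS is derived from the same Darwin lineage as macOS, so one producer can keep emitting `linux` or `macos` for those devices while another emits `android` or `ios`. Because `os.type` is the field detection rules pivot on (for example `host.os.type: linux`), a sentence stating that the most specific applicable value should be used would keep producers consistent and stop rules from silently missing mobile endpoints. Minor style point: the `short` now enumerates all six values, duplicating `expected_values`, and will grow with every addition; a short such as "Which commercial OS family the system belongs to." with `expected_values` carrying the list would be easier to maintain.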
+++ b/CHANGELOG.next.md @@ -42,7 +42,7 @@ Thanks, you're awesome :-) --> #### Added -* Adding `risk.*` fields as experimental. #1994 +* Adding `risk.*` fields as experimental. #1994, #2010 #### Improvements diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 4d6caf921d..693a6b9c36 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -395,10 +395,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev+exp,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode 8.6.0-dev+exp,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 8.6.0-dev+exp,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev+exp,true,host,host.risk.calculated_score_norm,float,extended,,88.73,"A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100." +8.6.0-dev+exp,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 8.6.0-dev+exp,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 8.6.0-dev+exp,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev+exp,true,host,host.risk.static_score_norm,float,extended,,83.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100." +8.6.0-dev+exp,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 8.6.0-dev+exp,true,host,host.type,keyword,core,,,Type of host. 8.6.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. 8.6.0-dev+exp,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. 
@@ -1462,10 +1462,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev+exp,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 8.6.0-dev+exp,true,user,user.changes.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 8.6.0-dev+exp,true,user,user.changes.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev+exp,true,user,user.changes.risk.calculated_score_norm,float,extended,,88.73,"A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100." +8.6.0-dev+exp,true,user,user.changes.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 8.6.0-dev+exp,true,user,user.changes.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 8.6.0-dev+exp,true,user,user.changes.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev+exp,true,user,user.changes.risk.static_score_norm,float,extended,,83.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100." +8.6.0-dev+exp,true,user,user.changes.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 8.6.0-dev+exp,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 
8.6.0-dev+exp,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. 8.6.0-dev+exp,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. 
@@ -1481,10 +1481,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev+exp,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 8.6.0-dev+exp,true,user,user.effective.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 8.6.0-dev+exp,true,user,user.effective.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev+exp,true,user,user.effective.risk.calculated_score_norm,float,extended,,88.73,"A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100." +8.6.0-dev+exp,true,user,user.effective.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 8.6.0-dev+exp,true,user,user.effective.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 8.6.0-dev+exp,true,user,user.effective.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev+exp,true,user,user.effective.risk.static_score_norm,float,extended,,83.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100." +8.6.0-dev+exp,true,user,user.effective.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 8.6.0-dev+exp,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 
8.6.0-dev+exp,true,user,user.email,keyword,extended,,,User email address. 8.6.0-dev+exp,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
@@ -1498,10 +1498,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev+exp,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 8.6.0-dev+exp,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 8.6.0-dev+exp,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev+exp,true,user,user.risk.calculated_score_norm,float,extended,,88.73,"A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100." +8.6.0-dev+exp,true,user,user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 8.6.0-dev+exp,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 8.6.0-dev+exp,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev+exp,true,user,user.risk.static_score_norm,float,extended,,83.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100." +8.6.0-dev+exp,true,user,user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 8.6.0-dev+exp,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 8.6.0-dev+exp,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. 
8.6.0-dev+exp,true,user,user.target.email,keyword,extended,,,User email address. 
@@ -1516,10 +1516,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev+exp,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 8.6.0-dev+exp,true,user,user.target.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 8.6.0-dev+exp,true,user,user.target.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev+exp,true,user,user.target.risk.calculated_score_norm,float,extended,,88.73,"A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100." +8.6.0-dev+exp,true,user,user.target.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 8.6.0-dev+exp,true,user,user.target.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 8.6.0-dev+exp,true,user,user.target.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev+exp,true,user,user.target.risk.static_score_norm,float,extended,,83.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100." +8.6.0-dev+exp,true,user,user.target.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 8.6.0-dev+exp,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 
8.6.0-dev+exp,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. 8.6.0-dev+exp,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index f239d49f82..0f0c830883 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -5288,8 +5288,7 @@ host.risk.calculated_score_norm: name: calculated_score_norm normalize: [] original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring, and normalized to a range of 0 to 100. + short: A normalized risk score calculated by an internal system. type: float host.risk.static_level: dashed_name: host-risk-static-level @@ -5329,9 +5328,7 @@ host.risk.static_score_norm: name: static_score_norm normalize: [] original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform, and normalized to a range of 0 to - 100. + short: A normalized risk score calculated by an external system. type: float host.type: dashed_name: host-type @@ -18527,8 +18524,7 @@ user.changes.risk.calculated_score_norm: name: calculated_score_norm normalize: [] original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring, and normalized to a range of 0 to 100. + short: A normalized risk score calculated by an internal system. type: float user.changes.risk.static_level: dashed_name: user-changes-risk-static-level 
@@ -18568,9 +18564,7 @@ user.changes.risk.static_score_norm: name: static_score_norm normalize: [] original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform, and normalized to a range of 0 to - 100. + short: A normalized risk score calculated by an external system. type: float user.changes.roles: dashed_name: user-changes-roles @@ -18753,8 +18747,7 @@ user.effective.risk.calculated_score_norm: name: calculated_score_norm normalize: [] original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring, and normalized to a range of 0 to 100. + short: A normalized risk score calculated by an internal system. type: float user.effective.risk.static_level: dashed_name: user-effective-risk-static-level @@ -18794,9 +18787,7 @@ user.effective.risk.static_score_norm: name: static_score_norm normalize: [] original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform, and normalized to a range of 0 to - 100. + short: A normalized risk score calculated by an external system. type: float user.effective.roles: dashed_name: user-effective-roles @@ -18949,8 +18940,7 @@ user.risk.calculated_score_norm: name: calculated_score_norm normalize: [] original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring, and normalized to a range of 0 to 100. + short: A normalized risk score calculated by an internal system. type: float user.risk.static_level: dashed_name: user-risk-static-level 
@@ -18990,9 +18980,7 @@ user.risk.static_score_norm: name: static_score_norm normalize: [] original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform, and normalized to a range of 0 to - 100. + short: A normalized risk score calculated by an external system. type: float user.roles: dashed_name: user-roles @@ -19162,8 +19150,7 @@ user.target.risk.calculated_score_norm: name: calculated_score_norm normalize: [] original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring, and normalized to a range of 0 to 100. + short: A normalized risk score calculated by an internal system. type: float user.target.risk.static_level: dashed_name: user-target-risk-static-level @@ -19203,9 +19190,7 @@ user.target.risk.static_score_norm: name: static_score_norm normalize: [] original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform, and normalized to a range of 0 to - 100. + short: A normalized risk score calculated by an external system. type: float user.target.roles: dashed_name: user-target-roles diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 9dafdd1782..76b035710b 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -6557,9 +6557,7 @@ host: name: calculated_score_norm normalize: [] original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of - 0 to 100. + short: A normalized risk score calculated by an internal system. type: float host.risk.static_level: dashed_name: host-risk-static-level 
@@ -6599,9 +6597,7 @@ host: name: static_score_norm normalize: [] original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. + short: A normalized risk score calculated by an external system. type: float host.type: dashed_name: host-type @@ -12654,9 +12650,7 @@ risk: level: extended name: calculated_score_norm normalize: [] - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of - 0 to 100. + short: A normalized risk score calculated by an internal system. type: float risk.static_level: dashed_name: risk-static-level @@ -12693,9 +12687,7 @@ risk: level: extended name: static_score_norm normalize: [] - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. + short: A normalized risk score calculated by an external system. type: float group: 2 name: risk @@ -20846,9 +20838,7 @@ user: name: calculated_score_norm normalize: [] original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of - 0 to 100. + short: A normalized risk score calculated by an internal system. type: float user.changes.risk.static_level: dashed_name: user-changes-risk-static-level @@ -20888,9 +20878,7 @@ user: name: static_score_norm normalize: [] original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. + short: A normalized risk score calculated by an external system. type: float user.changes.roles: dashed_name: user-changes-roles 
@@ -21073,9 +21061,7 @@ user: name: calculated_score_norm normalize: [] original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of - 0 to 100. + short: A normalized risk score calculated by an internal system. type: float user.effective.risk.static_level: dashed_name: user-effective-risk-static-level @@ -21115,9 +21101,7 @@ user: name: static_score_norm normalize: [] original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. + short: A normalized risk score calculated by an external system. type: float user.effective.roles: dashed_name: user-effective-roles @@ -21270,9 +21254,7 @@ user: name: calculated_score_norm normalize: [] original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of - 0 to 100. + short: A normalized risk score calculated by an internal system. type: float user.risk.static_level: dashed_name: user-risk-static-level @@ -21312,9 +21294,7 @@ user: name: static_score_norm normalize: [] original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. + short: A normalized risk score calculated by an external system. type: float user.roles: dashed_name: user-roles 
@@ -21484,9 +21464,7 @@ user: name: calculated_score_norm normalize: [] original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of - 0 to 100. + short: A normalized risk score calculated by an internal system. type: float user.target.risk.static_level: dashed_name: user-target-risk-static-level @@ -21526,9 +21504,7 @@ user: name: static_score_norm normalize: [] original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. + short: A normalized risk score calculated by an external system. type: float user.target.roles: dashed_name: user-target-roles diff --git a/experimental/schemas/risk.yml b/experimental/schemas/risk.yml index 456c4659f6..72f4ebd846 100644 --- a/experimental/schemas/risk.yml +++ b/experimental/schemas/risk.yml @@ -23,6 +23,7 @@ level: extended type: float example: 88.73 + short: A normalized risk score calculated by an internal system. description: > A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of @@ -38,6 +39,7 @@ level: extended type: float example: 83.0 + short: A normalized risk score calculated by an external system. description: > A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a From ed7d50bc88e7d416eec622ec71d5fdae9e7e33f4 Mon Sep 17 00:00:00 2001 From: Dominic Page <11043991+djptek@users.noreply.github.com> Date: Thu, 28 Jul 2022 19:29:52 +0200 Subject: [PATCH 021/186] rectify changelog 1999 (#2012) Co-authored-by: Kylie Geller --- CHANGELOG.next.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 45ab024e61..0d413ef0cc 100644 --- a/CHANGELOG.next.md 
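Review bot: `experimental/schemas/risk.yml` is the source the `ecs_flat.yml`, `ecs_nested.yml` and `fields.csv` hunks above are generated from, so the wording should be settled here and regenerated rather than patched per file. The two added `short:` lines sit directly above `description:` blocks that still say "normalized to a range of 0 to 100" and "obtained from outside the system"; keep the range in the short text and use "obtained from an external system" for `static_score_norm` so short and long descriptions agree.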
+++ b/CHANGELOG.next.md @@ -47,6 +47,7 @@ Thanks, you're awesome :-) --> #### Improvements * Advances `threat.enrichments.indicator` to GA. #1928 +* Added `ios` and `android` as valid values for `os.type` #1999 #### Deprecated From d257b0ffb38b4bb8f6e704f285d84c25861f9ea0 Mon Sep 17 00:00:00 2001 From: Martijn Laarman Date: Wed, 3 Aug 2022 17:52:16 +0200 Subject: [PATCH 022/186] Fixes a typo in the client schema (#2014) --- experimental/generated/beats/fields.ecs.yml | 1 + experimental/generated/ecs/ecs_flat.yml | 2 +- experimental/generated/ecs/ecs_nested.yml | 2 +- generated/beats/fields.ecs.yml | 1 + generated/ecs/ecs_flat.yml | 2 +- generated/ecs/ecs_nested.yml | 2 +- schemas/client.yml | 2 +- 7 files changed, 7 insertions(+), 5 deletions(-) diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 9d792c7c58..eee2fa3f27 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -353,6 +353,7 @@ of the octet as an unsigned integer. Successive octets are separated by a hyphen.' example: 00-00-5E-00-53-23 + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - name: nat.ip level: extended type: ip diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 0f0c830883..efd75b2107 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -398,7 +398,7 @@ client.mac: level: core name: mac normalize: [] - patther: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ short: MAC address of the client. type: keyword client.nat.ip: diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 76b035710b..dae5fd455b 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
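Review bot: the added changelog line `* Added \`ios\` and \`android\` as valid values for \`os.type\` #1999` lacks the trailing period its neighbour uses (`* Advances \`threat.enrichments.indicator\` to GA. #1928`), and the two entries mix tenses ("Advances" vs "Added"); align both with the rest of the Improvements list.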
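Review bot: the `patther` to `pattern` fix changes generated output, not just a key name: the `experimental/generated/beats/fields.ecs.yml` hunk gains a `pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$` line that was absent before, so Beats consumers of `client.mac` now receive a validation regex they previously did not. That warrants a Bugfixes entry in `CHANGELOG.next.md` (this commit touches no changelog), and a grep of the other schema files for the same misspelling before merging, since a silently dropped `pattern` is easy to miss in generated artifacts.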
@@ -561,7 +561,7 @@ client: level: core name: mac normalize: [] - patther: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ short: MAC address of the client. type: keyword client.nat.ip: diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 4df983ecd0..120dbc5b94 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -303,6 +303,7 @@ of the octet as an unsigned integer. Successive octets are separated by a hyphen.' example: 00-00-5E-00-53-23 + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - name: nat.ip level: extended type: ip diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 987dacf34e..71fc8833a8 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -329,7 +329,7 @@ client.mac: level: core name: mac normalize: [] - patther: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ short: MAC address of the client. type: keyword client.nat.ip: diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index b312004b71..e2b99a624f 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -481,7 +481,7 @@ client: level: core name: mac normalize: [] - patther: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ short: MAC address of the client. type: keyword client.nat.ip: diff --git a/schemas/client.yml b/schemas/client.yml index 8a1468186b..b19251acf3 100644 --- a/schemas/client.yml +++ b/schemas/client.yml @@ -65,7 +65,7 @@ level: core type: keyword short: MAC address of the client. - patther: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ example: 00-00-5E-00-53-23 description: > MAC address of the client. From 0dac527e4d19b98b725fcbca5a96b06514ffeaff Mon Sep 17 00:00:00 2001 
From: Alexander Wert Date: Wed, 3 Aug 2022 20:20:08 +0200 Subject: [PATCH 023/186] [RFC] Stage 0 - New Fieldset for Device (#2013) * RFC: device fields * Updated PR number Co-authored-by: Kylie Geller --- rfcs/text/0000-device-fields.md | 126 ++++++++++++++++++++++++++++++++ 1 file changed, 126 insertions(+) create mode 100644 rfcs/text/0000-device-fields.md diff --git a/rfcs/text/0000-device-fields.md b/rfcs/text/0000-device-fields.md new file mode 100644 index 0000000000..f513b95160 --- /dev/null +++ b/rfcs/text/0000-device-fields.md 
@@ -0,0 +1,126 @@ +# 0000: Name of RFC + + +- Stage: **0 (strawperson)** +- Date: **TBD** + + + + + +With mobile use cases (e.g. tracing and logging on mobile devices, such as iOS, Android, etc.) it is important to capture device information that would allow to correlate and slice and dice information by device properties (such as device manufacturer, device model id, etc.). + +The [OpenTelemetry semantic conventions specify the following fields for devices](https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/device/): +- `device.id` +- `device.model.identifier` +- `device.model.name` +- `device.manufacturer` + +With this RFC, we propose to adopt the device fields specified by OpenTelemetry to support product use cases at Elastic that are related to mobile devices (e.g. APM for iOS and Android). + + + + + +## Fields + + + + + +## Usage + + + +## Source data + + + + + + + +## Scope of impact + + + +## Concerns + + + + + + + +## People + +The following are the people that consulted on the contents of this RFC. + +* @AlexanderWert | author +* @felixbarny | subject matter expert +* @bryce-b | subject matter expert +* @LikeTheSalad | subject matter expert +* @akhileshpok | PM Mobile APM + + + + + +## References + + +* [OpenTelemetry specification for device](https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/device/) + +### RFC Pull Requests + + + +* Stage 0: https://github.com/elastic/ecs/pull/2013 + + From 02f918d65dd052927fca8a58d7d4fadd1eac09af Mon Sep 17 00:00:00 2001 From: Kylie Geller Date: Wed, 3 Aug 2022 15:08:51 -0400 Subject: [PATCH 024/186] Correction to new device RFC (#2021) --- rfcs/text/{0000-device-fields.md => 0034-device-fields.md} | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) rename rfcs/text/{0000-device-fields.md => 0034-device-fields.md} (96%) 
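Review bot: the RFC is committed with its template placeholders intact (`# 0000: Name of RFC`, `Date: **TBD**`) and empty Fields, Usage and Source data sections; the follow-up "Correction to new device RFC (#2021)" fixes the title and date, but it is cleaner to land a stage 0 document already numbered and dated. On substance, the proposal introduces `device.id` as a stable per-device identifier, so the Concerns section (currently empty) should state how persistence of that identifier interacts with data-protection requirements and what the mitigation is, since that is the main risk a reviewer will ask about at stage 1.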
diff --git a/rfcs/text/0000-device-fields.md b/rfcs/text/0034-device-fields.md similarity index 96% rename from rfcs/text/0000-device-fields.md rename to rfcs/text/0034-device-fields.md index f513b95160..be13648bb9 100644 --- a/rfcs/text/0000-device-fields.md +++ b/rfcs/text/0034-device-fields.md @@ -1,8 +1,8 @@ -# 0000: Name of RFC +# 0034: Adding device fields - Stage: **0 (strawperson)** -- Date: **TBD** +- Date: **2022-08-03** * Stage 0: https://github.com/elastic/ecs/pull/2013 + * Correction: https://github.com/elastic/ecs/pull/2021 -- Stage: **0 (strawperson)** -- Date: **2022-08-03** +- Stage: **1 (draft)** +- Date: **2022-08-16** +A new `Device` field group will be added with the fields defined by [OpenTelemetry Semantic Conventions for Devices](https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/device/). + + + 
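Review bot: the added pull-request entry is indented (`+ * Correction: https://github.com/elastic/ecs/pull/2021`) while the existing `* Stage 0:` item is not, so the Markdown list renders inconsistently; drop the leading space so the two items line up.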
@@ -47,12 +51,22 @@ Stage 2: Add or update all remaining field definitions. The list should now be e Stage 1: Describe at a high-level how these field changes will be used in practice. Real world examples are encouraged. The goal here is to understand how people would leverage these fields to gain insights or solve problems. ~1-3 paragraphs. --> +APM data (i.e. transaction and spans that are part of end-to-end traces) is also collected for mobile devices (i.e. iOS and Android applications). Enriching this APM data would allow for rhich performance and business-related analysis of the data. E.g. user could filter performance issues, errors, crashes, etc. by device model types, versions, manufacturers. +The APM correlations feature can be improved for mobile applications by including these fields as it would identify statistical correlations if problems occur, for example, only for specific device models. +A unique device.id allows in addition to derive statistics on recurring users vs. new users. + + ## Source data +The information will be retrieved by the APM agents for iOS and Android. The Android agent will use the [Build API](https://developer.android.com/reference/android/os/Build#MANUFACTURER) to retrieve the above information. For iOS, the [vendor identifier property](https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor) will be used to retrieve the device ID. iOS also provides an API to retrive the `device.model.identifier`. + +For both, iOS and Android, the `device.model.name` cannot be retrieved on the Device itself but need to be mapped from the `device.model.identifier` value. We will use an Elasticsearch ingest node processor for this mapping ([this is the corresponding ES issue for it](https://github.com/elastic/elasticsearch/issues/88865)). + + 
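Review bot: typos in the Usage and Source data paragraphs: "rhich" should be "rich", "retrive" should be "retrieve", and "For both, iOS and Android," should drop the comma. On substance, the Usage sentence "A unique device.id allows in addition to derive statistics on recurring users vs. new users" describes using the device identifier to re-identify returning users; that is a tracking use, so the RFC should reconcile it with the privacy constraints it places on `device.id` and cover it in the Concerns section rather than only in Usage.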
@@ -76,6 +90,7 @@ The goal here is to research and understand the impact of these changes on users +- `device.model.name` cannot be collected directly on the device but needs to be mapped from the `device.model.identifier`. This requires backend-side mapping. We will solve this through an Elasticsearch ingest node processor (similar to the GeoIP processor that maps IPs to geo locations). + +- Stage: **2 (candidate)** +- Date: **2022/08/16** + + + + + +The goal of the RFC is to introduce new fields to the 'process' fieldset to track input and output data from processes. The initial implementation will be focused on capturing Linux TTY output. Each event will contain a maximum number of bytes of output data (configurable) along with context about which tty, and process generated the output. This data can drive new visualizations in Kibana as well as providing more information to security analysts. + + + +see: 0035/process.yml + + + +## Fields + + + +A new "io" field is added to the top level process fieldset. The key use case is capturing text output to TTY, however, the fieldset has been structured to be extensible to handle input and output from files and sockets, as well non-text (binary) data. + +- process.io (type: object) +- process.io.type (type: keyword, for now the only value will be "tty", but in future "file" and "socket" may be added) +- process.io.text (type: wildcard, a line-oriented chunk of tty output text) +- process.io.total_bytes_captured (type: number) +- process.io.total_bytes_skipped (type: number) +- process.io.max_bytes_per_process_exceeded (type: boolean) +- process.io.bytes_skipped (type: object array) +- process.io.bytes_skipped.offset (type: number) +- process.io.bytes_skipped.length (type: number) + +Possible future additions to support non utf-8 data: +- process.io.bytes (type: binary, a single base64 encoded string) + + + +## Usage + + + + These fields will primarily be used to replay and visualize TTY output for a Linux session. 
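Review bot: the field list declares `process.io.total_bytes_captured`, `process.io.total_bytes_skipped`, `process.io.bytes_skipped.offset` and `process.io.bytes_skipped.length` as `type: number`; ECS schema types are Elasticsearch field types and `number` is not one, so these should be `long` (the rest of this patch series consistently uses `float`, `keyword`, `boolean`). Also `Date: **2022/08/16**` uses slashes where the other RFCs in this series use ISO dashes (`2022-08-16`).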
Output to a TTY contains terminal control codes. These control codes can represent visual editing (cursor movements), as well as partial screen updates in graphical modes. Libraries like xtermjs.org are well suited to handle the rendering of terminal output. This will give security analysts additional means to investigate Linux sessions. + +## Source data + + + +``` + { + event: { + kind: 'event', + action: 'text_output' (for now the only action type, though one could imagine values like: text_input, binary_output, binary_input) + }, + process: { + args: ['ls'], + executable: '/bin/ls', + ...other_process_details, + + entry_leader: , + session_leader: , + + tty: { + char_device: { + major: 1, + minor: 128 + } + }, + + io: { + type: "tty", + text: "hello world/n#!/bin/bash\ngoodbyeworld", + + total_bytes_captured: 1024, + total_bytes_skipped: 160, + + bytes_skipped: [ + { offset: 512, length: 128 }, + { offset: 768, length: 32 } + ] + + // future binary support + bytes: "" + } + } + } +``` + + + + + +## Scope of impact + + + +## Concerns + + + +1. Data exfiltration. TTY output is a sensitive surface area to expose. It should be featured gated, and an opt in for customers, at least until we implement some robust "regex scrubbing/redaction" mechanisms. +2. Per event batch size should be considered. If batch size is too big, alerting on IO data becomes fuzzy, as rules are evaluated on the document level, not on an individual line of output. This could make it a challenge to figure out what part of the message triggered the alert. + + + + + +## People + +The following are the people that consulted on the contents of this RFC. + +* @mitodrummer | author +* @m-sample | subject matter expert +* @norrietaylor| subject matter expert +* @mattnite | subject matter expert +* @tabell | subject matter expert + + + + +## References + + + +### RFC Pull Requests + + + +* Stage 1: https://github.com/elastic/ecs/pull/1956 + + 
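Review bot: the Source data example has `text: "hello world/n#!/bin/bash\ngoodbyeworld"` with a forward-slash `/n` where a newline escape `\n` is meant, and the `bytes_skipped: [...]` array is missing the comma before the `// future binary support` entry, so the example does not parse as written. In Concerns, "featured gated" should read "feature gated"; and since `process.io.text` is indexed as `wildcard`, the section should also note that captured TTY output can include secrets echoed to the terminal (tokens on command lines, dumped environment variables), so retention limits and field-level access control belong alongside the proposed redaction. Minor: `@norrietaylor|` in People is missing the space before the pipe, and the References section is empty.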
diff --git a/rfcs/text/0035/process.yml b/rfcs/text/0035/process.yml new file mode 100644 index 0000000000..669a9875ca --- /dev/null +++ b/rfcs/text/0035/process.yml 
@@ -0,0 +1,97 @@ +# Licensed to Elasticsearch B.V. under one or more contributor +# license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright +# ownership. Elasticsearch B.V. licenses this file to you under +# the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +--- +- name: process + fields: + + # minor typo fix in description for this field. "pts/0 -> "pts/0" + - name: tty.char_device.major + description: > + The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. + + # new 'io' properties for tracking tty output + - name: io + level: extended + type: object + short: A chunk of input or output (IO) from a single process. + description: > + A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process that wrote the output or read the input. + + - name: io.type + level: extended + type: keyword + short: The type of object on which the IO action (read or write) was taken. + description: > + The type of object on which the IO action (read or write) was taken. + + Currently only 'tty' is supported. Other types may be added in the future for 'file' and 'socket' support. 
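Review bot: the comment `# minor typo fix in description for this field. "pts/0 -> "pts/0"` shows identical before and after text with unbalanced quotes, so it does not tell a reader what actually changed in `tty.char_device.major`; either quote the original misspelling or drop the comment. The `io` object's description says the field "only appears on the top level process object", which is the right constraint for an extended field; consider stating it in `short:` as well so it survives into the generated field tables.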
+ + - name: io.text + level: extended + type: wildcard + short: A chunk of output or input sanitized to UTF-8. + description: > + A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. Assumptions should NOT be made that multiple lines will appear in the same event. TTY output may contain terminal control codes such as for cursor movement, so some string queries may not match due to terminal codes inserted between characters of a word. + + - name: io.total_bytes_captured + level: extended + type: number + description: > + The total number of bytes captured in this event. + + - name: io.total_bytes_skipped + level: extended + type: number + description: > + The total number of bytes of output that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure this value is always zero + + - name: io.max_bytes_per_process_exceeded + level: extended + type: boolean + description: > + If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting. + + - name: io.bytes_skipped + level: extended + type: object + description: > + An array of byte offsets and lengths denoting where IO data has been skipped. + + normalize: array + + - name: io.bytes_skipped.offset + level: extended + type: number + description: > + The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. + + - name: io.bytes_skipped.length + level: extended + type: number + description: > + The length of bytes skipped. + + # future addition (NOT TO BE INCLUDED IN THIS RFC) + - name: io.bytes + level: extended + type: binary + description: > + A base64 encoded string of binary data read or written by a process. It's preferable to use process.io.text instead, where possible, to improve searchability. From 474ba6d74008a079664193ae64b09b313aae5008 Mon Sep 17 00:00:00 2001 
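Review bot: `io.total_bytes_captured`, `io.total_bytes_skipped`, `io.bytes_skipped.offset` and `io.bytes_skipped.length` use `type: number`, which is not an Elasticsearch field type; use `long`. The `io.max_bytes_per_process_exceeded` description refers to a `max_kilobytes_per_process` setting while the field name is in bytes; pick one unit. The `io.bytes` entry is commented "NOT TO BE INCLUDED IN THIS RFC" yet is a live field definition, so it will be picked up by anyone generating from this file; comment it out or move it to the RFC text. Minor: the `io.total_bytes_skipped` description is missing its closing period after "always zero".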
From: Alexander Wert Date: Thu, 18 Aug 2022 08:04:55 +0200 Subject: [PATCH 028/186] Device fields RFC stage 2 and schema change (#2030) * Added device schema file * Update 0034-device-fields.md * Added changelog entry for device field set --- CHANGELOG.next.md | 2 + docs/fields/field-details.asciidoc | 89 +++++++++++++++++++ docs/fields/fields.asciidoc | 2 + experimental/generated/beats/fields.ecs.yml | 47 ++++++++++ experimental/generated/csv/fields.csv | 4 + experimental/generated/ecs/ecs_flat.yml | 50 +++++++++++ experimental/generated/ecs/ecs_nested.yml | 67 ++++++++++++++ .../composable/component/device.json | 36 ++++++++ .../elasticsearch/composable/template.json | 1 + .../elasticsearch/legacy/template.json | 24 +++++ generated/beats/fields.ecs.yml | 47 ++++++++++ generated/csv/fields.csv | 4 + generated/ecs/ecs_flat.yml | 50 +++++++++++ generated/ecs/ecs_nested.yml | 67 ++++++++++++++ .../composable/component/device.json | 36 ++++++++ .../elasticsearch/composable/template.json | 1 + generated/elasticsearch/legacy/template.json | 24 +++++ rfcs/text/0034-device-fields.md | 3 +- schemas/device.yml | 45 ++++++++++ schemas/subsets/main.yml | 2 + 20 files changed, 600 insertions(+), 1 deletion(-) create mode 100644 experimental/generated/elasticsearch/composable/component/device.json create mode 100644 generated/elasticsearch/composable/component/device.json create mode 100644 schemas/device.yml diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 0d413ef0cc..eaa251c05f 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -16,6 +16,8 @@ Thanks, you're awesome :-) --> #### Added +* Added `device.*` field set as beta. #2030 + #### Improvements #### Deprecated diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index 49738c4993..135fae5ee2 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc 
@@ -1591,6 +1591,95 @@ example: `co.uk` |===== +[[ecs-device]] +=== Device Fields + +Fields that describe a device instance and its characteristics. Data collected for applications and processes running on a (mobile) device can be enriched with these fields to describe the identity, type and other characteristics of the device. + +This field group definition is based on the Device namespace of the OpenTelemetry Semantic Conventions (https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/device/). + +beta::[ These fields are in beta and are subject to change.] + +[discrete] +==== Device Field Details + +[options="header"] +|===== +| Field | Description | Level + +// =============================================================== + +| +[[field-device-id]] +<> + +a| The unique identifier of a device. The identifier must not change across application sessions but stay fixex for an instance of a (mobile) device. + +On iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor). On Android, this value must be equal to the Firebase Installation ID or a globally unique UUID which is persisted across sessions in your application. + +For GDPR and data protection law reasons this identifier should not carry information that would allow to identify a user. + +type: keyword + + + +example: `00000000-54b3-e7c7-0000-000046bffd97` + +| extended + +// =============================================================== + +| +[[field-device-manufacturer]] +<> + +a| The vendor name of the device manufacturer. + +type: keyword + + + +example: `Samsung` + +| extended + +// =============================================================== + +| +[[field-device-model-identifier]] +<> + +a| The machine readable identifier of the device model. 
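Review bot: the `device.id` description in `field-details.asciidoc` has "stay fixex" for "stay fixed" and "would allow to identify a user" for "would allow a user to be identified"; both originate in `schemas/device.yml` (listed in this commit's diffstat) and reappear verbatim in every generated file in this patch, so fix them at the source and regenerate rather than editing the asciidoc.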
+ +type: keyword + + + +example: `SM-G920F` + +| extended + +// =============================================================== + +| +[[field-device-model-name]] +<> + +a| The human readable marketing name of the device model. + +type: keyword + + + +example: `Samsung Galaxy S6` + +| extended + +// =============================================================== + +|===== + + [[ecs-dll]] === DLL Fields diff --git a/docs/fields/fields.asciidoc b/docs/fields/fields.asciidoc index ca7f3e17e1..a80ed79388 100644 --- a/docs/fields/fields.asciidoc +++ b/docs/fields/fields.asciidoc @@ -38,6 +38,8 @@ For a single page representation of all fields, please see the | <> | Fields about the destination side of a network connection, used with source. +| <> | Fields characterizing a (mobile) device a process or application is running on. + | <> | These fields contain information about code libraries dynamically loaded into processes. | <> | Fields describing DNS queries and answers. diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index eee2fa3f27..779dc89cb3 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
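Review bot: the one-line summary added to `fields.asciidoc` ("Fields characterizing a (mobile) device a process or application is running on.") differs from the field set's own description in `field-details.asciidoc` ("Fields that describe a device instance and its characteristics..."); the index page and the details page should use the same opening sentence, which the generator normally derives from the schema `short:`.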
@@ -1286,6 +1286,53 @@ description: Array of user roles at the time of the event. example: '["kibana_admin", "reporting_user"]' default_field: false + - name: device + title: Device + group: 2 + description: 'Fields that describe a device instance and its characteristics. Data + collected for applications and processes running on a (mobile) device can be + enriched with these fields to describe the identity, type and other characteristics + of the device. + + This field group definition is based on the Device namespace of the OpenTelemetry + Semantic Conventions (https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/device/).' + type: group + default_field: true + fields: + - name: id + level: extended + type: keyword + ignore_above: 1024 + description: "The unique identifier of a device. The identifier must not change\ + \ across application sessions but stay fixex for an instance of a (mobile)\ + \ device. \nOn iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor).\ + \ On Android, this value must be equal to the Firebase Installation ID or\ + \ a globally unique UUID which is persisted across sessions in your application.\n\ + For GDPR and data protection law reasons this identifier should not carry\ + \ information that would allow to identify a user." + example: 00000000-54b3-e7c7-0000-000046bffd97 + default_field: false + - name: manufacturer + level: extended + type: keyword + ignore_above: 1024 + description: The vendor name of the device manufacturer. + example: Samsung + default_field: false + - name: model.identifier + level: extended + type: keyword + ignore_above: 1024 + description: The machine readable identifier of the device model. + example: SM-G920F + default_field: false + - name: model.name + level: extended + type: keyword + ignore_above: 1024 + description: The human readable marketing name of the device model. 
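Review bot: the generated `device.id` description in `fields.ecs.yml` carries a stray space before a newline (`device. \nOn iOS`), which means the `description:` block in `schemas/device.yml` has trailing whitespace at the end of its first paragraph; trim it in the schema so the escaped string in the generated files is clean, and the same `fixex` typo noted for the docs will disappear from here on regeneration.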
+ example: Samsung Galaxy S6 + default_field: false - name: dll title: DLL group: 2 diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 693a6b9c36..d5794b4ae4 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv @@ -141,6 +141,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev+exp,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. 8.6.0-dev+exp,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 8.6.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.6.0-dev+exp,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. +8.6.0-dev+exp,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. +8.6.0-dev+exp,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. +8.6.0-dev+exp,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. 8.6.0-dev+exp,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.6.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 8.6.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index efd75b2107..b56c568515 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -1700,6 +1700,56 @@ destination.user.roles: original_fieldset: user short: Array of user roles at the time of the event. type: keyword +device.id: + dashed_name: device-id + description: "The unique identifier of a device. The identifier must not change\ + \ across application sessions but stay fixex for an instance of a (mobile) device.\ + \ \nOn iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor).\ + \ On Android, this value must be equal to the Firebase Installation ID or a globally\ + \ unique UUID which is persisted across sessions in your application.\nFor GDPR\ + \ and data protection law reasons this identifier should not carry information\ + \ that would allow to identify a user." + example: 00000000-54b3-e7c7-0000-000046bffd97 + flat_name: device.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + short: The unique identifier of a device. + type: keyword +device.manufacturer: + dashed_name: device-manufacturer + description: The vendor name of the device manufacturer. + example: Samsung + flat_name: device.manufacturer + ignore_above: 1024 + level: extended + name: manufacturer + normalize: [] + short: The vendor name of the device manufacturer. + type: keyword +device.model.identifier: + dashed_name: device-model-identifier + description: The machine readable identifier of the device model. + example: SM-G920F + flat_name: device.model.identifier + ignore_above: 1024 + level: extended + name: model.identifier + normalize: [] + short: The machine readable identifier of the device model. + type: keyword +device.model.name: + dashed_name: device-model-name + description: The human readable marketing name of the device model. + example: Samsung Galaxy S6 + flat_name: device.model.name + ignore_above: 1024 + level: extended + name: model.name + normalize: [] + short: The human readable marketing name of the device model. 
+ type: keyword dll.code_signature.digest_algorithm: dashed_name: dll-code-signature-digest-algorithm description: 'The hashing algorithm used to sign the process. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index dae5fd455b..dc925b395b 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -2142,6 +2142,73 @@ destination: short: Fields about the destination side of a network connection, used with source. title: Destination type: group +device: + beta: These fields are in beta and are subject to change. + description: 'Fields that describe a device instance and its characteristics. Data + collected for applications and processes running on a (mobile) device can be enriched + with these fields to describe the identity, type and other characteristics of + the device. + + This field group definition is based on the Device namespace of the OpenTelemetry + Semantic Conventions (https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/device/).' + fields: + device.id: + dashed_name: device-id + description: "The unique identifier of a device. The identifier must not change\ + \ across application sessions but stay fixex for an instance of a (mobile)\ + \ device. \nOn iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor).\ + \ On Android, this value must be equal to the Firebase Installation ID or\ + \ a globally unique UUID which is persisted across sessions in your application.\n\ + For GDPR and data protection law reasons this identifier should not carry\ + \ information that would allow to identify a user." + example: 00000000-54b3-e7c7-0000-000046bffd97 + flat_name: device.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + short: The unique identifier of a device. + type: keyword + device.manufacturer: + dashed_name: device-manufacturer + description: The vendor name of the device manufacturer. + example: Samsung + flat_name: device.manufacturer + ignore_above: 1024 + level: extended + name: manufacturer + normalize: [] + short: The vendor name of the device manufacturer. 
+ type: keyword + device.model.identifier: + dashed_name: device-model-identifier + description: The machine readable identifier of the device model. + example: SM-G920F + flat_name: device.model.identifier + ignore_above: 1024 + level: extended + name: model.identifier + normalize: [] + short: The machine readable identifier of the device model. + type: keyword + device.model.name: + dashed_name: device-model-name + description: The human readable marketing name of the device model. + example: Samsung Galaxy S6 + flat_name: device.model.name + ignore_above: 1024 + level: extended + name: model.name + normalize: [] + short: The human readable marketing name of the device model. + type: keyword + group: 2 + name: device + prefix: device. + short: Fields characterizing a (mobile) device a process or application is running + on. + title: Device + type: group dll: description: 'These fields contain information about code libraries dynamically loaded into processes. diff --git a/experimental/generated/elasticsearch/composable/component/device.json b/experimental/generated/elasticsearch/composable/component/device.json new file mode 100644 index 0000000000..07a1b46999 --- /dev/null +++ b/experimental/generated/elasticsearch/composable/component/device.json @@ -0,0 +1,36 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-device.html", + "ecs_version": "8.6.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "device": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "manufacturer": { + "ignore_above": 1024, + "type": "keyword" + }, + "model": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/experimental/generated/elasticsearch/composable/template.json b/experimental/generated/elasticsearch/composable/template.json index ca6daa1a59..ea8d864740 100644 
--- a/experimental/generated/elasticsearch/composable/template.json +++ b/experimental/generated/elasticsearch/composable/template.json @@ -12,6 +12,7 @@ "ecs_8.6.0-dev-exp_container", "ecs_8.6.0-dev-exp_data_stream", "ecs_8.6.0-dev-exp_destination", + "ecs_8.6.0-dev-exp_device", "ecs_8.6.0-dev-exp_dll", "ecs_8.6.0-dev-exp_dns", "ecs_8.6.0-dev-exp_ecs", diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index 8a775c4a9c..af8a93e97c 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -754,6 +754,30 @@ } } }, + "device": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "manufacturer": { + "ignore_above": 1024, + "type": "keyword" + }, + "model": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "dll": { "properties": { "code_signature": { diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 120dbc5b94..3c3a5336bf 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -1236,6 +1236,53 @@ description: Array of user roles at the time of the event. example: '["kibana_admin", "reporting_user"]' default_field: false + - name: device + title: Device + group: 2 + description: 'Fields that describe a device instance and its characteristics. Data + collected for applications and processes running on a (mobile) device can be + enriched with these fields to describe the identity, type and other characteristics + of the device. + + This field group definition is based on the Device namespace of the OpenTelemetry + Semantic Conventions (https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/device/).' + type: group + default_field: true + fields: + - name: id + level: extended + type: keyword + ignore_above: 1024 + description: "The unique identifier of a device. The identifier must not change\ + \ across application sessions but stay fixex for an instance of a (mobile)\ + \ device. \nOn iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor).\ + \ On Android, this value must be equal to the Firebase Installation ID or\ + \ a globally unique UUID which is persisted across sessions in your application.\n\ + For GDPR and data protection law reasons this identifier should not carry\ + \ information that would allow to identify a user." + example: 00000000-54b3-e7c7-0000-000046bffd97 + default_field: false + - name: manufacturer + level: extended + type: keyword + ignore_above: 1024 + description: The vendor name of the device manufacturer. + example: Samsung + default_field: false + - name: model.identifier + level: extended + type: keyword + ignore_above: 1024 + description: The machine readable identifier of the device model. + example: SM-G920F + default_field: false + - name: model.name + level: extended + type: keyword + ignore_above: 1024 + description: The human readable marketing name of the device model. 
+ example: Samsung Galaxy S6 + default_field: false - name: dll title: DLL group: 2 diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 60cbbdedd9..e2d5207665 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -134,6 +134,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. 8.6.0-dev,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 8.6.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.6.0-dev,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. +8.6.0-dev,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. +8.6.0-dev,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. +8.6.0-dev,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. 8.6.0-dev,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.6.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 8.6.0-dev,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 71fc8833a8..cc1435fe19 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -1631,6 +1631,56 @@ destination.user.roles: original_fieldset: user short: Array of user roles at the time of the event. type: keyword +device.id: + dashed_name: device-id + description: "The unique identifier of a device. The identifier must not change\ + \ across application sessions but stay fixex for an instance of a (mobile) device.\ + \ \nOn iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor).\ + \ On Android, this value must be equal to the Firebase Installation ID or a globally\ + \ unique UUID which is persisted across sessions in your application.\nFor GDPR\ + \ and data protection law reasons this identifier should not carry information\ + \ that would allow to identify a user." + example: 00000000-54b3-e7c7-0000-000046bffd97 + flat_name: device.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + short: The unique identifier of a device. + type: keyword +device.manufacturer: + dashed_name: device-manufacturer + description: The vendor name of the device manufacturer. + example: Samsung + flat_name: device.manufacturer + ignore_above: 1024 + level: extended + name: manufacturer + normalize: [] + short: The vendor name of the device manufacturer. + type: keyword +device.model.identifier: + dashed_name: device-model-identifier + description: The machine readable identifier of the device model. + example: SM-G920F + flat_name: device.model.identifier + ignore_above: 1024 + level: extended + name: model.identifier + normalize: [] + short: The machine readable identifier of the device model. + type: keyword +device.model.name: + dashed_name: device-model-name + description: The human readable marketing name of the device model. + example: Samsung Galaxy S6 + flat_name: device.model.name + ignore_above: 1024 + level: extended + name: model.name + normalize: [] + short: The human readable marketing name of the device model. 
+ type: keyword dll.code_signature.digest_algorithm: dashed_name: dll-code-signature-digest-algorithm description: 'The hashing algorithm used to sign the process. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index e2b99a624f..ea0f14828e 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -2062,6 +2062,73 @@ destination: short: Fields about the destination side of a network connection, used with source. title: Destination type: group +device: + beta: These fields are in beta and are subject to change. + description: 'Fields that describe a device instance and its characteristics. Data + collected for applications and processes running on a (mobile) device can be enriched + with these fields to describe the identity, type and other characteristics of + the device. + + This field group definition is based on the Device namespace of the OpenTelemetry + Semantic Conventions (https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/device/).' + fields: + device.id: + dashed_name: device-id + description: "The unique identifier of a device. The identifier must not change\ + \ across application sessions but stay fixex for an instance of a (mobile)\ + \ device. \nOn iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor).\ + \ On Android, this value must be equal to the Firebase Installation ID or\ + \ a globally unique UUID which is persisted across sessions in your application.\n\ + For GDPR and data protection law reasons this identifier should not carry\ + \ information that would allow to identify a user." + example: 00000000-54b3-e7c7-0000-000046bffd97 + flat_name: device.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + short: The unique identifier of a device. + type: keyword + device.manufacturer: + dashed_name: device-manufacturer + description: The vendor name of the device manufacturer. + example: Samsung + flat_name: device.manufacturer + ignore_above: 1024 + level: extended + name: manufacturer + normalize: [] + short: The vendor name of the device manufacturer. 
+ type: keyword + device.model.identifier: + dashed_name: device-model-identifier + description: The machine readable identifier of the device model. + example: SM-G920F + flat_name: device.model.identifier + ignore_above: 1024 + level: extended + name: model.identifier + normalize: [] + short: The machine readable identifier of the device model. + type: keyword + device.model.name: + dashed_name: device-model-name + description: The human readable marketing name of the device model. + example: Samsung Galaxy S6 + flat_name: device.model.name + ignore_above: 1024 + level: extended + name: model.name + normalize: [] + short: The human readable marketing name of the device model. + type: keyword + group: 2 + name: device + prefix: device. + short: Fields characterizing a (mobile) device a process or application is running + on. + title: Device + type: group dll: description: 'These fields contain information about code libraries dynamically loaded into processes. diff --git a/generated/elasticsearch/composable/component/device.json b/generated/elasticsearch/composable/component/device.json new file mode 100644 index 0000000000..32670bb94d --- /dev/null +++ b/generated/elasticsearch/composable/component/device.json @@ -0,0 +1,36 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-device.html", + "ecs_version": "8.6.0-dev" + }, + "template": { + "mappings": { + "properties": { + "device": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "manufacturer": { + "ignore_above": 1024, + "type": "keyword" + }, + "model": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/generated/elasticsearch/composable/template.json b/generated/elasticsearch/composable/template.json index f776e950e7..1d0a80f672 100644 --- a/generated/elasticsearch/composable/template.json 
+++ b/generated/elasticsearch/composable/template.json @@ -11,6 +11,7 @@ "ecs_8.6.0-dev_container", "ecs_8.6.0-dev_data_stream", "ecs_8.6.0-dev_destination", + "ecs_8.6.0-dev_device", "ecs_8.6.0-dev_dll", "ecs_8.6.0-dev_dns", "ecs_8.6.0-dev_ecs", diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index 32cd305c61..7b06a421b7 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -712,6 +712,30 @@ } } }, + "device": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "manufacturer": { + "ignore_above": 1024, + "type": "keyword" + }, + "model": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "dll": { "properties": { "code_signature": { diff --git a/rfcs/text/0034-device-fields.md b/rfcs/text/0034-device-fields.md index cd57376999..378d2f90c9 100644 --- a/rfcs/text/0034-device-fields.md +++ b/rfcs/text/0034-device-fields.md @@ -1,7 +1,7 @@ # 0034: Adding device fields -- Stage: **1 (draft)** +- Stage: **2 (candidate)** - Date: **2022-08-16** #### Improvements +* Added `CLEAR` and `AMBER+STRICT` as valid values for `threat.indicator.marking.tlp` to accept new [TLP 2.0](https://www.first.org/tlp/) markings - [#2022](https://github.com/elastic/ecs/issues/2022) + #### Deprecated ### Tooling and Artifact Changes diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index 135fae5ee2..9003b023f2 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -9834,15 +9834,17 @@ a| Traffic Light Protocol sharing markings. Expected values for this field: * `WHITE` +* `CLEAR` * `GREEN` * `AMBER` +* `AMBER+STRICT` * `RED` type: keyword -example: `WHITE` +example: `CLEAR` | extended 
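Review bot: the `device.id` description has a typo, "stay fixex for an instance", repeated in every generated copy (the `beats/fields.ecs.yml`, `ecs_flat.yml` and `ecs_nested.yml` hunks under both `experimental/` and the top level); since these files are generated, correct it in the source schema definition (not part of this hunk set) to "stay fixed for an instance" and regenerate rather than editing the outputs. While there, "should not carry information that would allow to identify a user" reads better as "should not carry information that would allow a user to be identified".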
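Review bot: the `rfcs/text/0034-device-fields.md` hunk advances the stage from 1 (draft) to 2 (candidate) but leaves `Date: **2022-08-16**` as unchanged context; if that date is meant to record when the RFC last advanced, it should be updated in the same change, otherwise the stage and date will disagree.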
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 779dc89cb3..aeee63a4e2 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -10737,7 +10737,7 @@ type: keyword ignore_above: 1024 description: Traffic Light Protocol sharing markings. - example: WHITE + example: CLEAR default_field: false - name: indicator.modified_at level: extended diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index d5794b4ae4..1356a9c466 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv @@ -1286,7 +1286,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev+exp,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 8.6.0-dev+exp,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address 8.6.0-dev+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. -8.6.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,WHITE,Indicator TLP marking +8.6.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking 8.6.0-dev+exp,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. 8.6.0-dev+exp,true,threat,threat.indicator.port,long,extended,,443,Indicator port 8.6.0-dev+exp,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index b56c568515..c80f99e9d6 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -16271,11 +16271,13 @@ threat.indicator.last_seen: threat.indicator.marking.tlp: dashed_name: threat-indicator-marking-tlp description: Traffic Light Protocol sharing markings. - example: WHITE + example: CLEAR expected_values: - WHITE + - CLEAR - GREEN - AMBER + - AMBER+STRICT - RED flat_name: threat.indicator.marking.tlp ignore_above: 1024 diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index dc925b395b..f5b9e97dc1 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -18457,11 +18457,13 @@ threat: threat.indicator.marking.tlp: dashed_name: threat-indicator-marking-tlp description: Traffic Light Protocol sharing markings. - example: WHITE + example: CLEAR expected_values: - WHITE + - CLEAR - GREEN - AMBER + - AMBER+STRICT - RED flat_name: threat.indicator.marking.tlp ignore_above: 1024 diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 3c3a5336bf..7b29dbd6b4 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -10588,7 +10588,7 @@ type: keyword ignore_above: 1024 description: Traffic Light Protocol sharing markings. - example: WHITE + example: CLEAR default_field: false - name: indicator.modified_at level: extended diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index e2d5207665..cc4baa9974 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -1273,7 +1273,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 8.6.0-dev,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address 8.6.0-dev,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. -8.6.0-dev,true,threat,threat.indicator.marking.tlp,keyword,extended,,WHITE,Indicator TLP marking +8.6.0-dev,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking 8.6.0-dev,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. 8.6.0-dev,true,threat,threat.indicator.port,long,extended,,443,Indicator port 8.6.0-dev,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index cc1435fe19..55d0dcd98b 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -16122,11 +16122,13 @@ threat.indicator.last_seen: threat.indicator.marking.tlp: dashed_name: threat-indicator-marking-tlp description: Traffic Light Protocol sharing markings. - example: WHITE + example: CLEAR expected_values: - WHITE + - CLEAR - GREEN - AMBER + - AMBER+STRICT - RED flat_name: threat.indicator.marking.tlp ignore_above: 1024 diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index ea0f14828e..ed94f30d11 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -18201,11 +18201,13 @@ threat: threat.indicator.marking.tlp: dashed_name: threat-indicator-marking-tlp description: Traffic Light Protocol sharing markings. - example: WHITE + example: CLEAR expected_values: - WHITE + - CLEAR - GREEN - AMBER + - AMBER+STRICT - RED flat_name: threat.indicator.marking.tlp ignore_above: 1024 
diff --git a/schemas/threat.yml b/schemas/threat.yml index 36c1ba4e87..456ad0b0be 100644 --- a/schemas/threat.yml +++ b/schemas/threat.yml @@ -451,10 +451,12 @@ Traffic Light Protocol sharing markings. expected_values: - WHITE + - CLEAR - GREEN - AMBER + - AMBER+STRICT - RED - example: WHITE + example: CLEAR - name: indicator.reference level: extended From 6c8f9879467562849625c097ed6e4f9d6313f796 Mon Sep 17 00:00:00 2001 From: Kylie Geller Date: Wed, 24 Aug 2022 14:41:40 -0400 Subject: [PATCH 031/186] [main] 8.4 changelog (#2040) --- CHANGELOG.md | 19 +++++++++++++++++++ CHANGELOG.next.md | 23 ----------------------- 2 files changed, 19 insertions(+), 23 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 87ab71e926..acc1571123 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,25 @@ # CHANGELOG All notable changes to this project will be documented in this file based on the [Keep a Changelog](http://keepachangelog.com/) Standard. This project adheres to [Semantic Versioning](http://semver.org/). +## [8.4.0](https://github.com/elastic/ecs/compare/v8.3.1...v8.4.0) + +### Schema Changes + +#### Added + +* Initial set of `expected_values`. #1962 +* Adding `service.node.roles`. #1981 + +### Tooling and Artifact Changes + +#### Added + +* Introduce `expected_values` attribute. #1952 + +#### Improvements + +* Additional type annotations. #1950 + ## [8.3.1](https://github.com/elastic/ecs/compare/v8.3.0...v8.3.1) ### Schema Changes diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index b6915aeb5a..d48c2f8730 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md 
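Review bot: the `schemas/threat.yml` hunk adds `CLEAR` and `AMBER+STRICT` to `expected_values` while keeping `WHITE` and `AMBER`, but the description stays at "Traffic Light Protocol sharing markings." with no version reference; state that `WHITE` is the TLP 1.0 spelling that TLP 2.0 renamed to `CLEAR`, and cite the TLP 2.0 definition the changelog hunk already links (https://www.first.org/tlp/), so producers know which spelling to emit and consumers know both may coexist in data indexed before this change. Changing the `example` to `CLEAR` is fine.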
@@ -69,29 +69,6 @@ Thanks, you're awesome :-) --> #### Deprecated -## 8.4.0 (Hard Feature Freeze) - -### Schema Changes - -#### Added - -* Initial set of `expected_values`. #1962 -* Adding `service.node.roles`. #1981 - -### Tooling and Artifact Changes - -#### Breaking changes - -#### Added - -* Introduce `expected_values` attribute. #1952 - -#### Improvements - -* Additional type annotations. #1950 - -#### Deprecated - ## 8.5.0 (Soft Feature Freeze) +* Changed `process.env_vars` field type to be an array of keywords. #2038 + ### Schema Changes #### Breaking changes diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index 9003b023f2..a79f89ae41 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -7350,15 +7350,18 @@ type: keyword a| beta:[ This field is beta and subject to change. ] -Environment variables (`env_vars`) set at the time of the event. May be filtered to protect sensitive information. +Array of environment variable bindings. Captured from a snapshot of the environment at the time of execution. -The field should not contain nested objects. All values should use `keyword`. +May be filtered to protect sensitive information. -type: object +type: keyword + + +Note: this field should contain an array of values. -example: `{"USER": "elastic","LANG": "en_US.UTF-8","HOME": "/home/elastic"}` +example: `["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]` | extended diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index aeee63a4e2..c857369ed9 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -5549,12 +5549,13 @@ default_field: false - name: env_vars level: extended - type: object - description: 'Environment variables (`env_vars`) set at the time of the event. - May be filtered to protect sensitive information. + type: keyword + ignore_above: 1024 + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. - The field should not contain nested objects. All values should use `keyword`.' - example: '{"USER": "elastic","LANG": "en_US.UTF-8","HOME": "/home/elastic"}' + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' default_field: false - name: executable level: extended diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 1356a9c466..b9ea06c02d 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -613,7 +613,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev+exp,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 8.6.0-dev+exp,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. 8.6.0-dev+exp,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.6.0-dev+exp,true,process,process.env_vars,object,extended,,"{""USER"": ""elastic"",""LANG"": ""en_US.UTF-8"",""HOME"": ""/home/elastic""}",Environment variables set at the time of the event. +8.6.0-dev+exp,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. 8.6.0-dev+exp,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.6.0-dev+exp,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.6.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index c80f99e9d6..1127d55c7f 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -7947,17 +7947,19 @@ process.entry_leader.working_directory: process.env_vars: beta: This field is beta and subject to change. dashed_name: process-env-vars - description: 'Environment variables (`env_vars`) set at the time of the event. May - be filtered to protect sensitive information. + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. - The field should not contain nested objects. All values should use `keyword`.' - example: '{"USER": "elastic","LANG": "en_US.UTF-8","HOME": "/home/elastic"}' + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' flat_name: process.env_vars + ignore_above: 1024 level: extended name: env_vars - normalize: [] - short: Environment variables set at the time of the event. - type: object + normalize: + - array + short: Array of environment variable bindings. + type: keyword process.executable: dashed_name: process-executable description: Absolute path to the process executable. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index f5b9e97dc1..8dfc6c4370 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -9668,17 +9668,19 @@ process: process.env_vars: beta: This field is beta and subject to change. dashed_name: process-env-vars - description: 'Environment variables (`env_vars`) set at the time of the event. - May be filtered to protect sensitive information. + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. - The field should not contain nested objects. All values should use `keyword`.' - example: '{"USER": "elastic","LANG": "en_US.UTF-8","HOME": "/home/elastic"}' + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' flat_name: process.env_vars + ignore_above: 1024 level: extended name: env_vars - normalize: [] - short: Environment variables set at the time of the event. - type: object + normalize: + - array + short: Array of environment variable bindings. + type: keyword process.executable: dashed_name: process-executable description: Absolute path to the process executable. diff --git a/experimental/generated/elasticsearch/composable/component/process.json b/experimental/generated/elasticsearch/composable/component/process.json index b480c995e8..3d198e115c 100644 --- a/experimental/generated/elasticsearch/composable/component/process.json +++ b/experimental/generated/elasticsearch/composable/component/process.json @@ -403,7 +403,8 @@ } }, "env_vars": { - "type": "object" + "ignore_above": 1024, + "type": "keyword" }, "executable": { "fields": { diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index af8a93e97c..be2b16996b 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -2923,7 +2923,8 @@ } }, "env_vars": { - "type": "object" + "ignore_above": 1024, + "type": "keyword" }, "executable": { "fields": { 
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 7b29dbd6b4..a252c8258d 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -5453,12 +5453,13 @@ default_field: false - name: env_vars level: extended - type: object - description: 'Environment variables (`env_vars`) set at the time of the event. - May be filtered to protect sensitive information. + type: keyword + ignore_above: 1024 + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. - The field should not contain nested objects. All values should use `keyword`.' - example: '{"USER": "elastic","LANG": "en_US.UTF-8","HOME": "/home/elastic"}' + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' default_field: false - name: executable level: extended diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index cc4baa9974..af5a8eda2b 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -600,7 +600,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 8.6.0-dev,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. 8.6.0-dev,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.6.0-dev,true,process,process.env_vars,object,extended,,"{""USER"": ""elastic"",""LANG"": ""en_US.UTF-8"",""HOME"": ""/home/elastic""}",Environment variables set at the time of the event. +8.6.0-dev,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. 8.6.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.6.0-dev,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.6.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 55d0dcd98b..d89882262d 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -7798,17 +7798,19 @@ process.entry_leader.working_directory: process.env_vars: beta: This field is beta and subject to change. dashed_name: process-env-vars - description: 'Environment variables (`env_vars`) set at the time of the event. May - be filtered to protect sensitive information. + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. - The field should not contain nested objects. All values should use `keyword`.' - example: '{"USER": "elastic","LANG": "en_US.UTF-8","HOME": "/home/elastic"}' + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' flat_name: process.env_vars + ignore_above: 1024 level: extended name: env_vars - normalize: [] - short: Environment variables set at the time of the event. - type: object + normalize: + - array + short: Array of environment variable bindings. + type: keyword process.executable: dashed_name: process-executable description: Absolute path to the process executable. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index ed94f30d11..47cd60cbe4 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -9504,17 +9504,19 @@ process: process.env_vars: beta: This field is beta and subject to change. dashed_name: process-env-vars - description: 'Environment variables (`env_vars`) set at the time of the event. - May be filtered to protect sensitive information. + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. - The field should not contain nested objects. All values should use `keyword`.' - example: '{"USER": "elastic","LANG": "en_US.UTF-8","HOME": "/home/elastic"}' + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' flat_name: process.env_vars + ignore_above: 1024 level: extended name: env_vars - normalize: [] - short: Environment variables set at the time of the event. - type: object + normalize: + - array + short: Array of environment variable bindings. + type: keyword process.executable: dashed_name: process-executable description: Absolute path to the process executable. diff --git a/generated/elasticsearch/composable/component/process.json b/generated/elasticsearch/composable/component/process.json index 2562eec8c4..c117fc17a4 100644 --- a/generated/elasticsearch/composable/component/process.json +++ b/generated/elasticsearch/composable/component/process.json @@ -403,7 +403,8 @@ } }, "env_vars": { - "type": "object" + "ignore_above": 1024, + "type": "keyword" }, "executable": { "fields": { diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index 7b06a421b7..d14a1e8026 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -2857,7 +2857,8 @@ } }, "env_vars": { - "type": "object" + "ignore_above": 1024, + "type": "keyword" }, "executable": { "fields": { diff --git a/schemas/process.yml b/schemas/process.yml index b4a148222c..497f7d4095 100644 --- a/schemas/process.yml +++ b/schemas/process.yml 
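Review bot: the composable and legacy template hunks change `env_vars` from `"type": "object"` to `"type": "keyword"` (with `"ignore_above": 1024`), which is a mapping type change rather than an addition: an index created with the object mapping cannot have the field retyped in place, so deployments need a new index or a rollover before events in the new array form are accepted, and documents still shipped in the old `{"USER": "elastic", ...}` object form will be rejected by the keyword mapping. Both points deserve a sentence in the changelog entry. A second consequence worth stating in the field description: with `ignore_above: 1024`, any single binding longer than 1024 characters (a long `PATH` is the usual case) is kept in `_source` but not indexed, so it will not match a search on `process.env_vars`.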
@@ -280,15 +280,17 @@ - name: env_vars level: extended - type: object + type: keyword beta: This field is beta and subject to change. - short: Environment variables set at the time of the event. + short: Array of environment variable bindings. description: > - Environment variables (`env_vars`) set at the time of the event. - May be filtered to protect sensitive information. + Array of environment variable bindings. + Captured from a snapshot of the environment at the time of execution. - The field should not contain nested objects. All values should use `keyword`. - example: "{\"USER\": \"elastic\",\"LANG\": \"en_US.UTF-8\",\"HOME\": \"/home/elastic\"}" + May be filtered to protect sensitive information. + example: "[\"PATH=/usr/local/bin:/usr/bin\", \"USER=ubuntu\"]" + normalize: + - array - name: entry_meta.type level: extended From e2107b7f46c0ed1bc77f872b086c41b82c86862b Mon Sep 17 00:00:00 2001 
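Review bot: the rewritten description in the `schemas/process.yml` hunk does not say what an array element looks like; the example `["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]` implies one `NAME=value` string per element, with everything after the first `=` being the value (values such as `LS_COLORS` contain further `=` characters themselves), and that should be stated so consumers neither expect an object nor split on every `=`. The sentence `May be filtered to protect sensitive information.` also leaves open who filters: an environment snapshot routinely carries API keys, tokens and passwords, so the description should say that the producer (agent or integration) is expected to redact or drop sensitive bindings before the event is shipped, rather than presenting filtering as optional downstream behaviour.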
From: Karl Godard Date: Tue, 30 Aug 2022 08:53:06 -0700 Subject: [PATCH 034/186] [RFC Stage-2] Process IO events (#2031) * rfc 0035 fields added to schema as beta fields. Also, added two new fields to the process.tty object for tracking terminal window size * generator.py artifacts * changelog file updated * more build artifacts * renamed lines to rows * rebuilt * cleanup * cleanup * field rename consistency Co-authored-by: Karl Godard --- CHANGELOG.next.md | 2 + docs/fields/field-details.asciidoc | 46 +++++++- experimental/generated/beats/fields.ecs.yml | 48 +++++--- experimental/generated/csv/fields.csv | 22 ++-- experimental/generated/ecs/ecs_flat.yml | 58 +++++++--- experimental/generated/ecs/ecs_nested.yml | 58 +++++++--- .../composable/component/process.json | 6 + .../elasticsearch/legacy/template.json | 6 + generated/beats/fields.ecs.yml | 48 +++++--- generated/csv/fields.csv | 22 ++-- generated/ecs/ecs_flat.yml | 58 +++++++--- generated/ecs/ecs_nested.yml | 58 +++++++--- .../composable/component/process.json | 6 + generated/elasticsearch/legacy/template.json | 6 + rfcs/text/0035-tty-output.md | 9 +- rfcs/text/0035/process.yml | 22 ++++ schemas/process.yml | 103 +++++++++++++++++- 17 files changed, 461 insertions(+), 117 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index e76f3efb84..abd4621cac 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -49,6 +49,8 @@ Thanks, you're awesome :-) --> #### Added * Adding `risk.*` fields as experimental. #1994, #2010 +* Adding `process.io.*` as beta fields. #1956, #2031 +* Adding `process.tty.rows` and `process.tty.columns` as beta fields. #2031 #### Improvements diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index a79f89ae41..39abb80525 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc 
@@ -7609,13 +7609,13 @@ type: object a| beta:[ This field is beta and subject to change. ] -The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0. For more details, please refer to the Linux kernel documentation. +The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. type: long -example: `1` +example: `4` | extended @@ -7633,7 +7633,47 @@ type: long -example: `128` +example: `1` + +| extended + +// =============================================================== + +| +[[field-process-tty-columns]] +<> + +a| beta:[ This field is beta and subject to change. ] + +The number of character columns per line. e.g terminal width + +Terminal sizes can change, so this value reflects the maximum value for a given IO event. i.e. where event.action = 'text_output' + +type: long + + + +example: `80` + +| extended + +// =============================================================== + +| +[[field-process-tty-rows]] +<> + +a| beta:[ This field is beta and subject to change. ] + +The number of character rows in the terminal. e.g terminal height + +Terminal sizes can change, so this value reflects the maximum value for a given IO event. i.e. where event.action = 'text_output' + +type: long + + + +example: `24` | extended diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index c857369ed9..1c5110c332 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
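Review bot: the new `process.tty.columns` and `process.tty.rows` descriptions in the field-details hunk are ambiguous about what "the maximum value for a given IO event" means (the largest size seen while the event's output was being captured, or the size at the last resize before it?), and the trailing "e.g terminal width" / "i.e. where event.action = 'text_output'" read as margin notes rather than as part of the definition. Since this asciidoc is generated, the wording should be fixed in `schemas/process.yml` (listed in this patch); something like "The number of character columns in the terminal (its width). Terminal sizes can change during a session, so this is the largest width observed while capturing the IO event reported with `event.action: text_output`." makes the rule explicit, with the matching sentence for rows. The example change from `1`/`128` to `4`/`1` for `char_device.major`/`minor` is an improvement (major 4 is the Linux TTY driver, so 4/1 is `/dev/tty1`), but because the description names `ttyS0` and `pts/0`, an example that matches one of them (4/64 for `ttyS0`, or 136/0 for `pts/0`) would let a reader verify the major/minor combination against the text.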
@@ -5507,9 +5507,9 @@ type: long description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0. + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. - example: 1 + example: 4 default_field: false - name: entry_leader.tty.char_device.minor level: extended @@ -5518,7 +5518,7 @@ \ number; other parts of the kernel don\u2019t use it, and merely pass it\ \ along to the driver. It is common for a driver to control several devices;\ \ the minor number provides a way for the driver to differentiate among them." - example: 128 + example: 1 default_field: false - name: entry_leader.user.id level: core @@ -5791,9 +5791,9 @@ type: long description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0. + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. - example: 1 + example: 4 default_field: false - name: group_leader.tty.char_device.minor level: extended @@ -5802,7 +5802,7 @@ \ number; other parts of the kernel don\u2019t use it, and merely pass it\ \ along to the driver. It is common for a driver to control several devices;\ \ the minor number provides a way for the driver to differentiate among them." - example: 128 + example: 1 default_field: false - name: group_leader.user.id level: core 
@@ -6529,9 +6529,9 @@ type: long description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0. + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. - example: 1 + example: 4 default_field: false - name: parent.tty.char_device.minor level: extended @@ -6540,7 +6540,7 @@ \ number; other parts of the kernel don\u2019t use it, and merely pass it\ \ along to the driver. It is common for a driver to control several devices;\ \ the minor number provides a way for the driver to differentiate among them." - example: 128 + example: 1 default_field: false - name: parent.uptime level: extended @@ -7012,9 +7012,9 @@ type: long description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0. + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. - example: 1 + example: 4 default_field: false - name: session_leader.tty.char_device.minor level: extended @@ -7023,7 +7023,7 @@ \ number; other parts of the kernel don\u2019t use it, and merely pass it\ \ along to the driver. It is common for a driver to control several devices;\ \ the minor number provides a way for the driver to differentiate among them." - example: 128 + example: 1 default_field: false - name: session_leader.user.id level: core 
@@ -7104,9 +7104,9 @@ type: long description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0. + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. - example: 1 + example: 4 default_field: false - name: tty.char_device.minor level: extended @@ -7115,7 +7115,25 @@ \ number; other parts of the kernel don\u2019t use it, and merely pass it\ \ along to the driver. It is common for a driver to control several devices;\ \ the minor number provides a way for the driver to differentiate among them." - example: 128 + example: 1 + default_field: false + - name: tty.columns + level: extended + type: long + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + default_field: false + - name: tty.rows + level: extended + type: long + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 default_field: false - name: uptime level: extended diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index b9ea06c02d..519ff5779c 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -606,8 +606,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev+exp,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. 8.6.0-dev+exp,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. 8.6.0-dev+exp,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. -8.6.0-dev+exp,true,process,process.entry_leader.tty.char_device.major,long,extended,,1,The TTY character device's major number. -8.6.0-dev+exp,true,process,process.entry_leader.tty.char_device.minor,long,extended,,128,The TTY character device's minor number. +8.6.0-dev+exp,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.6.0-dev+exp,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. 8.6.0-dev+exp,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.6.0-dev+exp,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. 8.6.0-dev+exp,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
@@ -645,8 +645,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev+exp,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. 8.6.0-dev+exp,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. 8.6.0-dev+exp,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. -8.6.0-dev+exp,true,process,process.group_leader.tty.char_device.major,long,extended,,1,The TTY character device's major number. -8.6.0-dev+exp,true,process,process.group_leader.tty.char_device.minor,long,extended,,128,The TTY character device's minor number. +8.6.0-dev+exp,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.6.0-dev+exp,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. 8.6.0-dev+exp,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.6.0-dev+exp,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. 8.6.0-dev+exp,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
@@ -752,8 +752,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev+exp,true,process,process.parent.title,keyword,extended,,,Process title. 8.6.0-dev+exp,true,process,process.parent.title.text,match_only_text,extended,,,Process title. 8.6.0-dev+exp,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. -8.6.0-dev+exp,true,process,process.parent.tty.char_device.major,long,extended,,1,The TTY character device's major number. -8.6.0-dev+exp,true,process,process.parent.tty.char_device.minor,long,extended,,128,The TTY character device's minor number. +8.6.0-dev+exp,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.6.0-dev+exp,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. 8.6.0-dev+exp,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. 8.6.0-dev+exp,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.6.0-dev+exp,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. 
@@ -818,8 +818,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev+exp,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. 8.6.0-dev+exp,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. 8.6.0-dev+exp,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. -8.6.0-dev+exp,true,process,process.session_leader.tty.char_device.major,long,extended,,1,The TTY character device's major number. -8.6.0-dev+exp,true,process,process.session_leader.tty.char_device.minor,long,extended,,128,The TTY character device's minor number. +8.6.0-dev+exp,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.6.0-dev+exp,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. 8.6.0-dev+exp,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.6.0-dev+exp,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. 8.6.0-dev+exp,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
@@ -833,8 +833,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev+exp,true,process,process.title,keyword,extended,,,Process title. 8.6.0-dev+exp,true,process,process.title.text,match_only_text,extended,,,Process title. 8.6.0-dev+exp,true,process,process.tty,object,extended,,,Information about the controlling TTY device. -8.6.0-dev+exp,true,process,process.tty.char_device.major,long,extended,,1,The TTY character device's major number. -8.6.0-dev+exp,true,process,process.tty.char_device.minor,long,extended,,128,The TTY character device's minor number. +8.6.0-dev+exp,true,process,process.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.6.0-dev+exp,true,process,process.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.6.0-dev+exp,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width +8.6.0-dev+exp,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height 8.6.0-dev+exp,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. 8.6.0-dev+exp,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.6.0-dev+exp,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 1127d55c7f..a4dc079211 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -7875,9 +7875,9 @@ process.entry_leader.tty.char_device.major: dashed_name: process-entry-leader-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0. + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. - example: 1 + example: 4 flat_name: process.entry_leader.tty.char_device.major level: extended name: tty.char_device.major @@ -7892,7 +7892,7 @@ process.entry_leader.tty.char_device.minor: \ number; other parts of the kernel don\u2019t use it, and merely pass it along\ \ to the driver. It is common for a driver to control several devices; the minor\ \ number provides a way for the driver to differentiate among them." - example: 128 + example: 1 flat_name: process.entry_leader.tty.char_device.minor level: extended name: tty.char_device.minor @@ -8328,9 +8328,9 @@ process.group_leader.tty.char_device.major: dashed_name: process-group-leader-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0. + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. - example: 1 + example: 4 flat_name: process.group_leader.tty.char_device.major level: extended name: tty.char_device.major 
@@ -8345,7 +8345,7 @@ process.group_leader.tty.char_device.minor: \ number; other parts of the kernel don\u2019t use it, and merely pass it along\ \ to the driver. It is common for a driver to control several devices; the minor\ \ number provides a way for the driver to differentiate among them." - example: 128 + example: 1 flat_name: process.group_leader.tty.char_device.minor level: extended name: tty.char_device.minor @@ -9579,9 +9579,9 @@ process.parent.tty.char_device.major: dashed_name: process-parent-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0. + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. - example: 1 + example: 4 flat_name: process.parent.tty.char_device.major level: extended name: tty.char_device.major @@ -9596,7 +9596,7 @@ process.parent.tty.char_device.minor: \ number; other parts of the kernel don\u2019t use it, and merely pass it along\ \ to the driver. It is common for a driver to control several devices; the minor\ \ number provides a way for the driver to differentiate among them." - example: 128 + example: 1 flat_name: process.parent.tty.char_device.minor level: extended name: tty.char_device.minor 
@@ -10360,9 +10360,9 @@ process.session_leader.tty.char_device.major: dashed_name: process-session-leader-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0. + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. - example: 1 + example: 4 flat_name: process.session_leader.tty.char_device.major level: extended name: tty.char_device.major @@ -10377,7 +10377,7 @@ process.session_leader.tty.char_device.minor: \ number; other parts of the kernel don\u2019t use it, and merely pass it along\ \ to the driver. It is common for a driver to control several devices; the minor\ \ number provides a way for the driver to differentiate among them." - example: 128 + example: 1 flat_name: process.session_leader.tty.char_device.minor level: extended name: tty.char_device.minor @@ -10516,9 +10516,9 @@ process.tty.char_device.major: dashed_name: process-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0. + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. - example: 1 + example: 4 flat_name: process.tty.char_device.major level: extended name: tty.char_device.major 
@@ -10532,13 +10532,41 @@ process.tty.char_device.minor: \ number; other parts of the kernel don\u2019t use it, and merely pass it along\ \ to the driver. It is common for a driver to control several devices; the minor\ \ number provides a way for the driver to differentiate among them." - example: 128 + example: 1 flat_name: process.tty.char_device.minor level: extended name: tty.char_device.minor normalize: [] short: The TTY character device's minor number. type: long +process.tty.columns: + beta: This field is beta and subject to change. + dashed_name: process-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.tty.columns + level: extended + name: tty.columns + normalize: [] + short: The number of character columns per line. e.g terminal width + type: long +process.tty.rows: + beta: This field is beta and subject to change. + dashed_name: process-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.tty.rows + level: extended + name: tty.rows + normalize: [] + short: The number of character rows in the terminal. e.g terminal height + type: long process.uptime: dashed_name: process-uptime description: Seconds the process has been up. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 8dfc6c4370..1ee6299408 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
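Review bot: in the `ecs_flat.yml` hunk the `short:` text for `process.tty.columns` and `process.tty.rows` is `The number of character columns per line. e.g terminal width` and `The number of character rows in the terminal. e.g terminal height`, and the same string becomes the `Description` column of the CSV hunks; a `short` should be one complete sentence, so suggest `The number of character columns in the terminal (its width).` and `The number of character rows in the terminal (its height).`, changed in `schemas/process.yml` so that every generated artifact picks it up.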
@@ -9596,9 +9596,9 @@ process: dashed_name: process-entry-leader-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0. + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. - example: 1 + example: 4 flat_name: process.entry_leader.tty.char_device.major level: extended name: tty.char_device.major @@ -9613,7 +9613,7 @@ process: \ number; other parts of the kernel don\u2019t use it, and merely pass it\ \ along to the driver. It is common for a driver to control several devices;\ \ the minor number provides a way for the driver to differentiate among them." - example: 128 + example: 1 flat_name: process.entry_leader.tty.char_device.minor level: extended name: tty.char_device.minor @@ -10049,9 +10049,9 @@ process: dashed_name: process-group-leader-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0. + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. - example: 1 + example: 4 flat_name: process.group_leader.tty.char_device.major level: extended name: tty.char_device.major @@ -10066,7 +10066,7 @@ process: \ number; other parts of the kernel don\u2019t use it, and merely pass it\ \ along to the driver. It is common for a driver to control several devices;\ \ the minor number provides a way for the driver to differentiate among them." - example: 128 + example: 1 flat_name: process.group_leader.tty.char_device.minor level: extended name: tty.char_device.minor 
@@ -11300,9 +11300,9 @@ process: dashed_name: process-parent-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0. + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. - example: 1 + example: 4 flat_name: process.parent.tty.char_device.major level: extended name: tty.char_device.major @@ -11317,7 +11317,7 @@ process: \ number; other parts of the kernel don\u2019t use it, and merely pass it\ \ along to the driver. It is common for a driver to control several devices;\ \ the minor number provides a way for the driver to differentiate among them." - example: 128 + example: 1 flat_name: process.parent.tty.char_device.minor level: extended name: tty.char_device.minor @@ -12081,9 +12081,9 @@ process: dashed_name: process-session-leader-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0. + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. - example: 1 + example: 4 flat_name: process.session_leader.tty.char_device.major level: extended name: tty.char_device.major @@ -12098,7 +12098,7 @@ process: \ number; other parts of the kernel don\u2019t use it, and merely pass it\ \ along to the driver. It is common for a driver to control several devices;\ \ the minor number provides a way for the driver to differentiate among them." - example: 128 + example: 1 flat_name: process.session_leader.tty.char_device.minor level: extended name: tty.char_device.minor 
@@ -12237,9 +12237,9 @@ process: dashed_name: process-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0. + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. - example: 1 + example: 4 flat_name: process.tty.char_device.major level: extended name: tty.char_device.major 
@@ -12253,13 +12253,41 @@ process: \ number; other parts of the kernel don\u2019t use it, and merely pass it\ \ along to the driver. It is common for a driver to control several devices;\ \ the minor number provides a way for the driver to differentiate among them." - example: 128 + example: 1 flat_name: process.tty.char_device.minor level: extended name: tty.char_device.minor normalize: [] short: The TTY character device's minor number. type: long + process.tty.columns: + beta: This field is beta and subject to change. + dashed_name: process-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.tty.columns + level: extended + name: tty.columns + normalize: [] + short: The number of character columns per line. e.g terminal width + type: long + process.tty.rows: + beta: This field is beta and subject to change. + dashed_name: process-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.tty.rows + level: extended + name: tty.rows + normalize: [] + short: The number of character rows in the terminal. e.g terminal height + type: long process.uptime: dashed_name: process-uptime description: Seconds the process has been up. diff --git a/experimental/generated/elasticsearch/composable/component/process.json b/experimental/generated/elasticsearch/composable/component/process.json index 3d198e115c..a987ce8623 100644 --- a/experimental/generated/elasticsearch/composable/component/process.json +++ b/experimental/generated/elasticsearch/composable/component/process.json 
@@ -1448,6 +1448,12 @@ "type": "long" } } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" } }, "type": "object" diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index be2b16996b..b3272a4b64 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -3968,6 +3968,12 @@ "type": "long" } } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" } }, "type": "object" diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index a252c8258d..4a5dbeb26d 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -5411,9 +5411,9 @@ type: long description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0. + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. - example: 1 + example: 4 default_field: false - name: entry_leader.tty.char_device.minor level: extended @@ -5422,7 +5422,7 @@ \ number; other parts of the kernel don\u2019t use it, and merely pass it\ \ along to the driver. It is common for a driver to control several devices;\ \ the minor number provides a way for the driver to differentiate among them." - example: 128 + example: 1 default_field: false - name: entry_leader.user.id level: core 
@@ -5695,9 +5695,9 @@ type: long description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0. + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. - example: 1 + example: 4 default_field: false - name: group_leader.tty.char_device.minor level: extended @@ -5706,7 +5706,7 @@ \ number; other parts of the kernel don\u2019t use it, and merely pass it\ \ along to the driver. It is common for a driver to control several devices;\ \ the minor number provides a way for the driver to differentiate among them." - example: 128 + example: 1 default_field: false - name: group_leader.user.id level: core @@ -6433,9 +6433,9 @@ type: long description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0. + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. - example: 1 + example: 4 default_field: false - name: parent.tty.char_device.minor level: extended @@ -6444,7 +6444,7 @@ \ number; other parts of the kernel don\u2019t use it, and merely pass it\ \ along to the driver. It is common for a driver to control several devices;\ \ the minor number provides a way for the driver to differentiate among them." - example: 128 + example: 1 default_field: false - name: parent.uptime level: extended 
@@ -6916,9 +6916,9 @@ type: long description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0. + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. - example: 1 + example: 4 default_field: false - name: session_leader.tty.char_device.minor level: extended @@ -6927,7 +6927,7 @@ \ number; other parts of the kernel don\u2019t use it, and merely pass it\ \ along to the driver. It is common for a driver to control several devices;\ \ the minor number provides a way for the driver to differentiate among them." - example: 128 + example: 1 default_field: false - name: session_leader.user.id level: core @@ -7008,9 +7008,9 @@ type: long description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0. + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. - example: 1 + example: 4 default_field: false - name: tty.char_device.minor level: extended 
@@ -7019,7 +7019,25 @@ \ number; other parts of the kernel don\u2019t use it, and merely pass it\ \ along to the driver. It is common for a driver to control several devices;\ \ the minor number provides a way for the driver to differentiate among them." - example: 128 + example: 1 + default_field: false + - name: tty.columns + level: extended + type: long + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + default_field: false + - name: tty.rows + level: extended + type: long + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 default_field: false - name: uptime level: extended diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index af5a8eda2b..d736c50f3d 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -593,8 +593,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. 8.6.0-dev,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. 8.6.0-dev,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. -8.6.0-dev,true,process,process.entry_leader.tty.char_device.major,long,extended,,1,The TTY character device's major number. -8.6.0-dev,true,process,process.entry_leader.tty.char_device.minor,long,extended,,128,The TTY character device's minor number. +8.6.0-dev,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.6.0-dev,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. 8.6.0-dev,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.6.0-dev,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. 8.6.0-dev,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
@@ -632,8 +632,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. 8.6.0-dev,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. 8.6.0-dev,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. -8.6.0-dev,true,process,process.group_leader.tty.char_device.major,long,extended,,1,The TTY character device's major number. -8.6.0-dev,true,process,process.group_leader.tty.char_device.minor,long,extended,,128,The TTY character device's minor number. +8.6.0-dev,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.6.0-dev,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. 8.6.0-dev,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.6.0-dev,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. 8.6.0-dev,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
@@ -739,8 +739,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev,true,process,process.parent.title,keyword,extended,,,Process title. 8.6.0-dev,true,process,process.parent.title.text,match_only_text,extended,,,Process title. 8.6.0-dev,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. -8.6.0-dev,true,process,process.parent.tty.char_device.major,long,extended,,1,The TTY character device's major number. -8.6.0-dev,true,process,process.parent.tty.char_device.minor,long,extended,,128,The TTY character device's minor number. +8.6.0-dev,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.6.0-dev,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. 8.6.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. 8.6.0-dev,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.6.0-dev,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. 
@@ -805,8 +805,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. 8.6.0-dev,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. 8.6.0-dev,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. -8.6.0-dev,true,process,process.session_leader.tty.char_device.major,long,extended,,1,The TTY character device's major number. -8.6.0-dev,true,process,process.session_leader.tty.char_device.minor,long,extended,,128,The TTY character device's minor number. +8.6.0-dev,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.6.0-dev,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. 8.6.0-dev,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.6.0-dev,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. 8.6.0-dev,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
@@ -820,8 +820,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev,true,process,process.title,keyword,extended,,,Process title. 8.6.0-dev,true,process,process.title.text,match_only_text,extended,,,Process title. 8.6.0-dev,true,process,process.tty,object,extended,,,Information about the controlling TTY device. -8.6.0-dev,true,process,process.tty.char_device.major,long,extended,,1,The TTY character device's major number. -8.6.0-dev,true,process,process.tty.char_device.minor,long,extended,,128,The TTY character device's minor number. +8.6.0-dev,true,process,process.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.6.0-dev,true,process,process.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.6.0-dev,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width +8.6.0-dev,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height 8.6.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. 8.6.0-dev,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.6.0-dev,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index d89882262d..bc0a3f36ca 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -7726,9 +7726,9 @@ process.entry_leader.tty.char_device.major: dashed_name: process-entry-leader-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0. + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. - example: 1 + example: 4 flat_name: process.entry_leader.tty.char_device.major level: extended name: tty.char_device.major @@ -7743,7 +7743,7 @@ process.entry_leader.tty.char_device.minor: \ number; other parts of the kernel don\u2019t use it, and merely pass it along\ \ to the driver. It is common for a driver to control several devices; the minor\ \ number provides a way for the driver to differentiate among them." - example: 128 + example: 1 flat_name: process.entry_leader.tty.char_device.minor level: extended name: tty.char_device.minor @@ -8179,9 +8179,9 @@ process.group_leader.tty.char_device.major: dashed_name: process-group-leader-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0. + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. - example: 1 + example: 4 flat_name: process.group_leader.tty.char_device.major level: extended name: tty.char_device.major 
@@ -8196,7 +8196,7 @@ process.group_leader.tty.char_device.minor: \ number; other parts of the kernel don\u2019t use it, and merely pass it along\ \ to the driver. It is common for a driver to control several devices; the minor\ \ number provides a way for the driver to differentiate among them." - example: 128 + example: 1 flat_name: process.group_leader.tty.char_device.minor level: extended name: tty.char_device.minor @@ -9430,9 +9430,9 @@ process.parent.tty.char_device.major: dashed_name: process-parent-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0. + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. - example: 1 + example: 4 flat_name: process.parent.tty.char_device.major level: extended name: tty.char_device.major @@ -9447,7 +9447,7 @@ process.parent.tty.char_device.minor: \ number; other parts of the kernel don\u2019t use it, and merely pass it along\ \ to the driver. It is common for a driver to control several devices; the minor\ \ number provides a way for the driver to differentiate among them." - example: 128 + example: 1 flat_name: process.parent.tty.char_device.minor level: extended name: tty.char_device.minor 
@@ -10211,9 +10211,9 @@ process.session_leader.tty.char_device.major: dashed_name: process-session-leader-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0. + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. - example: 1 + example: 4 flat_name: process.session_leader.tty.char_device.major level: extended name: tty.char_device.major @@ -10228,7 +10228,7 @@ process.session_leader.tty.char_device.minor: \ number; other parts of the kernel don\u2019t use it, and merely pass it along\ \ to the driver. It is common for a driver to control several devices; the minor\ \ number provides a way for the driver to differentiate among them." - example: 128 + example: 1 flat_name: process.session_leader.tty.char_device.minor level: extended name: tty.char_device.minor @@ -10367,9 +10367,9 @@ process.tty.char_device.major: dashed_name: process-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0. + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. - example: 1 + example: 4 flat_name: process.tty.char_device.major level: extended name: tty.char_device.major 
@@ -10383,13 +10383,41 @@ process.tty.char_device.minor: \ number; other parts of the kernel don\u2019t use it, and merely pass it along\ \ to the driver. It is common for a driver to control several devices; the minor\ \ number provides a way for the driver to differentiate among them." - example: 128 + example: 1 flat_name: process.tty.char_device.minor level: extended name: tty.char_device.minor normalize: [] short: The TTY character device's minor number. type: long +process.tty.columns: + beta: This field is beta and subject to change. + dashed_name: process-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.tty.columns + level: extended + name: tty.columns + normalize: [] + short: The number of character columns per line. e.g terminal width + type: long +process.tty.rows: + beta: This field is beta and subject to change. + dashed_name: process-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.tty.rows + level: extended + name: tty.rows + normalize: [] + short: The number of character rows in the terminal. e.g terminal height + type: long process.uptime: dashed_name: process-uptime description: Seconds the process has been up. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 47cd60cbe4..7b3c1ff8a4 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -9432,9 +9432,9 @@ process: dashed_name: process-entry-leader-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0. + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. - example: 1 + example: 4 flat_name: process.entry_leader.tty.char_device.major level: extended name: tty.char_device.major @@ -9449,7 +9449,7 @@ process: \ number; other parts of the kernel don\u2019t use it, and merely pass it\ \ along to the driver. It is common for a driver to control several devices;\ \ the minor number provides a way for the driver to differentiate among them." - example: 128 + example: 1 flat_name: process.entry_leader.tty.char_device.minor level: extended name: tty.char_device.minor @@ -9885,9 +9885,9 @@ process: dashed_name: process-group-leader-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0. + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. - example: 1 + example: 4 flat_name: process.group_leader.tty.char_device.major level: extended name: tty.char_device.major @@ -9902,7 +9902,7 @@ process: \ number; other parts of the kernel don\u2019t use it, and merely pass it\ \ along to the driver. It is common for a driver to control several devices;\ \ the minor number provides a way for the driver to differentiate among them." - example: 128 + example: 1 flat_name: process.group_leader.tty.char_device.minor level: extended name: tty.char_device.minor 
@@ -11136,9 +11136,9 @@ process: dashed_name: process-parent-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0. + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. - example: 1 + example: 4 flat_name: process.parent.tty.char_device.major level: extended name: tty.char_device.major @@ -11153,7 +11153,7 @@ process: \ number; other parts of the kernel don\u2019t use it, and merely pass it\ \ along to the driver. It is common for a driver to control several devices;\ \ the minor number provides a way for the driver to differentiate among them." - example: 128 + example: 1 flat_name: process.parent.tty.char_device.minor level: extended name: tty.char_device.minor @@ -11917,9 +11917,9 @@ process: dashed_name: process-session-leader-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0. + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. - example: 1 + example: 4 flat_name: process.session_leader.tty.char_device.major level: extended name: tty.char_device.major @@ -11934,7 +11934,7 @@ process: \ number; other parts of the kernel don\u2019t use it, and merely pass it\ \ along to the driver. It is common for a driver to control several devices;\ \ the minor number provides a way for the driver to differentiate among them." - example: 128 + example: 1 flat_name: process.session_leader.tty.char_device.minor level: extended name: tty.char_device.minor 
@@ -12073,9 +12073,9 @@ process: dashed_name: process-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0. + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. - example: 1 + example: 4 flat_name: process.tty.char_device.major level: extended name: tty.char_device.major 
@@ -12089,13 +12089,41 @@ process: \ number; other parts of the kernel don\u2019t use it, and merely pass it\ \ along to the driver. It is common for a driver to control several devices;\ \ the minor number provides a way for the driver to differentiate among them." - example: 128 + example: 1 flat_name: process.tty.char_device.minor level: extended name: tty.char_device.minor normalize: [] short: The TTY character device's minor number. type: long + process.tty.columns: + beta: This field is beta and subject to change. + dashed_name: process-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.tty.columns + level: extended + name: tty.columns + normalize: [] + short: The number of character columns per line. e.g terminal width + type: long + process.tty.rows: + beta: This field is beta and subject to change. + dashed_name: process-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.tty.rows + level: extended + name: tty.rows + normalize: [] + short: The number of character rows in the terminal. e.g terminal height + type: long process.uptime: dashed_name: process-uptime description: Seconds the process has been up. diff --git a/generated/elasticsearch/composable/component/process.json b/generated/elasticsearch/composable/component/process.json index c117fc17a4..3ee5351ad7 100644 --- a/generated/elasticsearch/composable/component/process.json +++ b/generated/elasticsearch/composable/component/process.json @@ -1448,6 +1448,12 @@ "type": "long" } } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" } }, "type": "object" 
diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index d14a1e8026..900adf8352 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -3902,6 +3902,12 @@ "type": "long" } } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" } }, "type": "object" diff --git a/rfcs/text/0035-tty-output.md b/rfcs/text/0035-tty-output.md index 15e6bd2f9b..e68013528f 100644 --- a/rfcs/text/0035-tty-output.md +++ b/rfcs/text/0035-tty-output.md @@ -43,6 +43,11 @@ A new "io" field is added to the top level process fieldset. The key use case is - process.io.bytes_skipped.offset (type: number) - process.io.bytes_skipped.length (type: number) +Two new fields will be added to the process.tty object to track terminal window size +- process.tty.rows (type: long, the height of the terminal) +- process.tty.columns (type: long, the max character width of each line) + + Possible future additions to support non utf-8 data: - process.io.bytes (type: binary, a single base64 encoded string) @@ -82,7 +87,9 @@ Stage 1: Provide a high-level description of example sources of data. This does char_device: { major: 1, minor: 128 - } + }, + rows: 24, + columns: 80, }, io: { diff --git a/rfcs/text/0035/process.yml b/rfcs/text/0035/process.yml index 669a9875ca..c940fbdc0a 100644 --- a/rfcs/text/0035/process.yml +++ b/rfcs/text/0035/process.yml 
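Review bot: The sample event in the rfcs/text/0035-tty-output.md hunk still shows `char_device: { major: 1, minor: 128 }` while this patch changes the schema examples to `example: 4` for tty.char_device.major and `example: 1` for tty.char_device.minor (see the ecs_nested.yml hunks above); update the RFC sample so the two agree, since the RFC is what implementers copy from. The same hunk describes `process.tty.columns` as "the max character width of each line" whereas the schema text says the value is the maximum for a given IO event; use one phrasing in both places. Minor: the new bullet list is followed by extra blank lines where the rest of the file uses one.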
@@ -23,6 +23,28 @@ description: > The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. + - name: tty.rows + level: extended + type: long + beta: This field is beta and subject to change. + short: The number of character rows in the terminal. e.g terminal height + description: > + The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a given IO event. i.e. where event.action = 'text_output' + example: 24 + + - name: tty.columns + level: extended + type: long + beta: This field is beta and subject to change. + short: The number of character columns per line. e.g terminal width + description: > + The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a given IO event. i.e. where event.action = 'text_output' + example: 80 + # new 'io' properties for tracking tty output - name: io level: extended diff --git a/schemas/process.yml b/schemas/process.yml index 497f7d4095..83405e5c5b 100644 --- a/schemas/process.yml +++ b/schemas/process.yml 
@@ -326,8 +326,8 @@ beta: This field is beta and subject to change. short: The TTY character device's major number. description: > - The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0. For more details, please refer to the Linux kernel documentation. - example: 1 + The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. + example: 4 - name: tty.char_device.minor level: extended 
@@ -336,4 +336,101 @@ short: The TTY character device's minor number. description: > The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them. - example: 128 + example: 1 + + - name: tty.rows + level: extended + type: long + beta: This field is beta and subject to change. + short: The number of character rows in the terminal. e.g terminal height + description: > + The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a given IO event. i.e. where event.action = 'text_output' + example: 24 + + - name: tty.columns + level: extended + type: long + beta: This field is beta and subject to change. + short: The number of character columns per line. e.g terminal width + description: > + The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a given IO event. i.e. where event.action = 'text_output' + example: 80 + + - name: io + level: extended + type: object + beta: This field is beta and subject to change. + short: A chunk of input or output (IO) from a single process. + description: > + A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process that wrote the output or read the input. + + - name: io.type + level: extended + type: keyword + beta: This field is beta and subject to change. + short: The type of object on which the IO action (read or write) was taken. + description: > + The type of object on which the IO action (read or write) was taken. + + Currently only 'tty' is supported. Other types may be added in the future for 'file' and 'socket' support. 
+ + - name: io.text + level: extended + type: wildcard + beta: This field is beta and subject to change. + short: A chunk of output or input sanitized to UTF-8. + description: > + A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. Assumptions should NOT be made that multiple lines will appear in the same event. TTY output may contain terminal control codes such as for cursor movement, so some string queries may not match due to terminal codes inserted between characters of a word. + + - name: io.total_bytes_captured + level: extended + type: number + beta: This field is beta and subject to change. + description: > + The total number of bytes captured in this event. + + - name: io.total_bytes_skipped + level: extended + type: number + beta: This field is beta and subject to change. + short: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. + description: > + The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure this value is always zero + + - name: io.max_bytes_per_process_exceeded + level: extended + type: boolean + beta: This field is beta and subject to change. + description: > + If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting. + + - name: io.bytes_skipped + level: extended + type: object + beta: This field is beta and subject to change. + description: > + An array of byte offsets and lengths denoting where IO data has been skipped. + + normalize: array + + - name: io.bytes_skipped.offset + level: extended + type: number + beta: This field is beta and subject to change. + description: > + The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. 
+ + - name: io.bytes_skipped.length + level: extended + type: number + beta: This field is beta and subject to change. + description: > + The length of bytes skipped. From 2db2a96b1cae379d24c5c6545265bb79a1038dc3 Mon Sep 17 00:00:00 2001 From: Apoorva Joshi <30438249+ajosh0504@users.noreply.github.com> Date: Wed, 31 Aug 2022 15:53:58 -0400 Subject: [PATCH 035/186] [RFC] Risk Fields- Stage 2 (#2027) * Stage 2 * Adding link to Stage 2 * Adding example alert * Specify what kind of alerts * Small edit Co-authored-by: Kylie Geller --- rfcs/text/0031-risk-fields.md | 141 ++++--- rfcs/text/0031/example-alert.json | 622 ++++++++++++++++++++++++++++++ 2 files changed, 702 insertions(+), 61 deletions(-) create mode 100644 rfcs/text/0031/example-alert.json diff --git a/rfcs/text/0031-risk-fields.md b/rfcs/text/0031-risk-fields.md index 313e9781f2..7e62120854 100644 --- a/rfcs/text/0031-risk-fields.md +++ b/rfcs/text/0031-risk-fields.md @@ -1,26 +1,16 @@ # 0031: Risk fields for multiple entities -- Stage: **1 (draft)** -- Date: **2022/07/12** +- Stage: **2 (candidate)** +- Date: **2022/08/15** - In 7.16, we released an experimental feature in the Security solution, called [Host Risk Score](https://www.elastic.co/guide/en/security/7.17/host-risk-score.html). Initially, the requirement of the feature was limited to surfacing risky hosts in a customer environment. As the feature matures, we want to further integrate it into the Security solution, and be able to perform filtering and sorting operations based on the risk information. Furthermore, there's also work currently in progress for a User Risk Score functionality, which will highlight users at risk within the Security solution. Both these features (and potentially others) currently could benefit from having a reusable risk field set highlighting information like risk score, risk level, contributors to risk etc. - - ## Fields - The `risk` fields being proposed are as follows: Field | Type | Example | Description | Use Case 
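Review bot: In the schemas/process.yml hunk above, `io.total_bytes_captured`, `io.total_bytes_skipped`, `io.bytes_skipped.offset` and `io.bytes_skipped.length` are declared `type: number`, whereas `tty.rows` and `tty.columns` in the same hunk use `type: long`; `number` is not an Elasticsearch mapping type (the RFC prose's informal "(type: number)" should not be carried into the schema), so change these to `long`. Documentation points in the same hunk: `io.total_bytes_captured` is the only new field without a `short`; the `io.total_bytes_skipped` description ends without a period; and "e.g terminal height" / "e.g terminal width" should read "e.g.", which matters because these strings are copied verbatim into the generated ecs_nested.yml hunk above. Since the `io.text` description already warns that terminal control codes can sit between the characters of a word and defeat string queries, it would help detection authors if it also stated whether control sequences are preserved or stripped by the UTF-8 sanitization.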
@@ -33,6 +23,7 @@ risk.calculated_level | keyword | High | A risk classification level calculated risk.static_level | keyword | High | A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform | Can be used to indicate the projected risk of a particular host based on a trusted third party intelligence feed ### Nesting `risk.*` fields under other fields + The `risk.*` fields mentioned above can be used to quantify the amount of risk associated with entities like hosts, users etc. For example, a host with a high risk score would imply that the probability of the host being exposed to harm during a cyber attack or breach is high. Attaching risk to entities can help analysts identify entities that require their immediate attention and hence drive investigations in a more systematic manner. To begin with, the `risk.*` fields could be nested under the existing `host.*` and `user.*` fields, since hosts and users tend to be important entities during investigations. @@ -43,9 +34,6 @@ Stage 2: Add or update all remaining field definitions. The list should now be e ## Usage - As mentioned previously, we have released an experimental feature called Host Risk Score in the Security solution recently. As of 7.16, the feature has some real estate on the Overview page and the Alert Flyout within the Security solution, as documented [here](https://www.elastic.co/guide/en/security/8.0/host-risk-score.html). In 8.1, users will also be able to see host risk information on the Hosts page and Host Details page as well. In addition to Host Risk Score, there is work currently in progress to introduce a Users page in the Security solution and a User Risk Scoring capability. Entities at risk is a new concept for users of the Security solution. Defining and normalizing this concept of entity risk using the `risk` fields will be crucial for users to get the most out of the Host and User Risk Scoring capabilities when they go GA. 
@@ -59,33 +47,87 @@ Furthermore, these `risk` fields will provide users with an additional vector to ## Source data - -The Host and User Risk Score views in the Security solution are/will be backed by indices produced as a result of running [transforms](https://www.elastic.co/guide/en/elasticsearch/reference/current/put-transform.html) on a variety of data sources, not limited to the alerts data streams. An example document produced by the Host Risk Score transform in the absence of ECS `risk` fields looks as follows: +* Host Risk Score Transform +* User Risk Score Transform +* Security Alerts +* [Potential] Data sources related to other assets -``` +### Host Risk Score Transform + +An example of a mapped document produced by the host risk score transform is as follows: + +```json { - "risk_stats": { - "risk_score": 78.61701409613882 + "host": { + "name": "My-PC", + "risk": { + "rule_risks": [ + { + "rule_id": "499a4611-1a4b-11ed-bb53-ad8c26f4d942", + "rule_name": "Malicious Behavior Prevention Alert: Regsvr32 Scriptlet Execution", + "rule_risk": 73 + }, + { + "rule_id": "499a4611-1a4b-11ed-bb53-ad8c26f4d942", + "rule_name": "Malicious Behavior Prevention Alert: Remote File Execution via MSIEXEC", + "rule_risk": 73 + }, + { + "rule_id": "499a4611-1a4b-11ed-bb53-ad8c26f4d942", + "rule_name": "Malicious Behavior Prevention Alert: Script Execution via Microsoft HTML Application", + "rule_risk": 73 + } + ], + "calculated_score_norm": 96.68615013176895, + "multipliers": [ + "Host is a server" + ], + "calculated_level": "Critical" + } }, - "risk": "High" + "ingest_timestamp": "2022-08-15T16:32:16.142561766Z", + "@timestamp": "2022-08-12T14:45:36.171Z" } ``` -With the introduction of ECS `risk` fields, fields in the above document would look as follows: +### User Risk Score Transform -``` +An example of a mapped document produced by the user risk score transform is as follows: + +```json { - "risk": { - "calculated_risk_score_norm": 78.61701409613882, - 
"calculated_level": "High" - } + "user": { + "name": "random-user", + "risk": { + "rule_risks": [ + { + "rule_id": "499a4611-1a4b-11ed-bb53-ad8c26f4d942", + "rule_name": "Malicious Behavior Prevention Alert: Regsvr32 Scriptlet Execution", + "rule_risk": 73 + }, + { + "rule_id": "499a4611-1a4b-11ed-bb53-ad8c26f4d942", + "rule_name": "Malicious Behavior Prevention Alert: Remote File Execution via MSIEXEC", + "rule_risk": 73 + }, + { + "rule_id": "499a4611-1a4b-11ed-bb53-ad8c26f4d942", + "rule_name": "Malicious Behavior Prevention Alert: Script Execution via Microsoft HTML Application", + "rule_risk": 73 + } + ], + "calculated_score_norm": 96.68615013176895, + "calculated_level": "Critical" + } + }, + "ingest_timestamp": "2022-08-15T16:32:16.142561766Z", + "@timestamp": "2022-08-12T14:45:36.171Z" } ``` - + +### Alerts + +The risk fields can be used to enrich alerts with entity risk information coming from internal systems such as host and user risk score, as well as external sources such as third-party threat intelligence feeds. An example of an alert document enriched with entity risk data from internal and external sources is provided in the RFC folder `0031`. +We have several views (Hosts page, Overview page, Alerts flyouts) in the Security Solution which are populated by the Host and User Risk Score indices. These views will need to be updated to use the new ECS fields. Any new workflows built on top of Host Risk Score will also need to adopt these new fields. -## Concerns +We currently have a small number (<50) of customer clusters that have deployed Host Risk Score in its experimental state. If these users were to upgrade to a Kibana version where the Security App uses these ECS fields, they will have to recreate the Host Risk Score transforms, and index mappings. These users will also need to be informed that any host risk-related views in the Security App will cease to work on old (before upgrade) data. 
- -Events and detection rules in the Security solution already have a risk score and/or severity associated with them. We might need to update these assets to use the new `risk` fieldset, otherwise it might potentially get confusing for users. +## Concerns - +Certain views in the Security App will not work on older data for current users of Host Risk Score. Users will need to recreate the Host Risk Score transforms and related index mappings. - - ## References @@ -148,3 +165,5 @@ e.g.: * Stage 0: https://github.com/elastic/ecs/pull/1740 * Stage 1: https://github.com/elastic/ecs/pull/1744 + +* Stage 2: https://github.com/elastic/ecs/pull/2027 diff --git a/rfcs/text/0031/example-alert.json b/rfcs/text/0031/example-alert.json new file mode 100644 index 0000000000..e535f35afa --- /dev/null +++ b/rfcs/text/0031/example-alert.json 
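Review bot: The three `rule_risks` entries in both the host and user transform examples carry the same `rule_id` (`499a4611-1a4b-11ed-bb53-ad8c26f4d942`) under three different `rule_name` values; distinct rules should have distinct ids in a sample document, otherwise readers may infer that `rule_id` is not a key. The examples also populate `risk.rule_risks` and `risk.multipliers`, so the Fields table should either define them as `risk.*` fields or the section should say they are transform-internal and not part of the proposal. The previous Concern, that events and detection rules already carry a risk score and severity and that two notions of risk may confuse users, was removed without being resolved; the Stage 2 text keeps only the migration concern, so either restore it or add a sentence on how entity risk relates to alert and rule risk scores. Minor: the new `* Stage 2:` reference is separated from the other entries by a blank line.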
@@ -0,0 +1,622 @@ +{ + "kibana.version": "8.3.0", + "kibana.alert.rule.category": "Custom Query Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "515246d5-c825-491f-9411-85015f46947f", + "kibana.alert.rule.name": "Malicious Behavior Prevention Alert: Regsvr32 Scriptlet Execution", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.queryRule", + "kibana.alert.rule.uuid": "499a4611-1a4b-11ed-bb53-ad8c26f4d942", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [ + "Elastic", + "Endpoint Security" + ], + "@timestamp": "2022-08-12T14:45:36.171Z", + "agent": { + "build": { + "original": "version: 8.3.0, compiled: Thu Jun 23 19:00:00 2022, branch: 8.3, commit: 0565bb1d16a5e6444bbe8fbc082969cf030df3ea" + }, + "id": "d463a3c2-d9ae-4ae9-91da-fa85867b51e1", + "type": "endpoint", + "version": "8.3.0" + }, + "process": { + "Ext": { + "ancestry": [ + "ZDQ2M2EzYzItZDlhZS00YWU5LTkxZGEtZmE4NTg2N2I1MWUxLTExNDEyLTEzMzA0Nzg4ODE5Ljc1OTE4MDIwMA==", + "ZDQ2M2EzYzItZDlhZS00YWU5LTkxZGEtZmE4NTg2N2I1MWUxLTU5NTItMTMzMDQ3ODg4MTkuNzIwOTgwNDAw", + "ZDQ2M2EzYzItZDlhZS00YWU5LTkxZGEtZmE4NTg2N2I1MWUxLTM2MzYtMTMzMDQ3ODg2NDIuMjMxNTA2MTAw", + "ZDQ2M2EzYzItZDlhZS00YWU5LTkxZGEtZmE4NTg2N2I1MWUxLTYxODAtMTMzMDQ3ODgxNjYuNDA2NDExMDAw" + ], + "code_signature": [ + { + "trusted": true, + "subject_name": "Microsoft Windows", + "exists": true, + "status": "trusted" + } + ], + "authentication_id": "0x1dd63c", + "token": { + "integrity_level_name": "medium", + "security_attributes": [ + "TSA://ProcUnique" + ], + "elevation_level": "limited" + } + }, + "parent": { + "args": [ + "C:\\Python27\\python.exe", + "C:\\Users\\random-user\\Downloads\\test\\RTA-master\\RTA-master\\red_ttp\\regsvr32_scrobj.py" + ], + "name": "python.exe", + "pid": 11412, + "args_count": 2, + "entity_id": "ZDQ2M2EzYzItZDlhZS00YWU5LTkxZGEtZmE4NTg2N2I1MWUxLTExNDEyLTEzMzA0Nzg4ODE5Ljc1OTE4MDIwMA==", + "command_line": "C:\\Python27\\python.exe 
C:\\Users\\random-user\\Downloads\\test\\RTA-master\\RTA-master\\red_ttp\\regsvr32_scrobj.py", + "executable": "C:\\Python27\\python.exe" + }, + "pid": 4896, + "working_directory": "C:\\Users\\random-user\\Downloads\\test\\RTA-master\\RTA-master\\red_ttp\\", + "entity_id": "ZDQ2M2EzYzItZDlhZS00YWU5LTkxZGEtZmE4NTg2N2I1MWUxLTQ4OTYtMTMzMDQ3ODg4MjIuNjA0OTQ5MDA=", + "executable": "C:\\Windows\\System32\\regsvr32.exe", + "args": [ + "regsvr32.exe", + "/u", + "/n", + "/s", + "/i:http://10.128.0.78:8000/bin/notepad.sct", + "scrobj.dll" + ], + "code_signature": { + "trusted": true, + "subject_name": "Microsoft Windows", + "exists": true, + "status": "trusted" + }, + "pe": { + "original_file_name": "REGSVR32.EXE" + }, + "name": "regsvr32.exe", + "args_count": 6, + "command_line": "regsvr32.exe /u /n /s /i:http://10.128.0.78:8000/bin/notepad.sct scrobj.dll", + "hash": { + "sha1": "855a676f3018e78a37a9fb4aaa159584ec21c85c", + "sha256": "9f68f5fc21270a06bb934b5f3fa5aee2068a56a1260d4e7e4b48f2dca501b8c9", + "md5": "266aedbec51e35277729294996a213dd" + } + }, + "rule": { + "reference": [], + "name": "Regsvr32 Scriptlet Execution", + "ruleset": "production", + "description": "Identifies the native Windows tool, regsvr32.exe, executing a scriptlet file. 
This can allow an attacker to bypass whitelisting and run arbitrary scripts.", + "id": "0524c24c-e45e-4220-b21a-abdba0c46c4d", + "version": "1.0.7" + }, + "message": "Malicious Behavior Prevention Alert: Regsvr32 Scriptlet Execution", + "Responses": [ + { + "result": 0, + "process": { + "name": "regsvr32.exe", + "pid": 4896, + "entity_id": "ZDQ2M2EzYzItZDlhZS00YWU5LTkxZGEtZmE4NTg2N2I1MWUxLTQ4OTYtMTMzMDQ3ODg4MjIuNjA0OTQ5MDA=" + }, + "@timestamp": "2022-08-12T14:40:22.0861985Z", + "action": { + "field": "process.entity_id", + "action": "kill_process", + "state": 0 + }, + "message": "Success" + } + ], + "Endpoint": { + "policy": { + "applied": { + "artifacts": { + "global": { + "identifiers": [ + { + "sha256": "e57a7d5638060e9655c64ac1d02f7949b87e5f5f27f2074329608db1e06d645b", + "name": "diagnostic-configuration-v1" + }, + { + "sha256": "17d8695f22d3817c426a0e08a477b88ecdb6088bc253dfbccc760224600afcfd", + "name": "diagnostic-endpointpe-v4-blocklist" + }, + { + "sha256": "32d8d3e1fb323d29aa09ea2e565a4f62685c381dbb0f7d7a982acb958f3305d7", + "name": "diagnostic-endpointpe-v4-exceptionlist" + }, + { + "sha256": "75b0772c6a5c0ad4abfcefe3d35b09f8ed0f04e70757547b3b904ed76ba9dc41", + "name": "diagnostic-endpointpe-v4-model" + }, + { + "sha256": "12dbe46b1df6c58bbbbc844a959c56426e22a7bd3a5ce8902979309d0f115284", + "name": "diagnostic-malware-signature-v1-windows" + }, + { + "sha256": "92ec3c0262dd3acff20ff74f971b601e66c404267db3572ba50dc23d6cdb48e5", + "name": "diagnostic-ransomware-v1-windows" + }, + { + "sha256": "5def544b81f11aa7f1d1d79011c8cde4e426cabd51f9e3acbf208e84578138b8", + "name": "diagnostic-rules-windows-v1" + }, + { + "sha256": "906beb3e15d4e71a5ccd47fef85effcb5d9dea02ea060caa514c95fdcc5ea7a5", + "name": "endpointpe-v4-blocklist" + }, + { + "sha256": "da25c2dc5ea3bcbbdfb2f9221ec101b40cc9ca0d9475841f119ddefeb231b41a", + "name": "endpointpe-v4-exceptionlist" + }, + { + "sha256": "73a7ab1de37d02e69c440fbd0583d30c064c3f37c6201c01a27f95a10ff59bfb", + "name": 
"endpointpe-v4-model" + }, + { + "sha256": "2a747a4548ed22bf57db8c651bb41b0eb96ffe791d8c3a1efa8e13a58f4d8e74", + "name": "global-configuration-v1" + }, + { + "sha256": "d309bfb8fb555c9d3fba65ce7db66f46a0a14021db0cdc8c015eaf35c011e2dc", + "name": "global-eventfilterlist-windows-v1" + }, + { + "sha256": "17e35994ba8f93f9b72295b714a501af1e88c0df4b3921449dc25058fbdaa894", + "name": "global-exceptionlist-windows" + }, + { + "sha256": "3534acb69ccdf5967bb9c6e98dc613edf43b3b8a7ca2853e8009f54d738a6884", + "name": "global-trustlist-windows-v1" + }, + { + "sha256": "49bd59b2b8cc83cf4553ecde831830379508d2338c62a4f293e250ab15272faf", + "name": "production-malware-signature-v1-windows" + }, + { + "sha256": "fdf6f1192b79ec71142fb35b5f98508259d9d587764bf92c0d884ae30ddc0eca", + "name": "production-ransomware-v1-windows" + }, + { + "sha256": "3d602fee30ddd73bcd7729cbe6b8a5cdb6f71fe6d4c743b410a0701c2cd3b8ce", + "name": "production-rules-windows-v1" + } + ], + "version": "1.0.357" + }, + "user": { + "identifiers": [ + { + "sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "name": "endpoint-blocklist-windows-v1" + }, + { + "sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "name": "endpoint-eventfilterlist-windows-v1" + }, + { + "sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "name": "endpoint-exceptionlist-windows-v1" + }, + { + "sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "name": "endpoint-hostisolationexceptionlist-windows-v1" + }, + { + "sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "name": "endpoint-trustlist-windows-v1" + } + ], + "version": "1.0.0" + } + } + } + } + }, + "ecs": { + "version": "1.11.0" + }, + "Events": [ + { + "process": { + "Ext": { + "ancestry": [ + "ZDQ2M2EzYzItZDlhZS00YWU5LTkxZGEtZmE4NTg2N2I1MWUxLTExNDEyLTEzMzA0Nzg4ODE5Ljc1OTE4MDIwMA==", + 
"ZDQ2M2EzYzItZDlhZS00YWU5LTkxZGEtZmE4NTg2N2I1MWUxLTU5NTItMTMzMDQ3ODg4MTkuNzIwOTgwNDAw", + "ZDQ2M2EzYzItZDlhZS00YWU5LTkxZGEtZmE4NTg2N2I1MWUxLTM2MzYtMTMzMDQ3ODg2NDIuMjMxNTA2MTAw", + "ZDQ2M2EzYzItZDlhZS00YWU5LTkxZGEtZmE4NTg2N2I1MWUxLTYxODAtMTMzMDQ3ODgxNjYuNDA2NDExMDAw" + ], + "code_signature": [ + { + "trusted": true, + "subject_name": "Microsoft Windows", + "exists": true, + "status": "trusted" + } + ], + "authentication_id": "0x1dd63c", + "token": { + "integrity_level_name": "medium", + "security_attributes": [ + "TSA://ProcUnique" + ], + "elevation_level": "limited" + } + }, + "parent": { + "args": [ + "C:\\Python27\\python.exe", + "C:\\Users\\random-user\\Downloads\\test\\RTA-master\\RTA-master\\red_ttp\\regsvr32_scrobj.py" + ], + "name": "python.exe", + "pid": 11412, + "args_count": 2, + "entity_id": "ZDQ2M2EzYzItZDlhZS00YWU5LTkxZGEtZmE4NTg2N2I1MWUxLTExNDEyLTEzMzA0Nzg4ODE5Ljc1OTE4MDIwMA==", + "command_line": "C:\\Python27\\python.exe C:\\Users\\random-user\\Downloads\\test\\RTA-master\\RTA-master\\red_ttp\\regsvr32_scrobj.py", + "executable": "C:\\Python27\\python.exe" + }, + "pid": 4896, + "working_directory": "C:\\Users\\random-user\\Downloads\\test\\RTA-master\\RTA-master\\red_ttp\\", + "entity_id": "ZDQ2M2EzYzItZDlhZS00YWU5LTkxZGEtZmE4NTg2N2I1MWUxLTQ4OTYtMTMzMDQ3ODg4MjIuNjA0OTQ5MDA=", + "executable": "C:\\Windows\\System32\\regsvr32.exe", + "args": [ + "regsvr32.exe", + "/u", + "/n", + "/s", + "/i:http://10.128.0.78:8000/bin/notepad.sct", + "scrobj.dll" + ], + "code_signature": { + "trusted": true, + "subject_name": "Microsoft Windows", + "exists": true, + "status": "trusted" + }, + "pe": { + "original_file_name": "REGSVR32.EXE" + }, + "name": "regsvr32.exe", + "args_count": 6, + "command_line": "regsvr32.exe /u /n /s /i:http://10.128.0.78:8000/bin/notepad.sct scrobj.dll", + "hash": { + "sha1": "855a676f3018e78a37a9fb4aaa159584ec21c85c", + "sha256": "9f68f5fc21270a06bb934b5f3fa5aee2068a56a1260d4e7e4b48f2dca501b8c9", + "md5": "266aedbec51e35277729294996a213dd" 
+ } + }, + "@timestamp": "2022-08-12T14:40:22.0604949Z", + "_state": 0, + "host": { + "hostname": "My-PC", + "os": { + "Ext": { + "variant": "Windows Server 2022 Datacenter" + }, + "kernel": "21H2 (10.0.20348.825)", + "name": "Windows", + "family": "windows", + "type": "windows", + "version": "21H2 (10.0.20348.825)", + "platform": "windows", + "full": "Windows Server 2022 Datacenter 21H2 (10.0.20348.825)" + }, + "ip": [ + "10.128.0.78", + "fe80::9148:b822:a74a:c6f3", + "127.0.0.1", + "::1" + ], + "name": "My-PC", + "id": "13748c2e-ae9b-446d-97f6-028c1ee61ef8", + "mac": [ + "42:01:0a:80:00:4e" + ], + "architecture": "x86_64" + }, + "event": { + "created": "2022-08-12T14:40:22.0604949Z", + "kind": "event", + "action": "start", + "id": "MjNYqa6SWNxdFW4U+++++AjX", + "category": [ + "process" + ], + "type": [ + "start" + ] + }, + "message": "Endpoint process event", + "user": { + "domain": "RANDOM-USER", + "name": "random-user", + "id": "S-1-5-21-3922267609-3102133550-311164941-1000" + }, + "_label": "regsvr32_suspicious_args" + } + ], + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.alerts" + }, + "elastic": { + "agent": { + "id": "d463a3c2-d9ae-4ae9-91da-fa85867b51e1" + } + }, + "host": { + "hostname": "My-PC", + "os": { + "Ext": { + "variant": "Windows Server 2022 Datacenter" + }, + "kernel": "21H2 (10.0.20348.825)", + "name": "Windows", + "family": "windows", + "type": "windows", + "version": "21H2 (10.0.20348.825)", + "platform": "windows", + "full": "Windows Server 2022 Datacenter 21H2 (10.0.20348.825)" + }, + "ip": [ + "10.128.0.78", + "fe80::9148:b822:a74a:c6f3", + "127.0.0.1", + "::1" + ], + "name": "My-PC", + "id": "13748c2e-ae9b-446d-97f6-028c1ee61ef8", + "mac": [ + "42:01:0a:80:00:4e" + ], + "architecture": "x86_64", + "risk": { + "calculated_score": 880.73, + "calculated_score_norm": 88.73, + "calculated_level": "High", + "static_score": 900.0, + "static_score_norm": 90.0, + "static_level": "High" + + } + }, + "threat": 
[ + { + "framework": "MITRE ATT&CK", + "technique": [ + { + "reference": "https://attack.mitre.org/techniques/T1218/", + "name": "Signed Binary Proxy Execution", + "subtechnique": [ + { + "reference": "https://attack.mitre.org/techniques/T1218/010/", + "name": "Regsvr32", + "id": "T1218.010" + } + ], + "id": "T1218" + } + ], + "tactic": { + "reference": "https://attack.mitre.org/tactics/TA0005/", + "name": "Defense Evasion", + "id": "TA0005" + } + } + ], + "user": { + "domain": "RANDOM-USER", + "name": "random-user", + "id": "S-1-5-21-3922267609-3102133550-311164941-1000", + "risk": { + "calculated_score": 950.7, + "calculated_score_norm": 95.7, + "calculated_level": "Critical" + } + }, + "event.severity": 73, + "event.code": "behavior", + "event.risk_score": 73, + "event.created": "2022-08-12T14:40:22.0700886Z", + "event.kind": "signal", + "event.module": "endpoint", + "event.type": [ + "info", + "allowed" + ], + "event.agent_id_status": "verified", + "event.sequence": 22330, + "event.ingested": "2022-08-12T14:40:52Z", + "event.action": "rule_detection", + "event.id": "MjNYqa6SWNxdFW4U+++++Ajf", + "event.category": [ + "malware", + "intrusion_detection" + ], + "event.dataset": "endpoint.alerts", + "event.outcome": "success", + "kibana.alert.original_time": "2022-08-12T14:40:22.070Z", + "kibana.alert.ancestors": [ + { + "id": "tL-AkoIBiLzffz6DOFhn", + "type": "event", + "index": ".ds-logs-endpoint.alerts-default-2022.08.12-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "malware, intrusion_detection event with process regsvr32.exe, parent process python.exe, by random-user on My-PC created high alert Malicious Behavior Prevention Alert: Regsvr32 Scriptlet Execution.", + "kibana.alert.severity": "high", + "kibana.alert.risk_score": 73, + "kibana.alert.rule.parameters": { + "description": "Generates a detection alert each time an Elastic Endpoint Security 
alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.", + "risk_score": 47, + "severity": "medium", + "license": "Elastic License v2", + "rule_name_override": "message", + "timestamp_override": "event.ingested", + "author": [ + "Elastic" + ], + "false_positives": [], + "from": "now-10m", + "rule_id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306", + "max_signals": 10000, + "risk_score_mapping": [ + { + "field": "event.risk_score", + "operator": "equals", + "value": "" + } + ], + "severity_mapping": [ + { + "field": "event.severity", + "operator": "equals", + "severity": "low", + "value": "21" + }, + { + "field": "event.severity", + "operator": "equals", + "severity": "medium", + "value": "47" + }, + { + "field": "event.severity", + "operator": "equals", + "severity": "high", + "value": "73" + }, + { + "field": "event.severity", + "operator": "equals", + "severity": "critical", + "value": "99" + } + ], + "threat": [], + "to": "now", + "references": [], + "version": 3, + "exceptions_list": [ + { + "id": "endpoint_list", + "list_id": "endpoint_list", + "namespace_type": "agnostic", + "type": "endpoint" + } + ], + "immutable": true, + "related_integrations": [], + "required_fields": [], + "setup": "", + "type": "query", + "language": "kuery", + "index": [ + "logs-endpoint.alerts-*" + ], + "query": "event.kind:alert and event.module:(endpoint and not endgame)\n" + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.author": [ + "Elastic" + ], + "kibana.alert.rule.created_at": "2022-08-12T14:30:20.316Z", + "kibana.alert.rule.created_by": "4139736004", + "kibana.alert.rule.description": "Generates a detection alert each time an Elastic Endpoint Security alert is received. 
Enabling this rule allows you to immediately begin investigating your Endpoint alerts.", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.exceptions_list": [ + { + "id": "endpoint_list", + "list_id": "endpoint_list", + "namespace_type": "agnostic", + "type": "endpoint" + } + ], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-10m", + "kibana.alert.rule.immutable": true, + "kibana.alert.rule.interval": "5m", + "kibana.alert.rule.license": "Elastic License v2", + "kibana.alert.rule.max_signals": 10000, + "kibana.alert.rule.references": [], + "kibana.alert.rule.risk_score_mapping": [ + { + "field": "event.risk_score", + "operator": "equals", + "value": "" + } + ], + "kibana.alert.rule.rule_id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306", + "kibana.alert.rule.rule_name_override": "message", + "kibana.alert.rule.severity_mapping": [ + { + "field": "event.severity", + "operator": "equals", + "severity": "low", + "value": "21" + }, + { + "field": "event.severity", + "operator": "equals", + "severity": "medium", + "value": "47" + }, + { + "field": "event.severity", + "operator": "equals", + "severity": "high", + "value": "73" + }, + { + "field": "event.severity", + "operator": "equals", + "severity": "critical", + "value": "99" + } + ], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.timestamp_override": "event.ingested", + "kibana.alert.rule.to": "now", + "kibana.alert.rule.type": "query", + "kibana.alert.rule.updated_at": "2022-08-12T14:30:20.316Z", + "kibana.alert.rule.updated_by": "4139736004", + "kibana.alert.rule.version": 3, + "kibana.alert.rule.risk_score": 47, + "kibana.alert.rule.severity": "medium", + "kibana.alert.original_event.severity": 73, + "kibana.alert.original_event.code": "behavior", + "kibana.alert.original_event.risk_score": 73, + "kibana.alert.original_event.created": "2022-08-12T14:40:22.0700886Z", + "kibana.alert.original_event.kind": "alert", + "kibana.alert.original_event.module": "endpoint", + 
"kibana.alert.original_event.type": [ + "info", + "allowed" + ], + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.sequence": 22330, + "kibana.alert.original_event.ingested": "2022-08-12T14:40:52Z", + "kibana.alert.original_event.action": "rule_detection", + "kibana.alert.original_event.id": "MjNYqa6SWNxdFW4U+++++Ajf", + "kibana.alert.original_event.category": [ + "malware", + "intrusion_detection" + ], + "kibana.alert.original_event.dataset": "endpoint.alerts", + "kibana.alert.original_event.outcome": "success", + "kibana.alert.uuid": "bbef4313d1ced5ff3c8558ebdd11a4dd7ea5df5df5bb391335f60845d361eba5" +} \ No newline at end of file From 5ac642b044719ee7a37d6100f476be64ad9f0fca Mon Sep 17 00:00:00 2001 
From: Kylie Geller Date: Tue, 20 Sep 2022 11:36:41 -0400 Subject: [PATCH 036/186] Adding `risk.*` as beta (#2051) --- CHANGELOG.next.md | 4 +- docs/fields/field-details.asciidoc | 140 +++ docs/fields/fields.asciidoc | 2 + experimental/generated/beats/fields.ecs.yml | 191 +++- experimental/generated/csv/fields.csv | 24 + experimental/generated/ecs/ecs_flat.yml | 320 +++++++ experimental/generated/ecs/ecs_nested.yml | 333 ++++++- .../composable/component/client.json | 24 + .../composable/component/destination.json | 24 + .../composable/component/server.json | 24 + .../composable/component/source.json | 24 + .../elasticsearch/legacy/template.json | 96 ++ experimental/schemas/subsets/experimental.yml | 2 - generated/beats/fields.ecs.yml | 470 ++++++++++ generated/csv/fields.csv | 54 ++ generated/ecs/ecs_flat.yml | 720 +++++++++++++++ generated/ecs/ecs_nested.yml | 823 ++++++++++++++++++ .../composable/component/client.json | 24 + .../composable/component/destination.json | 24 + .../composable/component/host.json | 24 + .../composable/component/server.json | 24 + .../composable/component/source.json | 24 + .../composable/component/user.json | 96 ++ generated/elasticsearch/legacy/template.json | 216 +++++ {experimental/schemas => schemas}/risk.yml | 10 +- schemas/subsets/main.yml | 2 + 26 files changed, 3705 insertions(+), 14 deletions(-) rename {experimental/schemas => schemas}/risk.yml (82%) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index abd4621cac..9b22c3b2ce 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -38,8 +38,6 @@ Thanks, you're awesome :-) --> ## 8.5.0 (Soft Feature Freeze) -* Changed `process.env_vars` field type to be an array of keywords. #2038 - ### Schema Changes #### Breaking changes 
@@ -51,6 +49,8 @@ Thanks, you're awesome :-) --> * Adding `risk.*` fields as experimental. #1994, #2010 * Adding `process.io.*` as beta fields. #1956, #2031 * Adding `process.tty.rows` and `process.tty.columns` as beta fields. #2031 +* Changed `process.env_vars` field type to be an array of keywords. #2038 +* Added `risk.*` fieldset to beta. #2051 #### Improvements diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index 39abb80525..a8083198b0 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -5145,6 +5145,13 @@ example: `1325` // =============================================================== +| `host.risk.*` +| <> +| Fields for describing risk score and level. + +// =============================================================== + + |===== 
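Review bot: the `process.env_vars` bullet that the two CHANGELOG.next.md hunks move now sits among the `* Adding ...` entries, although it records a field type change rather than an addition, and the first hunk shows that 8.5.0 already has a `#### Breaking changes` subsection; since a type change can alter existing mappings, either list it there or say in the entry why it is not breaking. In the same hunk, `* Adding `risk.*` fields as experimental. #1994, #2010` and the new `* Added `risk.*` fieldset to beta. #2051` both describe the 8.5.0 state of one fieldset; the net change for the release is that `risk.*` ships as beta, so consider folding them into a single entry that keeps all three PR references, and use one verb tense (the neighbouring bullets say `Adding`, the new ones say `Added` and `Changed`).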
@@ -8184,6 +8191,132 @@ Note: this field should contain an array of values. |===== +[[ecs-risk]] +=== Risk information Fields + +Fields for describing risk score and risk level of entities such as hosts and users. These fields are not allowed to be nested under `event.*`. Please continue to use `event.risk_score` and `event.risk_score_norm` for event risk. + +beta::[ These fields are in beta and are subject to change.] + +[discrete] +==== Risk information Field Details + +[options="header"] +|===== +| Field | Description | Level + +// =============================================================== + +| +[[field-risk-calculated-level]] +<> + +a| A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. + +type: keyword + + + +example: `High` + +| extended + +// =============================================================== + +| +[[field-risk-calculated-score]] +<> + +a| A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. + +type: float + + + +example: `880.73` + +| extended + +// =============================================================== + +| +[[field-risk-calculated-score-norm]] +<> + +a| A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. + +type: float + + + +example: `88.73` + +| extended + +// =============================================================== + +| +[[field-risk-static-level]] +<> + +a| A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. + +type: keyword + + + +example: `High` + +| extended + +// =============================================================== + +| +[[field-risk-static-score]] +<> + +a| A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. 
+ +type: float + + + +example: `830.0` + +| extended + +// =============================================================== + +| +[[field-risk-static-score-norm]] +<> + +a| A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. + +type: float + + + +example: `83.0` + +| extended + +// =============================================================== + +|===== + +[discrete] +==== Field Reuse + +The `risk` fields are expected to be nested at: + + +* `host.risk` + +* `user.risk` + + +Note also that the `risk` fields are not expected to be used directly at the root of the events. [[ecs-rule]] === Rule Fields @@ -11549,6 +11682,13 @@ Note also that the `user` fields may be used directly at the root of the events. // =============================================================== +| `user.risk.*` +| <> +| Fields for describing risk score and level. + +// =============================================================== + + | `user.target.*` | <> | Targeted user of action taken. diff --git a/docs/fields/fields.asciidoc b/docs/fields/fields.asciidoc index a80ed79388..bcfe711552 100644 --- a/docs/fields/fields.asciidoc +++ b/docs/fields/fields.asciidoc @@ -92,6 +92,8 @@ For a single page representation of all fields, please see the | <> | Fields meant to facilitate pivoting around a piece of data. +| <> | Fields for describing risk score and level. + | <> | Fields to capture details about rules used to generate alerts or other notable events. | <> | Fields about the server side of a network connection, used with client. diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 1c5110c332..6a81f1d149 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
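Review bot: heading capitalization is inconsistent in the new `[[ecs-risk]]` section: `=== Risk information Fields` and `==== Risk information Field Details` leave `information` in lowercase while the adjacent sections (`=== Rule Fields`, `==== Field Reuse`) title-case every word. The later beats hunk shows the group `title:` being changed to `Risk information`, so if these headings are generated from that title the fix belongs in `schemas/risk.yml` (`title: Risk Information`) rather than in the asciidoc. The admonition `beta::[ These fields are in beta and are subject to change.]` also has a stray leading space inside the brackets that will show up in the rendered callout. Finally, the Field Reuse paragraph lists only `host.risk` and `user.risk`, while the CSV hunks in this same patch emit `client.user.risk.*`, `destination.user.risk.*`, `server.user.risk.*` and `source.user.risk.*`; that follows from `user` itself being reused under those fieldsets, but one sentence saying so would spare readers the search.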
@@ -481,6 +481,52 @@ default_field: false description: Short name or login of the user. example: a.einstein + - name: user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false - name: user.roles level: extended type: keyword 
@@ -1279,6 +1325,52 @@ default_field: false description: Short name or login of the user. example: a.einstein + - name: user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false - name: user.roles level: extended type: keyword 
@@ -7276,9 +7368,12 @@ description: All the user names or other user identifiers seen on the event. default_field: false - name: risk - title: Risk score information + title: Risk information group: 2 - description: Fields for describing the risk score and level. + description: Fields for describing risk score and risk level of entities such + as hosts and users. These fields are not allowed to be nested under `event.*`. + Please continue to use `event.risk_score` and `event.risk_score_norm` for event + risk. type: group default_field: true fields: 
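Review bot: the new group description in this hunk states that the fields "are not allowed to be nested under `event.*`", whereas the Field Reuse text added earlier in the patch says only that the `risk` fields "are not expected to be used directly at the root of the events". Those are two different constraints (no `event.risk.*` versus no top-level `risk.*`), and the docs section should carry both so that a reader of field-details.asciidoc gets the same rule as a reader of the generated schema; the pointer to `event.risk_score` and `event.risk_score_norm` is already in the description and would be worth repeating there.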
@@ -7706,6 +7801,52 @@ default_field: false description: Short name or login of the user. example: a.einstein + - name: user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false - name: user.roles level: extended type: keyword 
@@ -8434,6 +8575,52 @@ default_field: false description: Short name or login of the user. example: a.einstein + - name: user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false - name: user.roles level: extended type: keyword diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 519ff5779c..20eacbc393 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -53,6 +53,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev+exp,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.6.0-dev+exp,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. 8.6.0-dev+exp,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,client,client.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.6.0-dev+exp,true,client,client.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.6.0-dev+exp,true,client,client.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.6.0-dev+exp,true,client,client.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.6.0-dev+exp,true,client,client.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.6.0-dev+exp,true,client,client.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 8.6.0-dev+exp,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 8.6.0-dev+exp,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. 8.6.0-dev+exp,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. 
@@ -140,6 +146,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev+exp,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.6.0-dev+exp,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. 8.6.0-dev+exp,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,destination,destination.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.6.0-dev+exp,true,destination,destination.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.6.0-dev+exp,true,destination,destination.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.6.0-dev+exp,true,destination,destination.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.6.0-dev+exp,true,destination,destination.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.6.0-dev+exp,true,destination,destination.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 8.6.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 8.6.0-dev+exp,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. 
8.6.0-dev+exp,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. 
@@ -901,6 +913,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev+exp,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.6.0-dev+exp,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. 8.6.0-dev+exp,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,server,server.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.6.0-dev+exp,true,server,server.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.6.0-dev+exp,true,server,server.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.6.0-dev+exp,true,server,server.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.6.0-dev+exp,true,server,server.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.6.0-dev+exp,true,server,server.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 8.6.0-dev+exp,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 8.6.0-dev+exp,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. 8.6.0-dev+exp,true,service,service.environment,keyword,extended,,production,Environment of the service. 
@@ -972,6 +990,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev+exp,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.6.0-dev+exp,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. 8.6.0-dev+exp,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,source,source.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.6.0-dev+exp,true,source,source.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.6.0-dev+exp,true,source,source.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.6.0-dev+exp,true,source,source.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.6.0-dev+exp,true,source,source.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.6.0-dev+exp,true,source,source.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 8.6.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 8.6.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. 8.6.0-dev+exp,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. 
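Review bot: the `short` text for `static_score_norm`, which these CSV hunks emit as the Description column `A normalized risk score calculated by an external system.`, contradicts the field's own `description` (`obtained from outside the system, such as from some external Threat Intelligence Platform`): the static fields are by definition not calculated by this system, so `A normalized risk score obtained from an external system.` would be consistent. Relatedly, `calculated_score_norm` and `static_score_norm` use an abbreviated short form while the other four fields repeat their full description as the short text; pick one convention. All of these rows are generated, so the edit belongs in `schemas/risk.yml` followed by a regeneration, not in the CSV or the `ecs_flat.yml` / `ecs_nested.yml` hunks that follow.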
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index a4dc079211..a2f70943af 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -616,6 +616,86 @@ client.user.name: original_fieldset: user short: Short name or login of the user. type: keyword +client.user.risk.calculated_level: + dashed_name: client-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: client.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +client.user.risk.calculated_score: + dashed_name: client-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: client.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +client.user.risk.calculated_score_norm: + dashed_name: client-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: client.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +client.user.risk.static_level: + dashed_name: client-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: client.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +client.user.risk.static_score: + dashed_name: client-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: client.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +client.user.risk.static_score_norm: + dashed_name: client-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: client.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float client.user.roles: dashed_name: client-user-roles description: Array of user roles at the time of the event. 
@@ -1687,6 +1767,86 @@ destination.user.name: original_fieldset: user short: Short name or login of the user. type: keyword +destination.user.risk.calculated_level: + dashed_name: destination-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: destination.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +destination.user.risk.calculated_score: + dashed_name: destination-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: destination.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +destination.user.risk.calculated_score_norm: + dashed_name: destination-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: destination.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +destination.user.risk.static_level: + dashed_name: destination-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: destination.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +destination.user.risk.static_score: + dashed_name: destination-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: destination.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +destination.user.risk.static_score_norm: + dashed_name: destination-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: destination.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float destination.user.roles: dashed_name: destination-user-roles description: Array of user roles at the time of the event. 
@@ -11324,6 +11484,86 @@ server.user.name: original_fieldset: user short: Short name or login of the user. type: keyword +server.user.risk.calculated_level: + dashed_name: server-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: server.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +server.user.risk.calculated_score: + dashed_name: server-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: server.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +server.user.risk.calculated_score_norm: + dashed_name: server-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: server.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +server.user.risk.static_level: + dashed_name: server-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: server.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +server.user.risk.static_score: + dashed_name: server-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: server.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +server.user.risk.static_score_norm: + dashed_name: server-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: server.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float server.user.roles: dashed_name: server-user-roles description: Array of user roles at the time of the event. 
@@ -12371,6 +12611,86 @@ source.user.name: original_fieldset: user short: Short name or login of the user. type: keyword +source.user.risk.calculated_level: + dashed_name: source-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: source.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +source.user.risk.calculated_score: + dashed_name: source-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: source.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +source.user.risk.calculated_score_norm: + dashed_name: source-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: source.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +source.user.risk.static_level: + dashed_name: source-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: source.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +source.user.risk.static_score: + dashed_name: source-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: source.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +source.user.risk.static_score_norm: + dashed_name: source-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: source.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float source.user.roles: dashed_name: source-user-roles description: Array of user roles at the time of the event. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 1ee6299408..461afa34a5 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -779,6 +779,86 @@ client: original_fieldset: user short: Short name or login of the user. type: keyword + client.user.risk.calculated_level: + dashed_name: client-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: client.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + client.user.risk.calculated_score: + dashed_name: client-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: client.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + client.user.risk.calculated_score_norm: + dashed_name: client-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: client.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + client.user.risk.static_level: + dashed_name: client-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: client.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + client.user.risk.static_score: + dashed_name: client-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: client.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + client.user.risk.static_score_norm: + dashed_name: client-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: client.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float client.user.roles: dashed_name: client-user-roles description: Array of user roles at the time of the event. 
@@ -2109,6 +2189,86 @@ destination: original_fieldset: user short: Short name or login of the user. type: keyword + destination.user.risk.calculated_level: + dashed_name: destination-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: destination.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + destination.user.risk.calculated_score: + dashed_name: destination-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: destination.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + destination.user.risk.calculated_score_norm: + dashed_name: destination-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: destination.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + destination.user.risk.static_level: + dashed_name: destination-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: destination.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + destination.user.risk.static_score: + dashed_name: destination-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: destination.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + destination.user.risk.static_score_norm: + dashed_name: destination-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: destination.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float destination.user.roles: dashed_name: destination-user-roles description: Array of user roles at the time of the event. @@ -6706,7 +6866,7 @@ host: short: OS fields contain information about the operating system. - full: host.risk schema_name: risk - short: Fields for describing the risk score and level. + short: Fields for describing risk score and level. short: Fields describing the relevant computing instance. title: Host type: group 
@@ -12710,7 +12870,10 @@ related: title: Related type: group risk: - description: Fields for describing the risk score and level. + beta: These fields are in beta and are subject to change. + description: Fields for describing risk score and risk level of entities such as + hosts and users. These fields are not allowed to be nested under `event.*`. Please + continue to use `event.risk_score` and `event.risk_score_norm` for event risk. fields: risk.calculated_level: dashed_name: risk-calculated-level @@ -12798,8 +12961,8 @@ risk: at: user full: user.risk top_level: false - short: Fields for describing the risk score and level. - title: Risk score information + short: Fields for describing risk score and level. + title: Risk information type: group rule: description: 'Rule fields are used to capture the specifics of any observer or agent 
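Review bot: in the `risk` fieldset hunk, the rule "These fields are not allowed to be nested under `event.*`" exists only as prose in `description`; nothing in the schema stops a producer from emitting `event.risk.*`, so the fieldset's reuse list is the only thing that enforces it, and the docs should state plainly that `event.risk_score` and `event.risk_score_norm` remain the event-level fields. Separately, `beta:` is set on the fieldset only: the reused `client.user.risk.*` and `server.user.risk.*` entries in the flat hunks above carry no `beta` key, so a consumer reading individual field entries cannot tell these fields are beta. Worth confirming that is the intended generator behaviour and calling out the beta status in the changelog entry for this change.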
@@ -13406,6 +13569,86 @@ server: original_fieldset: user short: Short name or login of the user. type: keyword + server.user.risk.calculated_level: + dashed_name: server-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: server.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + server.user.risk.calculated_score: + dashed_name: server-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: server.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + server.user.risk.calculated_score_norm: + dashed_name: server-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: server.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + server.user.risk.static_level: + dashed_name: server-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: server.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + server.user.risk.static_score: + dashed_name: server-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: server.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + server.user.risk.static_score_norm: + dashed_name: server-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: server.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float server.user.roles: dashed_name: server-user-roles description: Array of user roles at the time of the event. 
@@ -14541,6 +14784,86 @@ source: original_fieldset: user short: Short name or login of the user. type: keyword + source.user.risk.calculated_level: + dashed_name: source-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: source.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + source.user.risk.calculated_score: + dashed_name: source-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: source.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + source.user.risk.calculated_score_norm: + dashed_name: source-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: source.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + source.user.risk.static_level: + dashed_name: source-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: source.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + source.user.risk.static_score: + dashed_name: source-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: source.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + source.user.risk.static_score_norm: + dashed_name: source-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: source.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float source.user.roles: dashed_name: source-user-roles description: Array of user roles at the time of the event. @@ -21675,7 +21998,7 @@ user: short: User's group relevant to the event. - full: user.risk schema_name: risk - short: Fields for describing the risk score and level. + short: Fields for describing risk score and level. - full: user.target schema_name: user short: Targeted user of action taken. diff --git a/experimental/generated/elasticsearch/composable/component/client.json b/experimental/generated/elasticsearch/composable/component/client.json index 355ba5edb7..0215b97296 100644 --- a/experimental/generated/elasticsearch/composable/component/client.json 
+++ b/experimental/generated/elasticsearch/composable/component/client.json @@ -173,6 +173,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/composable/component/destination.json b/experimental/generated/elasticsearch/composable/component/destination.json index 487d9736bb..f838ce51fc 100644 --- a/experimental/generated/elasticsearch/composable/component/destination.json +++ b/experimental/generated/elasticsearch/composable/component/destination.json @@ -173,6 +173,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/composable/component/server.json b/experimental/generated/elasticsearch/composable/component/server.json index 281a2d37a4..6d10607e07 100644 --- a/experimental/generated/elasticsearch/composable/component/server.json +++ b/experimental/generated/elasticsearch/composable/component/server.json 
@@ -173,6 +173,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/composable/component/source.json b/experimental/generated/elasticsearch/composable/component/source.json index 06d1f03fd6..d8a7c30fb2 100644 --- a/experimental/generated/elasticsearch/composable/component/source.json +++ b/experimental/generated/elasticsearch/composable/component/source.json @@ -173,6 +173,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index b3272a4b64..07f7b557d6 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json 
@@ -263,6 +263,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "type": "keyword" @@ -746,6 +770,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "type": "keyword" @@ -4274,6 +4322,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "type": "keyword" @@ -4605,6 +4677,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "type": "keyword" 
diff --git a/experimental/schemas/subsets/experimental.yml b/experimental/schemas/subsets/experimental.yml index c3c13aea8d..379fff2e86 100644 --- a/experimental/schemas/subsets/experimental.yml +++ b/experimental/schemas/subsets/experimental.yml @@ -3,5 +3,3 @@ name: experimental fields: cgroup: fields: "*" - risk: - fields: "*" diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 4a5dbeb26d..be0d934310 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
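Review bot: this hunk removes `risk` from `experimental/schemas/subsets/experimental.yml`, leaving only `cgroup` in the experimental subset, which is the promotion of `risk` into the main schema; the matching source-schema change (the `risk` schema definition leaving the experimental tree) is not among the hunks visible here, while the generated files above already reflect the promotion. Confirm the source schema move is part of this change so the generated output and the schema source do not drift.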
@@ -431,6 +431,52 @@ default_field: false description: Short name or login of the user. example: a.einstein + - name: user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false - name: user.roles level: extended type: keyword 
@@ -1229,6 +1275,52 @@ default_field: false description: Short name or login of the user. example: a.einstein + - name: user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false - name: user.roles level: extended type: keyword 
@@ -3650,6 +3742,52 @@ system (nsfs). Unsigned int inum in include/linux/ns_common.h. example: 256383 default_field: false + - name: risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false - name: type level: core type: keyword 
@@ -7179,6 +7317,62 @@ ignore_above: 1024 description: All the user names or other user identifiers seen on the event. default_field: false + - name: risk + title: Risk information + group: 2 + description: Fields for describing risk score and risk level of entities such + as hosts and users. These fields are not allowed to be nested under `event.*`. + Please continue to use `event.risk_score` and `event.risk_score_norm` for event + risk. + type: group + default_field: true + fields: + - name: calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. 
+ example: 83.0 + default_field: false - name: rule title: Rule group: 2 @@ -7557,6 +7751,52 @@ default_field: false description: Short name or login of the user. example: a.einstein + - name: user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false - name: user.roles level: extended type: keyword 
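Review bot: the `risk` group in `generated/beats/fields.ecs.yml` documents `calculated_score_norm` and `static_score_norm` as "normalized to a range of 0 to 100", but the fields are mapped as plain `float` with no bound, and the raw `calculated_score` / `static_score` descriptions give no range at all (the examples 880.73 vs 88.73 and 830.0 vs 83.0 only hint at a producer-specific scale). Suggest the descriptions state that the raw score scale is producer-defined and that the `_norm` variants are the ones to use for comparison across sources, and that any 0 to 100 enforcement has to happen in the ingest pipeline, since the mapping cannot express it.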
@@ -8285,6 +8525,52 @@ default_field: false description: Short name or login of the user. example: a.einstein + - name: user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false - name: user.roles level: extended type: keyword 
@@ -12004,6 +12290,52 @@ description: Short name or login of the user. example: a.einstein default_field: false + - name: changes.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: changes.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: changes.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: changes.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: changes.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: changes.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false - name: changes.roles level: extended type: keyword 
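Review bot: this hunk propagates all six `risk.*` fields under `user.changes`, and the sibling hunks do the same for `user.effective` and `user.target`, but none of the descriptions say whose risk a value in `changes.risk.calculated_score` describes or as of when; a reader of the `changes` object could take `880.73` to be a value that was changed rather than the current score of that user. Either document that nested `risk.*` holds that user entity's risk as of the event, or state that producers should leave it empty under `user.changes`. Counting the CSV hunks, the reuse adds 9 locations × 6 fields = 54 indexed fields, which is worth a sentence in the changelog entry as well.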
@@ -12089,6 +12421,52 @@ description: Short name or login of the user. example: a.einstein default_field: false + - name: effective.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: effective.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: effective.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: effective.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: effective.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: effective.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false - name: effective.roles level: extended type: keyword 
@@ -12153,6 +12531,52 @@ default_field: false description: Short name or login of the user. example: a.einstein + - name: risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false - name: roles level: extended type: keyword 
@@ -12231,6 +12655,52 @@ description: Short name or login of the user. example: a.einstein default_field: false + - name: target.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: target.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: target.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: target.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: target.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: target.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false - name: target.roles level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index d736c50f3d..83e2ea90c6 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -46,6 +46,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.6.0-dev,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. 8.6.0-dev,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,client,client.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.6.0-dev,true,client,client.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.6.0-dev,true,client,client.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.6.0-dev,true,client,client.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.6.0-dev,true,client,client.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.6.0-dev,true,client,client.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 8.6.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 8.6.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. 8.6.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. 
@@ -133,6 +139,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.6.0-dev,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. 8.6.0-dev,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,destination,destination.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.6.0-dev,true,destination,destination.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.6.0-dev,true,destination,destination.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.6.0-dev,true,destination,destination.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.6.0-dev,true,destination,destination.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.6.0-dev,true,destination,destination.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 8.6.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 8.6.0-dev,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. 8.6.0-dev,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. 
@@ -390,6 +402,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." 8.6.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 8.6.0-dev,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode +8.6.0-dev,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.6.0-dev,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.6.0-dev,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.6.0-dev,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.6.0-dev,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.6.0-dev,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 8.6.0-dev,true,host,host.type,keyword,core,,,Type of host. 8.6.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. 8.6.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. 
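Review bot: the raw score rows added here (`host.risk.calculated_score` with example `880.73`, `host.risk.static_score` with example `830.0`) give no scale, so a consumer cannot tell whether 830.0 from an external platform is lower or higher risk than 880.73 from the internal scorer; state in the descriptions that raw scores are producer-specific and only the `*_norm` fields (0 to 100) are comparable across sources, and put that sentence in the `risk` schema so it propagates to every reuse. A note on timing would help too: an entity's score changes continuously, so say whether `host.risk.*` on an event is the score at enrichment time rather than at the time the event occurred.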
@@ -888,6 +906,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.6.0-dev,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. 8.6.0-dev,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,server,server.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.6.0-dev,true,server,server.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.6.0-dev,true,server,server.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.6.0-dev,true,server,server.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.6.0-dev,true,server,server.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.6.0-dev,true,server,server.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 8.6.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 8.6.0-dev,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. 8.6.0-dev,true,service,service.environment,keyword,extended,,production,Environment of the service. 
@@ -959,6 +983,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.6.0-dev,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. 8.6.0-dev,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,source,source.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.6.0-dev,true,source,source.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.6.0-dev,true,source,source.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.6.0-dev,true,source,source.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.6.0-dev,true,source,source.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.6.0-dev,true,source,source.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 8.6.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 8.6.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. 8.6.0-dev,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. 
@@ -1453,6 +1483,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.6.0-dev,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. 8.6.0-dev,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,user,user.changes.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.6.0-dev,true,user,user.changes.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.6.0-dev,true,user,user.changes.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.6.0-dev,true,user,user.changes.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.6.0-dev,true,user,user.changes.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.6.0-dev,true,user,user.changes.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 8.6.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 8.6.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. 8.6.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. 
@@ -1466,6 +1502,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.6.0-dev,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. 8.6.0-dev,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,user,user.effective.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.6.0-dev,true,user,user.effective.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.6.0-dev,true,user,user.effective.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.6.0-dev,true,user,user.effective.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.6.0-dev,true,user,user.effective.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.6.0-dev,true,user,user.effective.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 8.6.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 8.6.0-dev,true,user,user.email,keyword,extended,,,User email address. 8.6.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
@@ -1477,6 +1519,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.6.0-dev,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. 8.6.0-dev,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.6.0-dev,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.6.0-dev,true,user,user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.6.0-dev,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.6.0-dev,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.6.0-dev,true,user,user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 8.6.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 8.6.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. 8.6.0-dev,true,user,user.target.email,keyword,extended,,,User email address. 
@@ -1489,6 +1537,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.6.0-dev,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. 8.6.0-dev,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,user,user.target.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.6.0-dev,true,user,user.target.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.6.0-dev,true,user,user.target.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.6.0-dev,true,user,user.target.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.6.0-dev,true,user,user.target.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.6.0-dev,true,user,user.target.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 8.6.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 8.6.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. 8.6.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index bc0a3f36ca..c141542940 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -547,6 +547,86 @@ client.user.name: original_fieldset: user short: Short name or login of the user. type: keyword +client.user.risk.calculated_level: + dashed_name: client-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: client.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +client.user.risk.calculated_score: + dashed_name: client-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: client.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +client.user.risk.calculated_score_norm: + dashed_name: client-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: client.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +client.user.risk.static_level: + dashed_name: client-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: client.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +client.user.risk.static_score: + dashed_name: client-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: client.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +client.user.risk.static_score_norm: + dashed_name: client-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: client.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float client.user.roles: dashed_name: client-user-roles description: Array of user roles at the time of the event. 
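Review bot: the `short` for `client.user.risk.static_score_norm` ("A normalized risk score calculated by an external system.") contradicts its own `description` ("obtained from outside the system"), and both `_norm` shorts drop the 0 to 100 range that is the only thing distinguishing them from the raw score fields; since `short` is what lands in the CSV and the field tables, make it match, e.g. `short: A risk score obtained from outside the system, normalized to 0 to 100.` and `short: A risk score calculated by an internal system, normalized to 0 to 100.` Both come from the `risk` schema, so one fix there regenerates every reuse.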
@@ -1618,6 +1698,86 @@ destination.user.name: original_fieldset: user short: Short name or login of the user. type: keyword +destination.user.risk.calculated_level: + dashed_name: destination-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: destination.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +destination.user.risk.calculated_score: + dashed_name: destination-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: destination.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +destination.user.risk.calculated_score_norm: + dashed_name: destination-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: destination.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +destination.user.risk.static_level: + dashed_name: destination-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: destination.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +destination.user.risk.static_score: + dashed_name: destination-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: destination.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +destination.user.risk.static_score_norm: + dashed_name: destination-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: destination.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float destination.user.roles: dashed_name: destination-user-roles description: Array of user roles at the time of the event. 
@@ -5231,6 +5391,86 @@ host.pid_ns_ino: normalize: [] short: Pid namespace inode type: keyword +host.risk.calculated_level: + dashed_name: host-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: host.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +host.risk.calculated_score: + dashed_name: host-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: host.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +host.risk.calculated_score_norm: + dashed_name: host-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: host.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +host.risk.static_level: + dashed_name: host-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: host.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +host.risk.static_score: + dashed_name: host-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: host.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +host.risk.static_score_norm: + dashed_name: host-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: host.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float host.type: dashed_name: host-type description: 'Type of host. 
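Review bot: The example values in this hunk imply two different normalization rules: `host.risk.static_score` 830.0 pairs with `host.risk.static_score_norm` 83.0 (a plain divide-by-ten), while `host.risk.calculated_score` 880.73 pairs with `host.risk.calculated_score_norm` 88.73 rather than 88.073. A reader will infer a linear 0 to 1000 into 0 to 100 mapping from the first pair and be contradicted by the second; either make both example pairs follow the same rule or state in the `calculated_score_norm` description that how a raw score is normalized is specific to the scoring system, since the only constraint the description gives is "normalized to a range of 0 to 100".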
@@ -11175,6 +11415,86 @@ server.user.name: original_fieldset: user short: Short name or login of the user. type: keyword +server.user.risk.calculated_level: + dashed_name: server-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: server.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +server.user.risk.calculated_score: + dashed_name: server-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: server.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +server.user.risk.calculated_score_norm: + dashed_name: server-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: server.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +server.user.risk.static_level: + dashed_name: server-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: server.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +server.user.risk.static_score: + dashed_name: server-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: server.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +server.user.risk.static_score_norm: + dashed_name: server-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: server.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float server.user.roles: dashed_name: server-user-roles description: Array of user roles at the time of the event. 
@@ -12222,6 +12542,86 @@ source.user.name: original_fieldset: user short: Short name or login of the user. type: keyword +source.user.risk.calculated_level: + dashed_name: source-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: source.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +source.user.risk.calculated_score: + dashed_name: source-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: source.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +source.user.risk.calculated_score_norm: + dashed_name: source-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: source.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +source.user.risk.static_level: + dashed_name: source-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: source.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +source.user.risk.static_score: + dashed_name: source-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: source.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +source.user.risk.static_score_norm: + dashed_name: source-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: source.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float source.user.roles: dashed_name: source-user-roles description: Array of user roles at the time of the event. 
@@ -18419,6 +18819,86 @@ user.changes.name: original_fieldset: user short: Short name or login of the user. type: keyword +user.changes.risk.calculated_level: + dashed_name: user-changes-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: user.changes.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +user.changes.risk.calculated_score: + dashed_name: user-changes-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: user.changes.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +user.changes.risk.calculated_score_norm: + dashed_name: user-changes-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: user.changes.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +user.changes.risk.static_level: + dashed_name: user-changes-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: user.changes.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +user.changes.risk.static_score: + dashed_name: user-changes-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: user.changes.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +user.changes.risk.static_score_norm: + dashed_name: user-changes-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: user.changes.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float user.changes.roles: dashed_name: user-changes-roles description: Array of user roles at the time of the event. 
@@ -18562,6 +19042,86 @@ user.effective.name: original_fieldset: user short: Short name or login of the user. type: keyword +user.effective.risk.calculated_level: + dashed_name: user-effective-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: user.effective.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +user.effective.risk.calculated_score: + dashed_name: user-effective-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: user.effective.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +user.effective.risk.calculated_score_norm: + dashed_name: user-effective-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: user.effective.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +user.effective.risk.static_level: + dashed_name: user-effective-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: user.effective.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +user.effective.risk.static_score: + dashed_name: user-effective-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: user.effective.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +user.effective.risk.static_score_norm: + dashed_name: user-effective-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: user.effective.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float user.effective.roles: dashed_name: user-effective-roles description: Array of user roles at the time of the event. 
@@ -18675,6 +19235,86 @@ user.name: normalize: [] short: Short name or login of the user. type: keyword +user.risk.calculated_level: + dashed_name: user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +user.risk.calculated_score: + dashed_name: user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +user.risk.calculated_score_norm: + dashed_name: user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +user.risk.static_level: + dashed_name: user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +user.risk.static_score: + dashed_name: user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +user.risk.static_score_norm: + dashed_name: user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float user.roles: dashed_name: user-roles description: Array of user roles at the time of the event. 
@@ -18805,6 +19445,86 @@ user.target.name: original_fieldset: user short: Short name or login of the user. type: keyword +user.target.risk.calculated_level: + dashed_name: user-target-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: user.target.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +user.target.risk.calculated_score: + dashed_name: user-target-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: user.target.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +user.target.risk.calculated_score_norm: + dashed_name: user-target-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: user.target.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +user.target.risk.static_level: + dashed_name: user-target-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: user.target.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +user.target.risk.static_score: + dashed_name: user-target-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: user.target.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +user.target.risk.static_score_norm: + dashed_name: user-target-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: user.target.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float user.target.roles: dashed_name: user-target-roles description: Array of user roles at the time of the event. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 7b3c1ff8a4..4d87897f6f 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -699,6 +699,86 @@ client: original_fieldset: user short: Short name or login of the user. type: keyword + client.user.risk.calculated_level: + dashed_name: client-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: client.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + client.user.risk.calculated_score: + dashed_name: client-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: client.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + client.user.risk.calculated_score_norm: + dashed_name: client-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: client.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + client.user.risk.static_level: + dashed_name: client-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: client.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + client.user.risk.static_score: + dashed_name: client-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: client.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + client.user.risk.static_score_norm: + dashed_name: client-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: client.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float client.user.roles: dashed_name: client-user-roles description: Array of user roles at the time of the event. 
@@ -2029,6 +2109,86 @@ destination: original_fieldset: user short: Short name or login of the user. type: keyword + destination.user.risk.calculated_level: + dashed_name: destination-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: destination.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + destination.user.risk.calculated_score: + dashed_name: destination-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: destination.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + destination.user.risk.calculated_score_norm: + dashed_name: destination-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: destination.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + destination.user.risk.static_level: + dashed_name: destination-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: destination.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + destination.user.risk.static_score: + dashed_name: destination-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: destination.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + destination.user.risk.static_score_norm: + dashed_name: destination-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: destination.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float destination.user.roles: dashed_name: destination-user-roles description: Array of user roles at the time of the event. 
@@ -6506,6 +6666,86 @@ host: normalize: [] short: Pid namespace inode type: keyword + host.risk.calculated_level: + dashed_name: host-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: host.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + host.risk.calculated_score: + dashed_name: host-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: host.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + host.risk.calculated_score_norm: + dashed_name: host-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: host.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + host.risk.static_level: + dashed_name: host-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: host.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + host.risk.static_score: + dashed_name: host-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: host.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + host.risk.static_score_norm: + dashed_name: host-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: host.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float host.type: dashed_name: host-type description: 'Type of host. @@ -6535,6 +6775,7 @@ host: nestings: - host.geo - host.os + - host.risk prefix: host. reused_here: - full: host.geo @@ -6543,6 +6784,9 @@ host: - full: host.os schema_name: os short: OS fields contain information about the operating system. + - full: host.risk + schema_name: risk + short: Fields for describing risk score and level. short: Fields describing the relevant computing instance. title: Host type: group 
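Review bot: The `reused_here` entry added for `host.risk` carries no `beta` marker, and none of the `host.risk.*` field copies in this hunk do either, even though the `risk` fieldset itself is declared `beta: These fields are in beta and are subject to change.` If the beta notice is intended to apply wherever the fields are reused, the reuse definition should carry it so the generated docs flag `host.risk.*` (and the `user.*`, `client.*`, `server.*`, `source.*` and `destination.*` copies added elsewhere in this patch) the same way the top-level fieldset is flagged; otherwise consumers will see stable-looking `host.risk.*` fields backed by a beta schema.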
@@ -12545,6 +12789,101 @@ related: short: Fields meant to facilitate pivoting around a piece of data. title: Related type: group +risk: + beta: These fields are in beta and are subject to change. + description: Fields for describing risk score and risk level of entities such as + hosts and users. These fields are not allowed to be nested under `event.*`. Please + continue to use `event.risk_score` and `event.risk_score_norm` for event risk. + fields: + risk.calculated_level: + dashed_name: risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + risk.calculated_score: + dashed_name: risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: risk.calculated_score + level: extended + name: calculated_score + normalize: [] + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + risk.calculated_score_norm: + dashed_name: risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + short: A normalized risk score calculated by an internal system. + type: float + risk.static_level: + dashed_name: risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + risk.static_score: + dashed_name: risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: risk.static_score + level: extended + name: static_score + normalize: [] + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + risk.static_score_norm: + dashed_name: risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + short: A normalized risk score calculated by an external system. + type: float + group: 2 + name: risk + prefix: risk. + reusable: + expected: + - as: risk + at: host + full: host.risk + - as: risk + at: user + full: user.risk + top_level: false + short: Fields for describing risk score and level. + title: Risk information + type: group rule: description: 'Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. 
@@ -13150,6 +13489,86 @@ server: original_fieldset: user short: Short name or login of the user. type: keyword + server.user.risk.calculated_level: + dashed_name: server-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: server.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + server.user.risk.calculated_score: + dashed_name: server-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: server.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + server.user.risk.calculated_score_norm: + dashed_name: server-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: server.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + server.user.risk.static_level: + dashed_name: server-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: server.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + server.user.risk.static_score: + dashed_name: server-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: server.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + server.user.risk.static_score_norm: + dashed_name: server-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: server.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float server.user.roles: dashed_name: server-user-roles description: Array of user roles at the time of the event. 
@@ -14285,6 +14704,86 @@ source: original_fieldset: user short: Short name or login of the user. type: keyword + source.user.risk.calculated_level: + dashed_name: source-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: source.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + source.user.risk.calculated_score: + dashed_name: source-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: source.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + source.user.risk.calculated_score_norm: + dashed_name: source-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: source.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + source.user.risk.static_level: + dashed_name: source-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: source.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + source.user.risk.static_score: + dashed_name: source-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: source.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + source.user.risk.static_score_norm: + dashed_name: source-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: source.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float source.user.roles: dashed_name: source-user-roles description: Array of user roles at the time of the event. 
@@ -20643,6 +21142,86 @@ user: original_fieldset: user short: Short name or login of the user. type: keyword + user.changes.risk.calculated_level: + dashed_name: user-changes-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: user.changes.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + user.changes.risk.calculated_score: + dashed_name: user-changes-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: user.changes.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + user.changes.risk.calculated_score_norm: + dashed_name: user-changes-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: user.changes.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + user.changes.risk.static_level: + dashed_name: user-changes-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: user.changes.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + user.changes.risk.static_score: + dashed_name: user-changes-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: user.changes.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + user.changes.risk.static_score_norm: + dashed_name: user-changes-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: user.changes.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float user.changes.roles: dashed_name: user-changes-roles description: Array of user roles at the time of the event. 
@@ -20786,6 +21365,86 @@ user: original_fieldset: user short: Short name or login of the user. type: keyword + user.effective.risk.calculated_level: + dashed_name: user-effective-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: user.effective.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + user.effective.risk.calculated_score: + dashed_name: user-effective-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: user.effective.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + user.effective.risk.calculated_score_norm: + dashed_name: user-effective-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: user.effective.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + user.effective.risk.static_level: + dashed_name: user-effective-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: user.effective.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + user.effective.risk.static_score: + dashed_name: user-effective-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: user.effective.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + user.effective.risk.static_score_norm: + dashed_name: user-effective-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: user.effective.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float user.effective.roles: dashed_name: user-effective-roles description: Array of user roles at the time of the event. 
@@ -20899,6 +21558,86 @@ user: normalize: [] short: Short name or login of the user. type: keyword + user.risk.calculated_level: + dashed_name: user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + user.risk.calculated_score: + dashed_name: user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + user.risk.calculated_score_norm: + dashed_name: user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + user.risk.static_level: + dashed_name: user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + user.risk.static_score: + dashed_name: user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + user.risk.static_score_norm: + dashed_name: user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float user.roles: dashed_name: user-roles description: Array of user roles at the time of the event. 
@@ -21029,6 +21768,86 @@ user: original_fieldset: user short: Short name or login of the user. type: keyword + user.target.risk.calculated_level: + dashed_name: user-target-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: user.target.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + user.target.risk.calculated_score: + dashed_name: user-target-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: user.target.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + user.target.risk.calculated_score_norm: + dashed_name: user-target-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: user.target.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + user.target.risk.static_level: + dashed_name: user-target-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: user.target.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + user.target.risk.static_score: + dashed_name: user-target-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: user.target.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + user.target.risk.static_score_norm: + dashed_name: user-target-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: user.target.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float user.target.roles: dashed_name: user-target-roles description: Array of user roles at the time of the event. @@ -21048,6 +21867,7 @@ user: - user.changes - user.effective - user.group + - user.risk - user.target prefix: user. reusable: @@ -21096,6 +21916,9 @@ user: - full: user.group schema_name: group short: User's group relevant to the event. + - full: user.risk + schema_name: risk + short: Fields for describing risk score and level. - full: user.target schema_name: user short: Targeted user of action taken. diff --git a/generated/elasticsearch/composable/component/client.json b/generated/elasticsearch/composable/component/client.json index a2b0135e7d..e2cf0292f7 100644 
--- a/generated/elasticsearch/composable/component/client.json +++ b/generated/elasticsearch/composable/component/client.json @@ -173,6 +173,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/composable/component/destination.json b/generated/elasticsearch/composable/component/destination.json index 1e7b28beef..2b351e5f80 100644 --- a/generated/elasticsearch/composable/component/destination.json +++ b/generated/elasticsearch/composable/component/destination.json @@ -173,6 +173,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/composable/component/host.json b/generated/elasticsearch/composable/component/host.json index 2c5cd8746d..d49d77f4ce 100644 --- a/generated/elasticsearch/composable/component/host.json +++ b/generated/elasticsearch/composable/component/host.json 
@@ -186,6 +186,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "type": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/composable/component/server.json b/generated/elasticsearch/composable/component/server.json index 414356f855..591352a1df 100644 --- a/generated/elasticsearch/composable/component/server.json +++ b/generated/elasticsearch/composable/component/server.json @@ -173,6 +173,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/composable/component/source.json b/generated/elasticsearch/composable/component/source.json index 3230d465c8..c5f1c281c9 100644 --- a/generated/elasticsearch/composable/component/source.json +++ b/generated/elasticsearch/composable/component/source.json 
@@ -173,6 +173,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/composable/component/user.json b/generated/elasticsearch/composable/component/user.json index 82116d6a69..219b4b046f 100644 --- a/generated/elasticsearch/composable/component/user.json +++ b/generated/elasticsearch/composable/component/user.json @@ -60,6 +60,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "type": "keyword" @@ -122,6 +146,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "type": "keyword" 
@@ -174,6 +222,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "type": "keyword" @@ -230,6 +302,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index 900adf8352..c51951be7d 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -221,6 +221,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "type": "keyword" 
@@ -704,6 +728,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "type": "keyword" @@ -1864,6 +1912,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "type": { "ignore_above": 1024, "type": "keyword" @@ -4208,6 +4280,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "type": "keyword" @@ -4539,6 +4635,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "type": "keyword" 
@@ -6722,6 +6842,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "type": "keyword" @@ -6784,6 +6928,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "type": "keyword" @@ -6836,6 +7004,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "type": "keyword" @@ -6892,6 +7084,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "type": "keyword" 
diff --git a/experimental/schemas/risk.yml b/schemas/risk.yml similarity index 82% rename from experimental/schemas/risk.yml rename to schemas/risk.yml index 72f4ebd846..b70640c473 100644 --- a/experimental/schemas/risk.yml +++ b/schemas/risk.yml @@ -1,10 +1,14 @@ --- - name: risk - title: Risk score information + title: Risk information group: 2 - short: Fields for describing the risk score and level. + short: Fields for describing risk score and level. + beta: > + These fields are in beta and are subject to change. description: > - Fields for describing the risk score and level. + Fields for describing risk score and risk level of entities such as hosts and users. + These fields are not allowed to be nested under `event.*`. Please continue to use + `event.risk_score` and `event.risk_score_norm` for event risk. reusable: top_level: false expected: diff --git a/schemas/subsets/main.yml b/schemas/subsets/main.yml index a0a5c16385..5185608f29 100644 --- a/schemas/subsets/main.yml +++ b/schemas/subsets/main.yml @@ -373,6 +373,8 @@ fields: fields: "*" related: fields: "*" + risk: + fields: "*" rule: fields: "*" server: From 16d2cbba82f75e950b2148a3ca9a5e0547db168b Mon Sep 17 00:00:00 2001 From: Apoorva Joshi <30438249+ajosh0504@users.noreply.github.com> Date: Tue, 20 Sep 2022 09:47:15 -0700 Subject: [PATCH 037/186] [RFC] Risk Fields- Stage 3 (#2048) * Updating some sections * Updating stage 3 PR link * Adding anote about existing event risk fields and plan forward --- rfcs/text/0031-risk-fields.md | 48 +++++++++++++++++------------------ 1 file changed, 23 insertions(+), 25 deletions(-) diff --git a/rfcs/text/0031-risk-fields.md b/rfcs/text/0031-risk-fields.md index 7e62120854..15bea1efad 100644 --- a/rfcs/text/0031-risk-fields.md +++ b/rfcs/text/0031-risk-fields.md 
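Review bot: in the `schemas/risk.yml` hunk the new description forbids nesting these fields under `event.*`, but nothing in the hunk enforces that; with `reusable.top_level: false` it is the `expected` list (cut off at the end of the hunk) that decides where `risk` may be reused, so confirm `event` is absent from it and consider a generator check so that `event.risk.*` cannot be emitted by accident. The same hunk should also state how `calculated_score_norm` and `static_score_norm` are normalised: the template hunks above map them as plain `float` with no range, and anyone comparing them with `event.risk_score_norm` needs to know whether the scales match. Minor: `title` was changed to "Risk information" while `short` still says "risk score and level"; pick one wording for both.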
@@ -1,9 +1,9 @@ # 0031: Risk fields for multiple entities -- Stage: **2 (candidate)** -- Date: **2022/08/15** +- Stage: **3 (finished)** +- Date: **2022/09/08** -In 7.16, we released an experimental feature in the Security solution, called [Host Risk Score](https://www.elastic.co/guide/en/security/7.17/host-risk-score.html). Initially, the requirement of the feature was limited to surfacing risky hosts in a customer environment. As the feature matures, we want to further integrate it into the Security solution, and be able to perform filtering and sorting operations based on the risk information. Furthermore, there's also work currently in progress for a User Risk Score functionality, which will highlight users at risk within the Security solution. Both these features (and potentially others) currently could benefit from having a reusable risk field set highlighting information like risk score, risk level, contributors to risk etc. +In 7.16, we released an experimental feature in the Security solution, called [Host Risk Score](https://www.elastic.co/guide/en/security/7.17/host-risk-score.html) to surface risky hosts in a customer environment. In 8.3, we released a similar feature called [User Risk Score](https://www.elastic.co/guide/en/security/current/user-risk-score.html) to expose at-risk users. As the two features mature, we want to further integrate them into the Security App, and enable users to perform filtering, sorting and enrichment based on the risk information. To that effect, we propose a reusable risk field set highlighting information like risk score, risk level etc., which could be used to express entity risk in the Security App. - ## Usage -As mentioned previously, we have released an experimental feature called Host Risk Score in the Security solution recently. 
As of 7.16, the feature has some real estate on the Overview page and the Alert Flyout within the Security solution, as documented [here](https://www.elastic.co/guide/en/security/8.0/host-risk-score.html). In 8.1, users will also be able to see host risk information on the Hosts page and Host Details page as well. +As mentioned previously, we currently have two experimental entity risk features in the Security App, namely Host Risk Score and User Risk Score. Host risk information can be viewed in [several locations](https://www.elastic.co/guide/en/security/8.4/host-risk-score.html#_additional_places_to_visualize_host_risk_score_data) in the Security App, including the Overview tab and the Hosts page. + +User risk information can be found on the [Users page](https://www.elastic.co/guide/en/security/8.4/user-risk-score.html#view-user-risk-score) in the Security App. -In addition to Host Risk Score, there is work currently in progress to introduce a Users page in the Security solution and a User Risk Scoring capability. Entities at risk is a new concept for users of the Security solution. Defining and normalizing this concept of entity risk using the `risk` fields will be crucial for users to get the most out of the Host and User Risk Scoring capabilities when they go GA. +Alerts are also being enriched with host and user risk information to help with alert investigation and triage. -Furthermore, these `risk` fields will provide users with an additional vector to filter, sort and correlate information within the Security solution. For example, users will be able to start investigations by running queries like the following: +With `risk` information available in multiple locations in the Security App, users can use it as an additional vector to filter, sort and correlate information within the Security App. 
For example, users will be able to start investigations by running queries like the following: * "Show me the most critical and high-risk Windows hosts in my environment" * "Show me the activity that contributed towards making Host X high-risk" -* "Show me how the risk of Host X changed over time" -* "Show me Critical and high-risk users on Host X" - +* "Show me the alerts corresponding to high-risk users in my environment" +* "Show me how the risk of User X changed over time" ## Source data 
@@ -127,25 +124,23 @@ An example of a mapped document produced by the user risk score transform is as ### Alerts -The risk fields can be used to enrich alerts with entity risk information coming from internal systems such as host and user risk score, as well as external sources such as third-party threat intelligence feeds. An example of an alert document enriched with entity risk data from internal and external sources is provided in the RFC folder `0031`. - - +The risk fields will be used to enrich alerts with entity risk information coming from internal systems such as host and user risk score, as well as external sources such as third-party threat intelligence feeds. An example of an alert document enriched with entity risk data from internal and external sources is provided in the RFC folder `0031`. ## Scope of impact -We have several views (Hosts page, Overview page, Alerts flyouts) in the Security Solution which are populated by the Host and User Risk Score indices. These views will need to be updated to use the new ECS fields. Any new workflows built on top of Host Risk Score will also need to adopt these new fields. +We have several views in the Security App where host and user risk information is displayed. These views will need to be updated to use the new ECS fields. Any new workflows built on top of host and user risk scores will also need to adopt these new fields. + +We currently have a small number (~60) of customer clusters that have deployed Host Risk Score in its experimental state. If these users were to upgrade to a Kibana version where the Security App uses the new ECS fields, they will also need to install the new Host Risk Score transforms and Lens dashboards. These users will also need to be informed that any views involving host risk in the Security App will cease to work on old (before upgrade) data. -We currently have a small number (<50) of customer clusters that have deployed Host Risk Score in its experimental state. 
If these users were to upgrade to a Kibana version where the Security App uses these ECS fields, they will have to recreate the Host Risk Score transforms, and index mappings. These users will also need to be informed that any host risk-related views in the Security App will cease to work on old (before upgrade) data. +A similar process will follow for customers who have already enabled User Risk Score. ## Concerns -Certain views in the Security App will not work on older data for current users of Host Risk Score. Users will need to recreate the Host Risk Score transforms and related index mappings. +We have an internal plan in place to port the Host and User Risk Score transforms, dashboards, and any existing host and user risk views in the Security App, to use the new ECS fields. - +For existing users, migrate buttons on the host and user risk score cards on the Overview page will delete existing artifacts and re-install new ones. This migration strategy does not involve preserving historical risk data- this is left up to the user since the features are still experimental. However, we will be sure to communicate this clearly via documentation and in the UI. + +We currently have two risk fields, `risk_score` and `risk_score_norm` that can be associated with `event` object. We will clarify this in the description for the new risk fields, stating that these new fields apply to entities only and should not be nested under the event object. ## People @@ -156,7 +151,8 @@ The following are the people that consulted on the contents of this RFC. ## References - +* [About Host Risk Score](https://www.elastic.co/guide/en/security/8.4/host-risk-score.html) +* [About User Risk Score](https://www.elastic.co/guide/en/security/8.4/user-risk-score.html) ### RFC Pull Requests 
@@ -167,3 +163,5 @@ The following are the people that consulted on the contents of this RFC. * Stage 1: https://github.com/elastic/ecs/pull/1744 * Stage 2: https://github.com/elastic/ecs/pull/2027 + +* Stage 3: https://github.com/elastic/ecs/pull/2048 From 266cf6aa62e46bff1965342a61191ce5ffe1b0d7 Mon Sep 17 00:00:00 2001 From: Daniel Araujo Almeida Date: Tue, 20 Sep 2022 10:14:55 -0700 Subject: [PATCH 038/186] Add attested user and groups to process (#2050) * Add attested user and group to process * Drop auid, make attested groups an array, and clarify that attestation is based on an external source * Update short description and add process.attested_user and attested_groups to CHANGELOG * subset file updated for process.entry_leader.attested_user and attested_groups * updates from make Co-authored-by: Karl Godard Co-authored-by: Kylie Geller --- CHANGELOG.next.md | 1 + docs/fields/field-details.asciidoc | 22 ++++++ experimental/generated/beats/fields.ecs.yml | 23 +++++++ experimental/generated/csv/fields.csv | 4 ++ experimental/generated/ecs/ecs_flat.yml | 39 +++++++++++ experimental/generated/ecs/ecs_nested.yml | 67 +++++++++++++++++++ .../composable/component/process.json | 25 +++++++ .../elasticsearch/legacy/template.json | 25 +++++++ generated/beats/fields.ecs.yml | 23 +++++++ generated/csv/fields.csv | 4 ++ generated/ecs/ecs_flat.yml | 39 +++++++++++ generated/ecs/ecs_nested.yml | 67 +++++++++++++++++++ .../composable/component/process.json | 25 +++++++ generated/elasticsearch/legacy/template.json | 25 +++++++ schemas/group.yml | 6 ++ schemas/subsets/main.yml | 7 ++ schemas/user.yml | 4 ++ 17 files changed, 406 insertions(+) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 9b22c3b2ce..bbb750ba35 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md 
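Review bot: in the `rfcs/text/0031-risk-fields.md` patch above, the rewritten Usage list keeps a trend query ("Show me how the risk of User X changed over time") while the new Concerns paragraph says the migrate buttons delete existing artifacts and do not preserve historical risk data; reconcile the two, either by stating that trend queries only cover data produced after migration or by documenting a snapshot or reindex step users can take before pressing migrate. The Scope of impact hunk raises the affected cluster count from "<50" to "~60" and now says users must install new transforms and Lens dashboards instead of recreating transforms and index mappings; a pointer to where that procedure will be documented would help, since the `event.risk_score`/`event.risk_score_norm` clarification at the end of Concerns lives only in the field description. Nit: the final hunk inserts a blank line before `* Stage 3:` although the Stage 1 and Stage 2 entries are adjacent.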
@@ -50,6 +50,7 @@ Thanks, you're awesome :-) --> * Adding `process.io.*` as beta fields. #1956, #2031 * Adding `process.tty.rows` and `process.tty.columns` as beta fields. #2031 * Changed `process.env_vars` field type to be an array of keywords. #2038 +* `process.attested_user` and `process.attested_groups` as beta fields. #2050 * Added `risk.*` fieldset to beta. #2051 #### Improvements diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index a8083198b0..797c34d30f 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -4621,6 +4621,8 @@ type: keyword The `group` fields are expected to be nested at: +* `process.attested_groups` + * `process.group` * `process.real_group` @@ -7766,6 +7768,24 @@ Note also that the `process` fields may be used directly at the root of the even // =============================================================== +| `process.attested_groups.*` +| <>| beta:[ Reusing the `group` fields in this location is currently considered beta.] + +The externally attested groups based on an external source such as the Kube API. + +Note: this reuse should contain an array of group field set objects. + +// =============================================================== + + +| `process.attested_user.*` +| <>| beta:[ Reusing the `user` fields in this location is currently considered beta.] + +The externally attested user based on an external source such as the Kube API. + +// =============================================================== + + | `process.code_signature.*` | <> | These fields contain information about binary code signatures. @@ -11631,6 +11651,8 @@ The `user` fields are expected to be nested at: * `destination.user` +* `process.attested_user` + * `process.real_user` * `process.saved_user` diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 6a81f1d149..5532c2688c 100644 --- a/experimental/generated/beats/fields.ecs.yml 
+++ b/experimental/generated/beats/fields.ecs.yml @@ -5334,6 +5334,29 @@ indication of suspicious activity.' example: 4 default_field: false + - name: entry_leader.attested_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: entry_leader.attested_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: entry_leader.attested_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false - name: entry_leader.command_line level: extended type: wildcard diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 20eacbc393..463cc2bf10 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -584,6 +584,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev+exp,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 8.6.0-dev+exp,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 8.6.0-dev+exp,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. +8.6.0-dev+exp,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group. +8.6.0-dev+exp,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev+exp,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev+exp,true,process,process.entry_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 8.6.0-dev+exp,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 8.6.0-dev+exp,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 8.6.0-dev+exp,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index a2f70943af..64d2d9021f 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -7615,6 +7615,45 @@ process.entry_leader.args_count: original_fieldset: process short: Length of the process.args array. type: long +process.entry_leader.attested_groups.name: + dashed_name: process-entry-leader-attested-groups-name + description: Name of the group. + flat_name: process.entry_leader.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.attested_user.id: + dashed_name: process-entry-leader-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.entry_leader.attested_user.name: + dashed_name: process-entry-leader-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword process.entry_leader.command_line: dashed_name: process-entry-leader-command-line description: 'Full command line that started the process, including the absolute diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 461afa34a5..d90a8e8156 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -6189,6 +6189,14 @@ group: normalize: - array short_override: An array of supplemental groups. + - as: attested_groups + at: process + beta: Reusing the `group` fields in this location is currently considered beta. + full: process.attested_groups + normalize: + - array + short_override: The externally attested groups based on an external source such + as the Kube API. top_level: true short: User's group relevant to the event. title: Group @@ -9336,6 +9344,45 @@ process: original_fieldset: process short: Length of the process.args array. type: long + process.entry_leader.attested_groups.name: + dashed_name: process-entry-leader-attested-groups-name + description: Name of the group. + flat_name: process.entry_leader.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.attested_user.id: + dashed_name: process-entry-leader-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.entry_leader.attested_user.name: + dashed_name: process-entry-leader-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword process.entry_leader.command_line: dashed_name: process-entry-leader-command-line description: 'Full command line that started the process, including the absolute 
@@ -12504,6 +12551,8 @@ process: group: 2 name: process nestings: + - process.attested_groups + - process.attested_user - process.code_signature - process.elf - process.entry_leader @@ -12618,6 +12667,13 @@ process: - array schema_name: group short: An array of supplemental groups. + - beta: Reusing the `group` fields in this location is currently considered beta. + full: process.attested_groups + normalize: + - array + schema_name: group + short: The externally attested groups based on an external source such as the + Kube API. - full: process.hash schema_name: hash short: Hashes, usually file hashes. @@ -12647,6 +12703,11 @@ process: full: process.real_user schema_name: user short: The real user (ruid). Identifies the real owner of the process. + - beta: Reusing the `user` fields in this location is currently considered beta. + full: process.attested_user + schema_name: user + short: The externally attested user based on an external source such as the Kube + API. - full: process.parent schema_name: process short: Information about the parent process. @@ -21991,6 +22052,12 @@ user: beta: Reusing the `user` fields in this location is currently considered beta. full: process.real_user short_override: The real user (ruid). Identifies the real owner of the process. + - as: attested_user + at: process + beta: Reusing the `user` fields in this location is currently considered beta. + full: process.attested_user + short_override: The externally attested user based on an external source such + as the Kube API. top_level: true reused_here: - full: user.group diff --git a/experimental/generated/elasticsearch/composable/component/process.json b/experimental/generated/elasticsearch/composable/component/process.json index a987ce8623..8a9a78cd29 100644 --- a/experimental/generated/elasticsearch/composable/component/process.json +++ b/experimental/generated/elasticsearch/composable/component/process.json 
@@ -192,6 +192,31 @@ "args_count": { "type": "long" }, + "attested_groups": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, "command_line": { "fields": { "text": { diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index 07f7b557d6..6f6c9c8008 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -2760,6 +2760,31 @@ "args_count": { "type": "long" }, + "attested_groups": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, "command_line": { "fields": { "text": { diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index be0d934310..32629d878c 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -5284,6 +5284,29 @@ indication of suspicious activity.' example: 4 default_field: false + - name: entry_leader.attested_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: entry_leader.attested_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: entry_leader.attested_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false - name: entry_leader.command_line level: extended type: wildcard diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 83e2ea90c6..aab536a8e9 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -577,6 +577,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 8.6.0-dev,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 8.6.0-dev,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. +8.6.0-dev,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group. +8.6.0-dev,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.6.0-dev,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.6.0-dev,true,process,process.entry_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 8.6.0-dev,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 8.6.0-dev,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 8.6.0-dev,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index c141542940..7e76a38f3d 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -7546,6 +7546,45 @@ process.entry_leader.args_count: original_fieldset: process short: Length of the process.args array. type: long +process.entry_leader.attested_groups.name: + dashed_name: process-entry-leader-attested-groups-name + description: Name of the group. + flat_name: process.entry_leader.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.attested_user.id: + dashed_name: process-entry-leader-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.entry_leader.attested_user.name: + dashed_name: process-entry-leader-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword process.entry_leader.command_line: dashed_name: process-entry-leader-command-line description: 'Full command line that started the process, including the absolute diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 4d87897f6f..515632615c 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -6109,6 +6109,14 @@ group: normalize: - array short_override: An array of supplemental groups. + - as: attested_groups + at: process + beta: Reusing the `group` fields in this location is currently considered beta. + full: process.attested_groups + normalize: + - array + short_override: The externally attested groups based on an external source such + as the Kube API. top_level: true short: User's group relevant to the event. title: Group @@ -9256,6 +9264,45 @@ process: original_fieldset: process short: Length of the process.args array. type: long + process.entry_leader.attested_groups.name: + dashed_name: process-entry-leader-attested-groups-name + description: Name of the group. + flat_name: process.entry_leader.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.attested_user.id: + dashed_name: process-entry-leader-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.entry_leader.attested_user.name: + dashed_name: process-entry-leader-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword process.entry_leader.command_line: dashed_name: process-entry-leader-command-line description: 'Full command line that started the process, including the absolute 
@@ -12424,6 +12471,8 @@ process: group: 2 name: process nestings: + - process.attested_groups + - process.attested_user - process.code_signature - process.elf - process.entry_leader @@ -12538,6 +12587,13 @@ process: - array schema_name: group short: An array of supplemental groups. + - beta: Reusing the `group` fields in this location is currently considered beta. + full: process.attested_groups + normalize: + - array + schema_name: group + short: The externally attested groups based on an external source such as the + Kube API. - full: process.hash schema_name: hash short: Hashes, usually file hashes. @@ -12567,6 +12623,11 @@ process: full: process.real_user schema_name: user short: The real user (ruid). Identifies the real owner of the process. + - beta: Reusing the `user` fields in this location is currently considered beta. + full: process.attested_user + schema_name: user + short: The externally attested user based on an external source such as the Kube + API. - full: process.parent schema_name: process short: Information about the parent process. @@ -21911,6 +21972,12 @@ user: beta: Reusing the `user` fields in this location is currently considered beta. full: process.real_user short_override: The real user (ruid). Identifies the real owner of the process. + - as: attested_user + at: process + beta: Reusing the `user` fields in this location is currently considered beta. + full: process.attested_user + short_override: The externally attested user based on an external source such + as the Kube API. top_level: true reused_here: - full: user.group diff --git a/generated/elasticsearch/composable/component/process.json b/generated/elasticsearch/composable/component/process.json index 3ee5351ad7..8f90a4f7d8 100644 --- a/generated/elasticsearch/composable/component/process.json +++ b/generated/elasticsearch/composable/component/process.json 
@@ -192,6 +192,31 @@ "args_count": { "type": "long" }, + "attested_groups": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, "command_line": { "fields": { "text": { diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index c51951be7d..a57759aa3c 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -2718,6 +2718,31 @@ "args_count": { "type": "long" }, + "attested_groups": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, "command_line": { "fields": { "text": { diff --git a/schemas/group.yml b/schemas/group.yml index 19c698baaf..9f51403042 100644 --- a/schemas/group.yml +++ b/schemas/group.yml @@ -47,6 +47,12 @@ beta: Reusing the `group` fields in this location is currently considered beta. normalize: - array + - at: process + as: attested_groups + short_override: The externally attested groups based on an external source such as the Kube API. + beta: Reusing the `group` fields in this location is currently considered beta. + normalize: + - array fields: diff --git a/schemas/subsets/main.yml b/schemas/subsets/main.yml index 5185608f29..1fa4ed3644 100644 --- a/schemas/subsets/main.yml +++ b/schemas/subsets/main.yml @@ -141,6 +141,13 @@ fields: fields: id: {} name: {} + attested_user: + fields: + id: {} + name: {} + attested_groups: + fields: + name: {} entry_meta: fields: type: 
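Review bot: the schemas/subsets/main.yml hunk exposes `attested_user` (id, name) and `attested_groups` (name only) under `entry_leader`, while the reuse declarations in schemas/group.yml and schemas/user.yml (`at: process`) and the `nestings` list advertise `process.attested_groups` / `process.attested_user` at the top level; the generated fields in this patch are only `process.entry_leader.attested_*`. Confirm that scope is intended, and either add the top-level fields to the subset or state in the `short_override` that the attested identity is populated on the entry leader. Also confirm that leaving `id` out of `attested_groups` is deliberate: the `short_override` names the Kube API as the source, where groups are name-only, but if other attestation sources carry a group id, `id: {}` next to `name: {}` would give parity with `attested_user`.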
diff --git a/schemas/user.yml b/schemas/user.yml index 4e16664c05..a12f9f9beb 100644 --- a/schemas/user.yml +++ b/schemas/user.yml @@ -54,6 +54,10 @@ as: real_user short_override: The real user (ruid). Identifies the real owner of the process. beta: Reusing the `user` fields in this location is currently considered beta. + - at: process + as: attested_user + short_override: The externally attested user based on an external source such as the Kube API. + beta: Reusing the `user` fields in this location is currently considered beta. type: group fields: From 41ac7c728f38a95d7a9299371d146725a035c198 Mon Sep 17 00:00:00 2001 From: Kylie Geller Date: Tue, 27 Sep 2022 09:25:36 -0400 Subject: [PATCH 039/186] Add vulnerability to event.category (#2029) --- CHANGELOG.next.md | 1 + docs/fields/field-details.asciidoc | 2 +- docs/fields/field-values.asciidoc | 13 +++++++++++++ experimental/generated/ecs/ecs_flat.yml | 6 ++++++ experimental/generated/ecs/ecs_nested.yml | 6 ++++++ generated/ecs/ecs_flat.yml | 6 ++++++ generated/ecs/ecs_nested.yml | 6 ++++++ schemas/event.yml | 5 +++++ 8 files changed, 44 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index bbb750ba35..f178346981 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -16,6 +16,7 @@ Thanks, you're awesome :-) --> #### Added +* Adding `vulnerability` option for `event.catgeory`. #2029 * Added `device.*` field set as beta. #2030 #### Improvements diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index 797c34d30f..7944632967 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc 
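Review bot: the CHANGELOG.next.md hunk misspells the field name: `event.catgeory` should be `event.category`, and the adjacent entry uses past tense, so `* Added \`vulnerability\` option for \`event.category\`. #2029` keeps the list consistent.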
@@ -3241,7 +3241,7 @@ Note: this field should contain an array of values. *Important*: The field value must be one of the following: -authentication, configuration, database, driver, email, file, host, iam, intrusion_detection, malware, network, package, process, registry, session, threat, web +authentication, configuration, database, driver, email, file, host, iam, intrusion_detection, malware, network, package, process, registry, session, threat, vulnerability, web To learn more about when to use which value, visit the page <> diff --git a/docs/fields/field-values.asciidoc b/docs/fields/field-values.asciidoc index 6b8eb3421e..3e784a7279 100644 --- a/docs/fields/field-values.asciidoc +++ b/docs/fields/field-values.asciidoc @@ -148,6 +148,7 @@ This field is an array. This will allow proper categorization of some events tha * <> * <> * <> +* <> * <> [float] @@ -352,6 +353,18 @@ Use this category to visualize and analyze events describing threat actors' targ indicator +[float] +[[ecs-event-category-vulnerability]] +==== vulnerability + +Relating to vulnerability scan results. Use this category to analyze vulnerabilities detected by Tenable, Qualys, internal scanners, and other vulnerability management sources. + + +*Expected event types for category vulnerability:* + +info + + [float] [[ecs-event-category-web]] ==== web diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 64d2d9021f..9853469b7b 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -3091,6 +3091,12 @@ event.category: expected_event_types: - indicator name: threat + - description: Relating to vulnerability scan results. Use this category to analyze + vulnerabilities detected by Tenable, Qualys, internal scanners, and other vulnerability + management sources. + expected_event_types: + - info + name: vulnerability - description: 'Relating to web server access. Use this category to create a dashboard of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: events from network observers such as Zeek http log may also be included in diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index d90a8e8156..d2f8f8e3a7 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -3979,6 +3979,12 @@ event: expected_event_types: - indicator name: threat + - description: Relating to vulnerability scan results. Use this category to + analyze vulnerabilities detected by Tenable, Qualys, internal scanners, + and other vulnerability management sources. + expected_event_types: + - info + name: vulnerability - description: 'Relating to web server access. Use this category to create a dashboard of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: events from network observers such as Zeek http log may also diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 7e76a38f3d..1fd5e16572 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -3022,6 +3022,12 @@ event.category: expected_event_types: - indicator name: threat + - description: Relating to vulnerability scan results. Use this category to analyze + vulnerabilities detected by Tenable, Qualys, internal scanners, and other vulnerability + management sources. + expected_event_types: + - info + name: vulnerability - description: 'Relating to web server access. Use this category to create a dashboard of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: events from network observers such as Zeek http log may also be included in diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 515632615c..eb0432f5d6 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -3899,6 +3899,12 @@ event: expected_event_types: - indicator name: threat + - description: Relating to vulnerability scan results. Use this category to + analyze vulnerabilities detected by Tenable, Qualys, internal scanners, + and other vulnerability management sources. + expected_event_types: + - info + name: vulnerability - description: 'Relating to web server access. Use this category to create a dashboard of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: events from network observers such as Zeek http log may also diff --git a/schemas/event.yml b/schemas/event.yml index 2ed233da1f..497d4e9898 100644 --- a/schemas/event.yml +++ b/schemas/event.yml @@ -335,6 +335,11 @@ Use this category to visualize and analyze events describing threat actors' targets, motives, or behaviors. expected_event_types: - indicator + - name: vulnerability + description: > + Relating to vulnerability scan results. Use this category to analyze vulnerabilities detected by Tenable, Qualys, internal scanners, and other vulnerability management sources. + expected_event_types: + - info - name: web description: > Relating to web server access. Use this category to create a dashboard of 
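Review bot: in the schemas/event.yml hunk the normative description of the new `vulnerability` category hardcodes vendor names (Tenable, Qualys); that list will date and invites requests to add every other scanner. Suggest neutral wording such as "Relating to vulnerability scan results. Use this category to analyze vulnerabilities reported by vulnerability scanners and other vulnerability management sources." and keep product names, if examples are wanted, in the docs page only. The re-wrapped copies in the four generated yml files and in docs/fields/field-values.asciidoc match the source text, so regenerating after the wording change keeps them in sync.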
From 965eb5eaf112c484c1870b0a04eeb04045718a2b Mon Sep 17 00:00:00 2001 
From: Dominic Page <11043991+djptek@users.noreply.github.com> Date: Wed, 28 Sep 2022 15:54:15 +0200 Subject: [PATCH 040/186] SFF 8.6 update ./version file to 8.7.0-dev (#2063) * update ./version file & update artifacts to 8.7.0-dev --- docs/fields/fields.asciidoc | 2 +- docs/index.asciidoc | 2 +- experimental/generated/beats/fields.ecs.yml | 2 +- experimental/generated/csv/fields.csv | 3168 ++++++++--------- .../composable/component/agent.json | 2 +- .../composable/component/base.json | 2 +- .../composable/component/cgroup.json | 2 +- .../composable/component/client.json | 2 +- .../composable/component/cloud.json | 2 +- .../composable/component/container.json | 2 +- .../composable/component/data_stream.json | 2 +- .../composable/component/destination.json | 2 +- .../composable/component/device.json | 2 +- .../composable/component/dll.json | 2 +- .../composable/component/dns.json | 2 +- .../composable/component/ecs.json | 2 +- .../composable/component/email.json | 2 +- .../composable/component/error.json | 2 +- .../composable/component/event.json | 2 +- .../composable/component/faas.json | 2 +- .../composable/component/file.json | 2 +- .../composable/component/group.json | 2 +- .../composable/component/host.json | 2 +- .../composable/component/http.json | 2 +- .../composable/component/log.json | 2 +- .../composable/component/network.json | 2 +- .../composable/component/observer.json | 2 +- .../composable/component/orchestrator.json | 2 +- .../composable/component/organization.json | 2 +- .../composable/component/package.json | 2 +- .../composable/component/process.json | 2 +- .../composable/component/registry.json | 2 +- .../composable/component/related.json | 2 +- .../composable/component/rule.json | 2 +- .../composable/component/server.json | 2 +- .../composable/component/service.json | 2 +- .../composable/component/source.json | 2 +- .../composable/component/threat.json | 2 +- .../composable/component/tls.json | 2 +- .../composable/component/tracing.json | 2 +- 
.../composable/component/url.json | 2 +- .../composable/component/user.json | 2 +- .../composable/component/user_agent.json | 2 +- .../composable/component/vulnerability.json | 2 +- .../elasticsearch/composable/template.json | 82 +- .../elasticsearch/legacy/template.json | 2 +- generated/beats/fields.ecs.yml | 2 +- generated/csv/fields.csv | 3154 ++++++++-------- .../composable/component/agent.json | 2 +- .../composable/component/base.json | 2 +- .../composable/component/client.json | 2 +- .../composable/component/cloud.json | 2 +- .../composable/component/container.json | 2 +- .../composable/component/data_stream.json | 2 +- .../composable/component/destination.json | 2 +- .../composable/component/device.json | 2 +- .../composable/component/dll.json | 2 +- .../composable/component/dns.json | 2 +- .../composable/component/ecs.json | 2 +- .../composable/component/email.json | 2 +- .../composable/component/error.json | 2 +- .../composable/component/event.json | 2 +- .../composable/component/faas.json | 2 +- .../composable/component/file.json | 2 +- .../composable/component/group.json | 2 +- .../composable/component/host.json | 2 +- .../composable/component/http.json | 2 +- .../composable/component/log.json | 2 +- .../composable/component/network.json | 2 +- .../composable/component/observer.json | 2 +- .../composable/component/orchestrator.json | 2 +- .../composable/component/organization.json | 2 +- .../composable/component/package.json | 2 +- .../composable/component/process.json | 2 +- .../composable/component/registry.json | 2 +- .../composable/component/related.json | 2 +- .../composable/component/rule.json | 2 +- .../composable/component/server.json | 2 +- .../composable/component/service.json | 2 +- .../composable/component/source.json | 2 +- .../composable/component/threat.json | 2 +- .../composable/component/tls.json | 2 +- .../composable/component/tracing.json | 2 +- .../composable/component/url.json | 2 +- .../composable/component/user.json | 2 +- 
.../composable/component/user_agent.json | 2 +- .../composable/component/vulnerability.json | 2 +- .../elasticsearch/composable/template.json | 80 +- generated/elasticsearch/legacy/template.json | 2 +- version | 2 +- 90 files changed, 3328 insertions(+), 3328 deletions(-) diff --git a/docs/fields/fields.asciidoc b/docs/fields/fields.asciidoc index bcfe711552..b64367d443 100644 --- a/docs/fields/fields.asciidoc +++ b/docs/fields/fields.asciidoc @@ -1,7 +1,7 @@ [[ecs-field-reference]] == {ecs} Field Reference -This is the documentation of ECS version 8.6.0-dev. +This is the documentation of ECS version 8.7.0-dev. ECS defines multiple groups of related fields. They are called "field sets". The <> field set is the only one whose fields are defined diff --git a/docs/index.asciidoc b/docs/index.asciidoc index c864468e22..2e6965fcc9 100644 --- a/docs/index.asciidoc +++ b/docs/index.asciidoc @@ -13,7 +13,7 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[] [[ecs-reference]] == Overview -This is the documentation of ECS version 8.6.0-dev. +This is the documentation of ECS version 8.7.0-dev. [float] === What is ECS? diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 5532c2688c..ade4eec2d7 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -1,5 +1,5 @@ # WARNING! Do not edit this file directly, it was generated by the ECS project, -# based on ECS version 8.6.0-dev+exp. +# based on ECS version 8.7.0-dev+exp. # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields. - key: ecs diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 463cc2bf10..babe1d61e7 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
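Review bot: the docs/fields/fields.asciidoc and docs/index.asciidoc hunks each change a hand-maintained copy of the same sentence ("This is the documentation of ECS version 8.7.0-dev."); since the `version` file is bumped in this same patch, consider emitting that sentence from a generated attribute so the next freeze touches one place. For the regenerated CSV hunks that follow (1585 rows per file), verify that only the ECS_Version column differs, for instance by diffing the two revisions with the first column cut, so that an unrelated field change cannot hide inside a 3000-line version bump.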
@@ -1,1585 +1,1585 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description -8.6.0-dev+exp,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. -8.6.0-dev+exp,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. -8.6.0-dev+exp,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer. -8.6.0-dev+exp,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. -8.6.0-dev+exp,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. -8.6.0-dev+exp,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. -8.6.0-dev+exp,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. -8.6.0-dev+exp,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. -8.6.0-dev+exp,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. -8.6.0-dev+exp,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. -8.6.0-dev+exp,true,cgroup,cgroup.cpu.periods,long,extended,,454839343,Number of period intervals that have elapsed. -8.6.0-dev+exp,true,cgroup,cgroup.cpu.throttled.us,long,extended,,15000,Microseconds of CPU throttled time. -8.6.0-dev+exp,true,cgroup,cgroup.cpu.usage,scaled_float,extended,,,"CPU usage, normalized by the CPU count." -8.6.0-dev+exp,true,cgroup,cgroup.memory.limit,long,extended,,256,Memory limit within the cgroup. -8.6.0-dev+exp,true,cgroup,cgroup.memory.swap.usage,long,extended,,5600,The amount of cgroup memory in swap. 
-8.6.0-dev+exp,true,cgroup,cgroup.memory.usage,long,extended,,25600,Memory usage in bytes -8.6.0-dev+exp,true,cgroup,cgroup.version,long,extended,,,The cgroup version linked to the metrics -8.6.0-dev+exp,true,client,client.address,keyword,extended,,,Client network address. -8.6.0-dev+exp,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.6.0-dev+exp,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.6.0-dev+exp,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.6.0-dev+exp,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. -8.6.0-dev+exp,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client. -8.6.0-dev+exp,true,client,client.geo.city_name,keyword,core,,Montreal,City name. -8.6.0-dev+exp,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. -8.6.0-dev+exp,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. -8.6.0-dev+exp,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.6.0-dev+exp,true,client,client.geo.country_name,keyword,core,,Canada,Country name. -8.6.0-dev+exp,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.6.0-dev+exp,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.6.0-dev+exp,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. -8.6.0-dev+exp,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.6.0-dev+exp,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. -8.6.0-dev+exp,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.6.0-dev+exp,true,client,client.ip,ip,core,,,IP address of the client. 
-8.6.0-dev+exp,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. -8.6.0-dev+exp,true,client,client.nat.ip,ip,extended,,,Client NAT ip address -8.6.0-dev+exp,true,client,client.nat.port,long,extended,,,Client NAT port -8.6.0-dev+exp,true,client,client.packets,long,core,,12,Packets sent from the client to the server. -8.6.0-dev+exp,true,client,client.port,long,core,,,Port of the client. -8.6.0-dev+exp,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." -8.6.0-dev+exp,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. -8.6.0-dev+exp,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.6.0-dev+exp,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.6.0-dev+exp,true,client,client.user.email,keyword,extended,,,User email address. -8.6.0-dev+exp,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.6.0-dev+exp,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.6.0-dev+exp,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.6.0-dev+exp,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev+exp,true,client,client.user.group.name,keyword,extended,,,Name of the group. -8.6.0-dev+exp,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.6.0-dev+exp,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev+exp,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. 
-8.6.0-dev+exp,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,client,client.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev+exp,true,client,client.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev+exp,true,client,client.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.6.0-dev+exp,true,client,client.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev+exp,true,client,client.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev+exp,true,client,client.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -8.6.0-dev+exp,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.6.0-dev+exp,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. -8.6.0-dev+exp,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. -8.6.0-dev+exp,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -8.6.0-dev+exp,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -8.6.0-dev+exp,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. 
-8.6.0-dev+exp,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.6.0-dev+exp,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. -8.6.0-dev+exp,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. -8.6.0-dev+exp,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -8.6.0-dev+exp,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -8.6.0-dev+exp,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine. -8.6.0-dev+exp,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.6.0-dev+exp,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id. -8.6.0-dev+exp,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name. -8.6.0-dev+exp,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider. -8.6.0-dev+exp,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -8.6.0-dev+exp,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name. -8.6.0-dev+exp,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. -8.6.0-dev+exp,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. -8.6.0-dev+exp,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. -8.6.0-dev+exp,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -8.6.0-dev+exp,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. -8.6.0-dev+exp,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id. 
-8.6.0-dev+exp,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name. -8.6.0-dev+exp,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -8.6.0-dev+exp,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -8.6.0-dev+exp,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine. -8.6.0-dev+exp,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.6.0-dev+exp,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id. -8.6.0-dev+exp,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name. -8.6.0-dev+exp,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider. -8.6.0-dev+exp,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -8.6.0-dev+exp,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name. -8.6.0-dev+exp,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -8.6.0-dev+exp,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -8.6.0-dev+exp,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -8.6.0-dev+exp,true,container,container.id,keyword,core,,,Unique container id. -8.6.0-dev+exp,true,container,container.image.hash.all,keyword,extended,array,[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26],An array of digests of the image the container was built on. -8.6.0-dev+exp,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. -8.6.0-dev+exp,true,container,container.image.tag,keyword,extended,array,,Container image tags. 
-8.6.0-dev+exp,true,container,container.labels,object,extended,,,Image labels. -8.6.0-dev+exp,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1." -8.6.0-dev+exp,true,container,container.name,keyword,extended,,,Container name. -8.6.0-dev+exp,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. -8.6.0-dev+exp,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -8.6.0-dev+exp,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. -8.6.0-dev+exp,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. -8.6.0-dev+exp,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. -8.6.0-dev+exp,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. -8.6.0-dev+exp,true,destination,destination.address,keyword,extended,,,Destination network address. -8.6.0-dev+exp,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.6.0-dev+exp,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.6.0-dev+exp,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.6.0-dev+exp,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. -8.6.0-dev+exp,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination. -8.6.0-dev+exp,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. -8.6.0-dev+exp,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. 
-8.6.0-dev+exp,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. -8.6.0-dev+exp,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.6.0-dev+exp,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. -8.6.0-dev+exp,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.6.0-dev+exp,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.6.0-dev+exp,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. -8.6.0-dev+exp,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.6.0-dev+exp,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. -8.6.0-dev+exp,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.6.0-dev+exp,true,destination,destination.ip,ip,core,,,IP address of the destination. -8.6.0-dev+exp,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. -8.6.0-dev+exp,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip -8.6.0-dev+exp,true,destination,destination.nat.port,long,extended,,,Destination NAT Port -8.6.0-dev+exp,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. -8.6.0-dev+exp,true,destination,destination.port,long,core,,,Port of the destination. -8.6.0-dev+exp,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." -8.6.0-dev+exp,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. -8.6.0-dev+exp,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 
-8.6.0-dev+exp,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.6.0-dev+exp,true,destination,destination.user.email,keyword,extended,,,User email address. -8.6.0-dev+exp,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.6.0-dev+exp,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.6.0-dev+exp,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.6.0-dev+exp,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev+exp,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. -8.6.0-dev+exp,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.6.0-dev+exp,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev+exp,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,destination,destination.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev+exp,true,destination,destination.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev+exp,true,destination,destination.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 
-8.6.0-dev+exp,true,destination,destination.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev+exp,true,destination,destination.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev+exp,true,destination,destination.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -8.6.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.6.0-dev+exp,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. -8.6.0-dev+exp,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. -8.6.0-dev+exp,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. -8.6.0-dev+exp,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. -8.6.0-dev+exp,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.6.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.6.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.6.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
-8.6.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.6.0-dev+exp,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.6.0-dev+exp,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.6.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.6.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.6.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. -8.6.0-dev+exp,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. -8.6.0-dev+exp,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. -8.6.0-dev+exp,true,dll,dll.hash.sha384,keyword,extended,,,SHA384 hash. -8.6.0-dev+exp,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. -8.6.0-dev+exp,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.6.0-dev+exp,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. -8.6.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. -8.6.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. -8.6.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.6.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.6.0-dev+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.6.0-dev+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.6.0-dev+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. 
-8.6.0-dev+exp,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.6.0-dev+exp,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.6.0-dev+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.6.0-dev+exp,true,dns,dns.answers,object,extended,array,,Array of DNS answers. -8.6.0-dev+exp,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. -8.6.0-dev+exp,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. -8.6.0-dev+exp,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. -8.6.0-dev+exp,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. -8.6.0-dev+exp,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. -8.6.0-dev+exp,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. -8.6.0-dev+exp,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. -8.6.0-dev+exp,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. -8.6.0-dev+exp,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. -8.6.0-dev+exp,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. -8.6.0-dev+exp,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." 
-8.6.0-dev+exp,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. -8.6.0-dev+exp,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.6.0-dev+exp,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. -8.6.0-dev+exp,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data -8.6.0-dev+exp,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. -8.6.0-dev+exp,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." -8.6.0-dev+exp,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. -8.6.0-dev+exp,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. -8.6.0-dev+exp,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. -8.6.0-dev+exp,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. -8.6.0-dev+exp,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.6.0-dev+exp,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.6.0-dev+exp,true,email,email.attachments.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.6.0-dev+exp,true,email,email.attachments.file.hash.sha512,keyword,extended,,,SHA512 hash. -8.6.0-dev+exp,true,email,email.attachments.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.6.0-dev+exp,true,email,email.attachments.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.6.0-dev+exp,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file. -8.6.0-dev+exp,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file. -8.6.0-dev+exp,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size. 
-8.6.0-dev+exp,true,email,email.bcc.address,keyword,extended,array,bcc.user1@example.com,Email address of BCC recipient -8.6.0-dev+exp,true,email,email.cc.address,keyword,extended,array,cc.user1@example.com,Email address of CC recipient -8.6.0-dev+exp,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message. -8.6.0-dev+exp,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered. -8.6.0-dev+exp,true,email,email.direction,keyword,extended,,inbound,Direction of the message. -8.6.0-dev+exp,true,email,email.from.address,keyword,extended,array,sender@example.com,The sender's email address. -8.6.0-dev+exp,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source. -8.6.0-dev+exp,true,email,email.message_id,wildcard,extended,,81ce15$8r2j59@mail01.example.com,Value from the Message-ID header. -8.6.0-dev+exp,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed. -8.6.0-dev+exp,true,email,email.reply_to.address,keyword,extended,array,reply.here@example.com,Address replies should be delivered to. -8.6.0-dev+exp,true,email,email.sender.address,keyword,extended,,,Address of the message sender. -8.6.0-dev+exp,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message. -8.6.0-dev+exp,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. -8.6.0-dev+exp,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient -8.6.0-dev+exp,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. -8.6.0-dev+exp,true,error,error.code,keyword,core,,,Error code describing the error. -8.6.0-dev+exp,true,error,error.id,keyword,core,,,Unique identifier for the error. 
-8.6.0-dev+exp,true,error,error.message,match_only_text,core,,,Error message. -8.6.0-dev+exp,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. -8.6.0-dev+exp,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text. -8.6.0-dev+exp,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." -8.6.0-dev+exp,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. -8.6.0-dev+exp,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. -8.6.0-dev+exp,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. -8.6.0-dev+exp,true,event,event.code,keyword,extended,,4648,Identification code for this event. -8.6.0-dev+exp,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. -8.6.0-dev+exp,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. -8.6.0-dev+exp,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. -8.6.0-dev+exp,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. -8.6.0-dev+exp,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. -8.6.0-dev+exp,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. -8.6.0-dev+exp,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. -8.6.0-dev+exp,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. 
-8.6.0-dev+exp,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. -8.6.0-dev+exp,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. -8.6.0-dev+exp,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. -8.6.0-dev+exp,true,event,event.provider,keyword,extended,,kernel,Source of the event. -8.6.0-dev+exp,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" -8.6.0-dev+exp,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL -8.6.0-dev+exp,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. -8.6.0-dev+exp,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). -8.6.0-dev+exp,true,event,event.sequence,long,extended,,,Sequence number of the event. -8.6.0-dev+exp,true,event,event.severity,long,core,,7,Numeric severity of the event. -8.6.0-dev+exp,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. -8.6.0-dev+exp,true,event,event.timezone,keyword,extended,,,Event time zone. -8.6.0-dev+exp,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. -8.6.0-dev+exp,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL -8.6.0-dev+exp,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function. 
-8.6.0-dev+exp,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. -8.6.0-dev+exp,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. -8.6.0-dev+exp,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. -8.6.0-dev+exp,true,faas,faas.trigger,nested,extended,,,Details about the function trigger. -8.6.0-dev+exp,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." -8.6.0-dev+exp,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. -8.6.0-dev+exp,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. -8.6.0-dev+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed. -8.6.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.6.0-dev+exp,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.6.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.6.0-dev+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.6.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.6.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.6.0-dev+exp,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.6.0-dev+exp,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 
-8.6.0-dev+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.6.0-dev+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.6.0-dev+exp,true,file,file.created,date,extended,,,File creation time. -8.6.0-dev+exp,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.6.0-dev+exp,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. -8.6.0-dev+exp,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.6.0-dev+exp,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.6.0-dev+exp,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.6.0-dev+exp,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.6.0-dev+exp,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.6.0-dev+exp,true,file,file.elf.creation_date,date,extended,,,Build or compile date. -8.6.0-dev+exp,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.6.0-dev+exp,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.6.0-dev+exp,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.6.0-dev+exp,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.6.0-dev+exp,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.6.0-dev+exp,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.6.0-dev+exp,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. 
-8.6.0-dev+exp,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.6.0-dev+exp,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.6.0-dev+exp,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. -8.6.0-dev+exp,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. -8.6.0-dev+exp,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.6.0-dev+exp,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.6.0-dev+exp,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.6.0-dev+exp,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.6.0-dev+exp,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.6.0-dev+exp,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.6.0-dev+exp,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.6.0-dev+exp,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.6.0-dev+exp,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.6.0-dev+exp,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. -8.6.0-dev+exp,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.6.0-dev+exp,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.6.0-dev+exp,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.6.0-dev+exp,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.6.0-dev+exp,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." 
-8.6.0-dev+exp,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.6.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.6.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file. -8.6.0-dev+exp,true,file,file.hash.md5,keyword,extended,,,MD5 hash. -8.6.0-dev+exp,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. -8.6.0-dev+exp,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. -8.6.0-dev+exp,true,file,file.hash.sha384,keyword,extended,,,SHA384 hash. -8.6.0-dev+exp,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. -8.6.0-dev+exp,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.6.0-dev+exp,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. -8.6.0-dev+exp,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.6.0-dev+exp,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.6.0-dev+exp,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. -8.6.0-dev+exp,true,file,file.mtime,date,extended,,,Last time the file content was modified. -8.6.0-dev+exp,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.6.0-dev+exp,true,file,file.owner,keyword,extended,,alice,File owner's username. -8.6.0-dev+exp,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.6.0-dev+exp,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.6.0-dev+exp,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.6.0-dev+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 
-8.6.0-dev+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.6.0-dev+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.6.0-dev+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.6.0-dev+exp,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.6.0-dev+exp,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.6.0-dev+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.6.0-dev+exp,true,file,file.size,long,extended,,16384,File size in bytes. -8.6.0-dev+exp,true,file,file.target_path,keyword,extended,,,Target path for symlinks. -8.6.0-dev+exp,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.6.0-dev+exp,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -8.6.0-dev+exp,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.6.0-dev+exp,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.6.0-dev+exp,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.6.0-dev+exp,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.6.0-dev+exp,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
-8.6.0-dev+exp,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.6.0-dev+exp,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.6.0-dev+exp,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.6.0-dev+exp,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.6.0-dev+exp,true,file,file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.6.0-dev+exp,true,file,file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.6.0-dev+exp,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.6.0-dev+exp,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.6.0-dev+exp,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.6.0-dev+exp,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.6.0-dev+exp,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.6.0-dev+exp,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.6.0-dev+exp,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
-8.6.0-dev+exp,true,file,file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.6.0-dev+exp,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.6.0-dev+exp,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.6.0-dev+exp,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.6.0-dev+exp,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.6.0-dev+exp,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.6.0-dev+exp,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.6.0-dev+exp,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.6.0-dev+exp,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev+exp,true,group,group.name,keyword,extended,,,Name of the group. -8.6.0-dev+exp,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. -8.6.0-dev+exp,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id -8.6.0-dev+exp,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -8.6.0-dev+exp,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -8.6.0-dev+exp,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -8.6.0-dev+exp,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. -8.6.0-dev+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name. 
-8.6.0-dev+exp,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. -8.6.0-dev+exp,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. -8.6.0-dev+exp,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.6.0-dev+exp,true,host,host.geo.country_name,keyword,core,,Canada,Country name. -8.6.0-dev+exp,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.6.0-dev+exp,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.6.0-dev+exp,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. -8.6.0-dev+exp,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.6.0-dev+exp,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. -8.6.0-dev+exp,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.6.0-dev+exp,true,host,host.hostname,keyword,core,,,Hostname of the host. -8.6.0-dev+exp,true,host,host.id,keyword,core,,,Unique host id. -8.6.0-dev+exp,true,host,host.ip,ip,core,array,,Host ip addresses. -8.6.0-dev+exp,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. -8.6.0-dev+exp,true,host,host.name,keyword,core,,,Name of the host. -8.6.0-dev+exp,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. -8.6.0-dev+exp,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. -8.6.0-dev+exp,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -8.6.0-dev+exp,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. -8.6.0-dev+exp,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 
-8.6.0-dev+exp,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.6.0-dev+exp,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.6.0-dev+exp,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -8.6.0-dev+exp,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.6.0-dev+exp,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.6.0-dev+exp,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.6.0-dev+exp,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -8.6.0-dev+exp,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.6.0-dev+exp,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode -8.6.0-dev+exp,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev+exp,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev+exp,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.6.0-dev+exp,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 
-8.6.0-dev+exp,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev+exp,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -8.6.0-dev+exp,true,host,host.type,keyword,core,,,Type of host. -8.6.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. -8.6.0-dev+exp,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. -8.6.0-dev+exp,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. -8.6.0-dev+exp,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body. -8.6.0-dev+exp,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). -8.6.0-dev+exp,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. -8.6.0-dev+exp,true,http,http.request.method,keyword,extended,,POST,HTTP request method. -8.6.0-dev+exp,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. -8.6.0-dev+exp,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. -8.6.0-dev+exp,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. -8.6.0-dev+exp,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. -8.6.0-dev+exp,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body. -8.6.0-dev+exp,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). -8.6.0-dev+exp,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. 
-8.6.0-dev+exp,true,http,http.response.status_code,long,extended,,404,HTTP response status code. -8.6.0-dev+exp,true,http,http.version,keyword,extended,,1.1,HTTP version. -8.6.0-dev+exp,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. -8.6.0-dev+exp,true,log,log.level,keyword,core,,error,Log level of the log event. -8.6.0-dev+exp,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. -8.6.0-dev+exp,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event. -8.6.0-dev+exp,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. -8.6.0-dev+exp,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. -8.6.0-dev+exp,true,log,log.syslog,object,extended,,,Syslog metadata -8.6.0-dev+exp,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. -8.6.0-dev+exp,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. -8.6.0-dev+exp,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. -8.6.0-dev+exp,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. -8.6.0-dev+exp,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. -8.6.0-dev+exp,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. -8.6.0-dev+exp,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. -8.6.0-dev+exp,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. -8.6.0-dev+exp,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. 
-8.6.0-dev+exp,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages. -8.6.0-dev+exp,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. -8.6.0-dev+exp,true,network,network.application,keyword,extended,,aim,Application level protocol name. -8.6.0-dev+exp,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. -8.6.0-dev+exp,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. -8.6.0-dev+exp,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. -8.6.0-dev+exp,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. -8.6.0-dev+exp,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. -8.6.0-dev+exp,true,network,network.inner,object,extended,,,Inner VLAN tag information -8.6.0-dev+exp,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.6.0-dev+exp,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.6.0-dev+exp,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. -8.6.0-dev+exp,true,network,network.packets,long,core,,24,Total packets transferred in both directions. -8.6.0-dev+exp,true,network,network.protocol,keyword,core,,http,Application protocol name. -8.6.0-dev+exp,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. -8.6.0-dev+exp,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" -8.6.0-dev+exp,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.6.0-dev+exp,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. 
-8.6.0-dev+exp,true,observer,observer.egress,object,extended,,,Object field for egress information -8.6.0-dev+exp,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias -8.6.0-dev+exp,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID -8.6.0-dev+exp,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name -8.6.0-dev+exp,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.6.0-dev+exp,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.6.0-dev+exp,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone -8.6.0-dev+exp,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. -8.6.0-dev+exp,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. -8.6.0-dev+exp,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. -8.6.0-dev+exp,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.6.0-dev+exp,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. -8.6.0-dev+exp,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.6.0-dev+exp,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.6.0-dev+exp,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. -8.6.0-dev+exp,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.6.0-dev+exp,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. -8.6.0-dev+exp,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.6.0-dev+exp,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. 
-8.6.0-dev+exp,true,observer,observer.ingress,object,extended,,,Object field for ingress information -8.6.0-dev+exp,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias -8.6.0-dev+exp,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID -8.6.0-dev+exp,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name -8.6.0-dev+exp,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.6.0-dev+exp,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.6.0-dev+exp,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone -8.6.0-dev+exp,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. -8.6.0-dev+exp,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. -8.6.0-dev+exp,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. -8.6.0-dev+exp,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.6.0-dev+exp,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.6.0-dev+exp,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.6.0-dev+exp,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -8.6.0-dev+exp,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.6.0-dev+exp,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.6.0-dev+exp,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." 
-8.6.0-dev+exp,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -8.6.0-dev+exp,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.6.0-dev+exp,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. -8.6.0-dev+exp,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. -8.6.0-dev+exp,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. -8.6.0-dev+exp,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. -8.6.0-dev+exp,true,observer,observer.version,keyword,core,,,Observer version. -8.6.0-dev+exp,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action -8.6.0-dev+exp,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster. -8.6.0-dev+exp,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster. -8.6.0-dev+exp,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster. -8.6.0-dev+exp,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. -8.6.0-dev+exp,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. -8.6.0-dev+exp,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). -8.6.0-dev+exp,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. -8.6.0-dev+exp,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. 
-8.6.0-dev+exp,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. -8.6.0-dev+exp,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. -8.6.0-dev+exp,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. -8.6.0-dev+exp,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)." -8.6.0-dev+exp,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. -8.6.0-dev+exp,true,organization,organization.name,keyword,extended,,,Organization name. -8.6.0-dev+exp,true,organization,organization.name.text,match_only_text,extended,,,Organization name. -8.6.0-dev+exp,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. -8.6.0-dev+exp,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information -8.6.0-dev+exp,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. -8.6.0-dev+exp,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. -8.6.0-dev+exp,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." -8.6.0-dev+exp,true,package,package.installed,date,extended,,,Time when package was installed. -8.6.0-dev+exp,true,package,package.license,keyword,extended,,Apache License 2.0,Package license -8.6.0-dev+exp,true,package,package.name,keyword,extended,,go,Package name -8.6.0-dev+exp,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. 
-8.6.0-dev+exp,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL -8.6.0-dev+exp,true,package,package.size,long,extended,,62231,Package size in bytes. -8.6.0-dev+exp,true,package,package.type,keyword,extended,,rpm,Package type -8.6.0-dev+exp,true,package,package.version,keyword,extended,,1.12.9,Package version -8.6.0-dev+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.6.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array. -8.6.0-dev+exp,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.6.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.6.0-dev+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.6.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.6.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.6.0-dev+exp,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.6.0-dev+exp,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.6.0-dev+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.6.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 
-8.6.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.6.0-dev+exp,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.6.0-dev+exp,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.6.0-dev+exp,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.6.0-dev+exp,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.6.0-dev+exp,true,process,process.elf.creation_date,date,extended,,,Build or compile date. -8.6.0-dev+exp,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. -8.6.0-dev+exp,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.6.0-dev+exp,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.6.0-dev+exp,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.6.0-dev+exp,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.6.0-dev+exp,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.6.0-dev+exp,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.6.0-dev+exp,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.6.0-dev+exp,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. -8.6.0-dev+exp,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. -8.6.0-dev+exp,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. 
-8.6.0-dev+exp,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.6.0-dev+exp,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.6.0-dev+exp,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.6.0-dev+exp,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. -8.6.0-dev+exp,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.6.0-dev+exp,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.6.0-dev+exp,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. -8.6.0-dev+exp,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.6.0-dev+exp,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.6.0-dev+exp,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. -8.6.0-dev+exp,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.6.0-dev+exp,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. -8.6.0-dev+exp,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.6.0-dev+exp,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.6.0-dev+exp,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -8.6.0-dev+exp,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.6.0-dev+exp,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.6.0-dev+exp,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. 
-8.6.0-dev+exp,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group. -8.6.0-dev+exp,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev+exp,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,process,process.entry_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.6.0-dev+exp,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.6.0-dev+exp,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.6.0-dev+exp,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. -8.6.0-dev+exp,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. -8.6.0-dev+exp,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.6.0-dev+exp,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.6.0-dev+exp,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev+exp,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. -8.6.0-dev+exp,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.6.0-dev+exp,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. 
-8.6.0-dev+exp,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. -8.6.0-dev+exp,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.6.0-dev+exp,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. -8.6.0-dev+exp,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.6.0-dev+exp,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. -8.6.0-dev+exp,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.6.0-dev+exp,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.6.0-dev+exp,true,process,process.entry_leader.pid,long,core,,4242,Process id. -8.6.0-dev+exp,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev+exp,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. -8.6.0-dev+exp,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev+exp,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -8.6.0-dev+exp,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-8.6.0-dev+exp,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. -8.6.0-dev+exp,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev+exp,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.6.0-dev+exp,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev+exp,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.6.0-dev+exp,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. -8.6.0-dev+exp,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.6.0-dev+exp,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.6.0-dev+exp,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev+exp,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.6.0-dev+exp,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. 
-8.6.0-dev+exp,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. -8.6.0-dev+exp,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.6.0-dev+exp,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.6.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process. -8.6.0-dev+exp,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.6.0-dev+exp,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. -8.6.0-dev+exp,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.6.0-dev+exp,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.6.0-dev+exp,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.6.0-dev+exp,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.6.0-dev+exp,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.6.0-dev+exp,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev+exp,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. -8.6.0-dev+exp,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.6.0-dev+exp,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. 
-8.6.0-dev+exp,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. -8.6.0-dev+exp,true,process,process.group_leader.pid,long,core,,4242,Process id. -8.6.0-dev+exp,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev+exp,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. -8.6.0-dev+exp,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev+exp,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -8.6.0-dev+exp,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev+exp,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. -8.6.0-dev+exp,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev+exp,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.6.0-dev+exp,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-8.6.0-dev+exp,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.6.0-dev+exp,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. -8.6.0-dev+exp,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.6.0-dev+exp,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.6.0-dev+exp,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev+exp,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.6.0-dev+exp,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.6.0-dev+exp,true,process,process.hash.md5,keyword,extended,,,MD5 hash. -8.6.0-dev+exp,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. -8.6.0-dev+exp,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. -8.6.0-dev+exp,true,process,process.hash.sha384,keyword,extended,,,SHA384 hash. -8.6.0-dev+exp,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. -8.6.0-dev+exp,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.6.0-dev+exp,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. -8.6.0-dev+exp,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.6.0-dev+exp,true,process,process.name,keyword,extended,,ssh,Process name. 
-8.6.0-dev+exp,true,process,process.name.text,match_only_text,extended,,ssh,Process name. -8.6.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.6.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. -8.6.0-dev+exp,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.6.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.6.0-dev+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.6.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.6.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.6.0-dev+exp,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.6.0-dev+exp,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.6.0-dev+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.6.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.6.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.6.0-dev+exp,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
-8.6.0-dev+exp,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.6.0-dev+exp,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.6.0-dev+exp,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.6.0-dev+exp,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. -8.6.0-dev+exp,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. -8.6.0-dev+exp,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.6.0-dev+exp,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.6.0-dev+exp,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.6.0-dev+exp,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.6.0-dev+exp,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.6.0-dev+exp,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.6.0-dev+exp,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.6.0-dev+exp,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. -8.6.0-dev+exp,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. -8.6.0-dev+exp,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. -8.6.0-dev+exp,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. 
-8.6.0-dev+exp,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.6.0-dev+exp,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.6.0-dev+exp,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. -8.6.0-dev+exp,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.6.0-dev+exp,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.6.0-dev+exp,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. -8.6.0-dev+exp,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.6.0-dev+exp,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.6.0-dev+exp,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. -8.6.0-dev+exp,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.6.0-dev+exp,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. -8.6.0-dev+exp,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.6.0-dev+exp,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.6.0-dev+exp,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -8.6.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.6.0-dev+exp,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.6.0-dev+exp,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 
-8.6.0-dev+exp,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. -8.6.0-dev+exp,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev+exp,true,process,process.parent.group.name,keyword,extended,,,Name of the group. -8.6.0-dev+exp,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.6.0-dev+exp,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. -8.6.0-dev+exp,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.6.0-dev+exp,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. -8.6.0-dev+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. -8.6.0-dev+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. -8.6.0-dev+exp,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash. -8.6.0-dev+exp,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. -8.6.0-dev+exp,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.6.0-dev+exp,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. -8.6.0-dev+exp,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.6.0-dev+exp,true,process,process.parent.name,keyword,extended,,ssh,Process name. -8.6.0-dev+exp,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. -8.6.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.6.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 
-8.6.0-dev+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.6.0-dev+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.6.0-dev+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.6.0-dev+exp,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.6.0-dev+exp,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.6.0-dev+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.6.0-dev+exp,true,process,process.parent.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. -8.6.0-dev+exp,true,process,process.parent.pid,long,core,,4242,Process id. -8.6.0-dev+exp,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev+exp,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. -8.6.0-dev+exp,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev+exp,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev+exp,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group. 
-8.6.0-dev+exp,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev+exp,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.6.0-dev+exp,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev+exp,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. -8.6.0-dev+exp,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. -8.6.0-dev+exp,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. -8.6.0-dev+exp,true,process,process.parent.title,keyword,extended,,,Process title. -8.6.0-dev+exp,true,process,process.parent.title.text,match_only_text,extended,,,Process title. -8.6.0-dev+exp,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. -8.6.0-dev+exp,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.6.0-dev+exp,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.6.0-dev+exp,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. -8.6.0-dev+exp,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev+exp,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
-8.6.0-dev+exp,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.6.0-dev+exp,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.6.0-dev+exp,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.6.0-dev+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.6.0-dev+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.6.0-dev+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.6.0-dev+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.6.0-dev+exp,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.6.0-dev+exp,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.6.0-dev+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.6.0-dev+exp,true,process,process.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. -8.6.0-dev+exp,true,process,process.pid,long,core,,4242,Process id. -8.6.0-dev+exp,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.6.0-dev+exp,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. -8.6.0-dev+exp,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 
-8.6.0-dev+exp,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.6.0-dev+exp,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev+exp,true,process,process.real_group.name,keyword,extended,,,Name of the group. -8.6.0-dev+exp,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev+exp,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev+exp,true,process,process.saved_group.name,keyword,extended,,,Name of the group. -8.6.0-dev+exp,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev+exp,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.6.0-dev+exp,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array. -8.6.0-dev+exp,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.6.0-dev+exp,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
-8.6.0-dev+exp,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.6.0-dev+exp,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.6.0-dev+exp,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.6.0-dev+exp,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev+exp,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. -8.6.0-dev+exp,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.6.0-dev+exp,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. -8.6.0-dev+exp,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. -8.6.0-dev+exp,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.6.0-dev+exp,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. -8.6.0-dev+exp,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.6.0-dev+exp,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. -8.6.0-dev+exp,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.6.0-dev+exp,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.6.0-dev+exp,true,process,process.session_leader.pid,long,core,,4242,Process id. -8.6.0-dev+exp,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-8.6.0-dev+exp,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. -8.6.0-dev+exp,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev+exp,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -8.6.0-dev+exp,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev+exp,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group. -8.6.0-dev+exp,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev+exp,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.6.0-dev+exp,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev+exp,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.6.0-dev+exp,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. 
-8.6.0-dev+exp,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.6.0-dev+exp,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.6.0-dev+exp,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev+exp,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.6.0-dev+exp,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.6.0-dev+exp,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.6.0-dev+exp,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev+exp,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. -8.6.0-dev+exp,true,process,process.thread.id,long,extended,,4242,Thread ID. -8.6.0-dev+exp,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. -8.6.0-dev+exp,true,process,process.title,keyword,extended,,,Process title. -8.6.0-dev+exp,true,process,process.title.text,match_only_text,extended,,,Process title. -8.6.0-dev+exp,true,process,process.tty,object,extended,,,Information about the controlling TTY device. -8.6.0-dev+exp,true,process,process.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.6.0-dev+exp,true,process,process.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. 
-8.6.0-dev+exp,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width -8.6.0-dev+exp,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height -8.6.0-dev+exp,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. -8.6.0-dev+exp,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev+exp,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.6.0-dev+exp,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.6.0-dev+exp,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.6.0-dev+exp,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -8.6.0-dev+exp,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.6.0-dev+exp,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.6.0-dev+exp,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -8.6.0-dev+exp,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.6.0-dev+exp,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. 
-8.6.0-dev+exp,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. -8.6.0-dev+exp,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. -8.6.0-dev+exp,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. -8.6.0-dev+exp,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. -8.6.0-dev+exp,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author -8.6.0-dev+exp,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category -8.6.0-dev+exp,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description -8.6.0-dev+exp,true,rule,rule.id,keyword,extended,,101,Rule ID -8.6.0-dev+exp,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license -8.6.0-dev+exp,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name -8.6.0-dev+exp,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL -8.6.0-dev+exp,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset -8.6.0-dev+exp,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID -8.6.0-dev+exp,true,rule,rule.version,keyword,extended,,1.1,Rule version -8.6.0-dev+exp,true,server,server.address,keyword,extended,,,Server network address. -8.6.0-dev+exp,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.6.0-dev+exp,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.6.0-dev+exp,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.6.0-dev+exp,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. -8.6.0-dev+exp,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server. 
-8.6.0-dev+exp,true,server,server.geo.city_name,keyword,core,,Montreal,City name. -8.6.0-dev+exp,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. -8.6.0-dev+exp,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. -8.6.0-dev+exp,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.6.0-dev+exp,true,server,server.geo.country_name,keyword,core,,Canada,Country name. -8.6.0-dev+exp,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.6.0-dev+exp,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.6.0-dev+exp,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. -8.6.0-dev+exp,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.6.0-dev+exp,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. -8.6.0-dev+exp,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.6.0-dev+exp,true,server,server.ip,ip,core,,,IP address of the server. -8.6.0-dev+exp,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. -8.6.0-dev+exp,true,server,server.nat.ip,ip,extended,,,Server NAT ip -8.6.0-dev+exp,true,server,server.nat.port,long,extended,,,Server NAT port -8.6.0-dev+exp,true,server,server.packets,long,core,,12,Packets sent from the server to the client. -8.6.0-dev+exp,true,server,server.port,long,core,,,Port of the server. -8.6.0-dev+exp,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." -8.6.0-dev+exp,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. -8.6.0-dev+exp,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 
-8.6.0-dev+exp,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.6.0-dev+exp,true,server,server.user.email,keyword,extended,,,User email address. -8.6.0-dev+exp,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.6.0-dev+exp,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.6.0-dev+exp,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.6.0-dev+exp,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev+exp,true,server,server.user.group.name,keyword,extended,,,Name of the group. -8.6.0-dev+exp,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.6.0-dev+exp,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev+exp,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,server,server.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev+exp,true,server,server.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev+exp,true,server,server.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 
-8.6.0-dev+exp,true,server,server.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev+exp,true,server,server.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev+exp,true,server,server.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -8.6.0-dev+exp,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.6.0-dev+exp,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.6.0-dev+exp,true,service,service.environment,keyword,extended,,production,Environment of the service. -8.6.0-dev+exp,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.6.0-dev+exp,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.6.0-dev+exp,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. -8.6.0-dev+exp,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.6.0-dev+exp,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.6.0-dev+exp,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -8.6.0-dev+exp,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.6.0-dev+exp,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. -8.6.0-dev+exp,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. 
-8.6.0-dev+exp,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.6.0-dev+exp,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. -8.6.0-dev+exp,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.6.0-dev+exp,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.6.0-dev+exp,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -8.6.0-dev+exp,true,service,service.origin.state,keyword,core,,,Current state of the service. -8.6.0-dev+exp,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. -8.6.0-dev+exp,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. -8.6.0-dev+exp,true,service,service.state,keyword,core,,,Current state of the service. -8.6.0-dev+exp,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.6.0-dev+exp,true,service,service.target.environment,keyword,extended,,production,Environment of the service. -8.6.0-dev+exp,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.6.0-dev+exp,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.6.0-dev+exp,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. -8.6.0-dev+exp,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.6.0-dev+exp,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.6.0-dev+exp,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. 
-8.6.0-dev+exp,true,service,service.target.state,keyword,core,,,Current state of the service. -8.6.0-dev+exp,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. -8.6.0-dev+exp,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. -8.6.0-dev+exp,true,service,service.type,keyword,core,,elasticsearch,The type of the service. -8.6.0-dev+exp,true,service,service.version,keyword,core,,3.2.4,Version of the service. -8.6.0-dev+exp,true,source,source.address,keyword,extended,,,Source network address. -8.6.0-dev+exp,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.6.0-dev+exp,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.6.0-dev+exp,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.6.0-dev+exp,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. -8.6.0-dev+exp,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source. -8.6.0-dev+exp,true,source,source.geo.city_name,keyword,core,,Montreal,City name. -8.6.0-dev+exp,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. -8.6.0-dev+exp,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. -8.6.0-dev+exp,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.6.0-dev+exp,true,source,source.geo.country_name,keyword,core,,Canada,Country name. -8.6.0-dev+exp,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.6.0-dev+exp,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.6.0-dev+exp,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. -8.6.0-dev+exp,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 
-8.6.0-dev+exp,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. -8.6.0-dev+exp,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.6.0-dev+exp,true,source,source.ip,ip,core,,,IP address of the source. -8.6.0-dev+exp,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. -8.6.0-dev+exp,true,source,source.nat.ip,ip,extended,,,Source NAT ip -8.6.0-dev+exp,true,source,source.nat.port,long,extended,,,Source NAT port -8.6.0-dev+exp,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. -8.6.0-dev+exp,true,source,source.port,long,core,,,Port of the source. -8.6.0-dev+exp,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -8.6.0-dev+exp,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. -8.6.0-dev+exp,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.6.0-dev+exp,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.6.0-dev+exp,true,source,source.user.email,keyword,extended,,,User email address. -8.6.0-dev+exp,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.6.0-dev+exp,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.6.0-dev+exp,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.6.0-dev+exp,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev+exp,true,source,source.user.group.name,keyword,extended,,,Name of the group. -8.6.0-dev+exp,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
-8.6.0-dev+exp,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev+exp,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,source,source.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev+exp,true,source,source.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev+exp,true,source,source.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.6.0-dev+exp,true,source,source.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev+exp,true,source,source.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev+exp,true,source,source.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -8.6.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.6.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. -8.6.0-dev+exp,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. 
-8.6.0-dev+exp,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
-8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. 
-8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. 
-8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. 
-8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." 
-8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. 
-8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. 
-8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.6.0-dev+exp,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. 
-8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. 
-8.6.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,WHITE,Indicator TLP marking -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. 
-8.6.0-dev+exp,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. 
-8.6.0-dev+exp,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.6.0-dev+exp,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
-8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.6.0-dev+exp,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. 
-8.6.0-dev+exp,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value -8.6.0-dev+exp,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field -8.6.0-dev+exp,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier -8.6.0-dev+exp,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index -8.6.0-dev+exp,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05T17:00:58.326Z,Date of match -8.6.0-dev+exp,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match -8.6.0-dev+exp,true,threat,threat.feed.dashboard_id,keyword,extended,,5ba16340-72e6-11eb-a3e3-b3cc7c78a70f,Feed dashboard ID. -8.6.0-dev+exp,true,threat,threat.feed.description,keyword,extended,,Threat feed from the AlienVault Open Threat eXchange network.,Description of the threat feed. -8.6.0-dev+exp,true,threat,threat.feed.name,keyword,extended,,AlienVault OTX,Name of the threat feed. -8.6.0-dev+exp,true,threat,threat.feed.reference,keyword,extended,,https://otx.alienvault.com,Reference for the threat feed. -8.6.0-dev+exp,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. -8.6.0-dev+exp,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. -8.6.0-dev+exp,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. -8.6.0-dev+exp,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. -8.6.0-dev+exp,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. -8.6.0-dev+exp,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. 
-8.6.0-dev+exp,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.6.0-dev+exp,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.6.0-dev+exp,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating -8.6.0-dev+exp,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -8.6.0-dev+exp,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address -8.6.0-dev+exp,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. -8.6.0-dev+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.6.0-dev+exp,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.6.0-dev+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.6.0-dev+exp,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.6.0-dev+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.6.0-dev+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.6.0-dev+exp,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.6.0-dev+exp,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 
-8.6.0-dev+exp,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.6.0-dev+exp,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.6.0-dev+exp,true,threat,threat.indicator.file.created,date,extended,,,File creation time. -8.6.0-dev+exp,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.6.0-dev+exp,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. -8.6.0-dev+exp,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.6.0-dev+exp,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.6.0-dev+exp,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.6.0-dev+exp,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.6.0-dev+exp,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.6.0-dev+exp,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. -8.6.0-dev+exp,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.6.0-dev+exp,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.6.0-dev+exp,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.6.0-dev+exp,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.6.0-dev+exp,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. 
-8.6.0-dev+exp,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.6.0-dev+exp,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.6.0-dev+exp,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.6.0-dev+exp,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.6.0-dev+exp,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. -8.6.0-dev+exp,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. -8.6.0-dev+exp,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.6.0-dev+exp,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.6.0-dev+exp,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.6.0-dev+exp,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.6.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.6.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.6.0-dev+exp,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.6.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.6.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.6.0-dev+exp,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. 
-8.6.0-dev+exp,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.6.0-dev+exp,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.6.0-dev+exp,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.6.0-dev+exp,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.6.0-dev+exp,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.6.0-dev+exp,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.6.0-dev+exp,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.6.0-dev+exp,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. -8.6.0-dev+exp,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. -8.6.0-dev+exp,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.6.0-dev+exp,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.6.0-dev+exp,true,threat,threat.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.6.0-dev+exp,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. -8.6.0-dev+exp,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.6.0-dev+exp,true,threat,threat.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.6.0-dev+exp,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.6.0-dev+exp,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." 
-8.6.0-dev+exp,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. -8.6.0-dev+exp,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. -8.6.0-dev+exp,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.6.0-dev+exp,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. -8.6.0-dev+exp,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.6.0-dev+exp,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.6.0-dev+exp,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.6.0-dev+exp,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.6.0-dev+exp,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.6.0-dev+exp,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.6.0-dev+exp,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.6.0-dev+exp,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.6.0-dev+exp,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. 
-8.6.0-dev+exp,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.6.0-dev+exp,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. -8.6.0-dev+exp,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. -8.6.0-dev+exp,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.6.0-dev+exp,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -8.6.0-dev+exp,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.6.0-dev+exp,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.6.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.6.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.6.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.6.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.6.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.6.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-8.6.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.6.0-dev+exp,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.6.0-dev+exp,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.6.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.6.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.6.0-dev+exp,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.6.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.6.0-dev+exp,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.6.0-dev+exp,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.6.0-dev+exp,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.6.0-dev+exp,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.6.0-dev+exp,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-8.6.0-dev+exp,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.6.0-dev+exp,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.6.0-dev+exp,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.6.0-dev+exp,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.6.0-dev+exp,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.6.0-dev+exp,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. -8.6.0-dev+exp,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. -8.6.0-dev+exp,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. -8.6.0-dev+exp,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. -8.6.0-dev+exp,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.6.0-dev+exp,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. -8.6.0-dev+exp,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.6.0-dev+exp,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.6.0-dev+exp,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. -8.6.0-dev+exp,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.6.0-dev+exp,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. 
-8.6.0-dev+exp,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.6.0-dev+exp,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address -8.6.0-dev+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. -8.6.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking -8.6.0-dev+exp,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. -8.6.0-dev+exp,true,threat,threat.indicator.port,long,extended,,443,Indicator port -8.6.0-dev+exp,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider -8.6.0-dev+exp,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL -8.6.0-dev+exp,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.6.0-dev+exp,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -8.6.0-dev+exp,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.6.0-dev+exp,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.6.0-dev+exp,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -8.6.0-dev+exp,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.6.0-dev+exp,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. 
-8.6.0-dev+exp,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics -8.6.0-dev+exp,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed -8.6.0-dev+exp,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator -8.6.0-dev+exp,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.6.0-dev+exp,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -8.6.0-dev+exp,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.6.0-dev+exp,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.6.0-dev+exp,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.6.0-dev+exp,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.6.0-dev+exp,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.6.0-dev+exp,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. -8.6.0-dev+exp,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.6.0-dev+exp,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." -8.6.0-dev+exp,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. -8.6.0-dev+exp,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." 
-8.6.0-dev+exp,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. -8.6.0-dev+exp,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.6.0-dev+exp,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.6.0-dev+exp,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. -8.6.0-dev+exp,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.6.0-dev+exp,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.6.0-dev+exp,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.6.0-dev+exp,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.6.0-dev+exp,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.6.0-dev+exp,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.6.0-dev+exp,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.6.0-dev+exp,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.6.0-dev+exp,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. 
-8.6.0-dev+exp,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.6.0-dev+exp,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.6.0-dev+exp,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.6.0-dev+exp,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.6.0-dev+exp,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.6.0-dev+exp,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.6.0-dev+exp,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.6.0-dev+exp,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.6.0-dev+exp,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.6.0-dev+exp,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.6.0-dev+exp,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.6.0-dev+exp,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.6.0-dev+exp,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. 
-8.6.0-dev+exp,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.6.0-dev+exp,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. -8.6.0-dev+exp,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software -8.6.0-dev+exp,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software -8.6.0-dev+exp,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. -8.6.0-dev+exp,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. -8.6.0-dev+exp,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. -8.6.0-dev+exp,true,threat,threat.software.type,keyword,extended,,Tool,Software type. -8.6.0-dev+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. -8.6.0-dev+exp,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. -8.6.0-dev+exp,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. -8.6.0-dev+exp,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. -8.6.0-dev+exp,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. -8.6.0-dev+exp,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name. -8.6.0-dev+exp,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. -8.6.0-dev+exp,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. -8.6.0-dev+exp,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. 
-8.6.0-dev+exp,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name. -8.6.0-dev+exp,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. -8.6.0-dev+exp,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. -8.6.0-dev+exp,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. -8.6.0-dev+exp,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. -8.6.0-dev+exp,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. -8.6.0-dev+exp,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. -8.6.0-dev+exp,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. -8.6.0-dev+exp,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. -8.6.0-dev+exp,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. -8.6.0-dev+exp,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. 
-8.6.0-dev+exp,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. -8.6.0-dev+exp,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. -8.6.0-dev+exp,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. -8.6.0-dev+exp,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. -8.6.0-dev+exp,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.6.0-dev+exp,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.6.0-dev+exp,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.6.0-dev+exp,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.6.0-dev+exp,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.6.0-dev+exp,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.6.0-dev+exp,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-8.6.0-dev+exp,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.6.0-dev+exp,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.6.0-dev+exp,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.6.0-dev+exp,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.6.0-dev+exp,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.6.0-dev+exp,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.6.0-dev+exp,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.6.0-dev+exp,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.6.0-dev+exp,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.6.0-dev+exp,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.6.0-dev+exp,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.6.0-dev+exp,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-8.6.0-dev+exp,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.6.0-dev+exp,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.6.0-dev+exp,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.6.0-dev+exp,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.6.0-dev+exp,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. -8.6.0-dev+exp,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." -8.6.0-dev+exp,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. -8.6.0-dev+exp,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. -8.6.0-dev+exp,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -8.6.0-dev+exp,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. -8.6.0-dev+exp,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. -8.6.0-dev+exp,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. -8.6.0-dev+exp,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. 
-8.6.0-dev+exp,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. -8.6.0-dev+exp,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. -8.6.0-dev+exp,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. -8.6.0-dev+exp,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. -8.6.0-dev+exp,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. -8.6.0-dev+exp,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. -8.6.0-dev+exp,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.6.0-dev+exp,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.6.0-dev+exp,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.6.0-dev+exp,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
-8.6.0-dev+exp,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.6.0-dev+exp,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.6.0-dev+exp,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.6.0-dev+exp,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.6.0-dev+exp,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.6.0-dev+exp,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.6.0-dev+exp,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.6.0-dev+exp,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.6.0-dev+exp,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.6.0-dev+exp,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.6.0-dev+exp,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.6.0-dev+exp,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.6.0-dev+exp,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
-8.6.0-dev+exp,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.6.0-dev+exp,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.6.0-dev+exp,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.6.0-dev+exp,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.6.0-dev+exp,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.6.0-dev+exp,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.6.0-dev+exp,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. -8.6.0-dev+exp,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. -8.6.0-dev+exp,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. -8.6.0-dev+exp,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. -8.6.0-dev+exp,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. -8.6.0-dev+exp,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.6.0-dev+exp,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -8.6.0-dev+exp,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.6.0-dev+exp,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. 
-8.6.0-dev+exp,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.6.0-dev+exp,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.6.0-dev+exp,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.6.0-dev+exp,true,url,url.password,keyword,extended,,,Password of the request. -8.6.0-dev+exp,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.6.0-dev+exp,true,url,url.port,long,extended,,443,"Port of the request, such as 443." -8.6.0-dev+exp,true,url,url.query,keyword,extended,,,Query string of the request. -8.6.0-dev+exp,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.6.0-dev+exp,true,url,url.scheme,keyword,extended,,https,Scheme of the url. -8.6.0-dev+exp,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.6.0-dev+exp,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.6.0-dev+exp,true,url,url.username,keyword,extended,,,Username of the request. -8.6.0-dev+exp,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. -8.6.0-dev+exp,true,user,user.changes.email,keyword,extended,,,User email address. -8.6.0-dev+exp,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.6.0-dev+exp,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.6.0-dev+exp,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-8.6.0-dev+exp,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev+exp,true,user,user.changes.group.name,keyword,extended,,,Name of the group. -8.6.0-dev+exp,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.6.0-dev+exp,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev+exp,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,user,user.changes.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev+exp,true,user,user.changes.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev+exp,true,user,user.changes.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.6.0-dev+exp,true,user,user.changes.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev+exp,true,user,user.changes.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev+exp,true,user,user.changes.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -8.6.0-dev+exp,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 
-8.6.0-dev+exp,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.6.0-dev+exp,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. -8.6.0-dev+exp,true,user,user.effective.email,keyword,extended,,,User email address. -8.6.0-dev+exp,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.6.0-dev+exp,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.6.0-dev+exp,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.6.0-dev+exp,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev+exp,true,user,user.effective.group.name,keyword,extended,,,Name of the group. -8.6.0-dev+exp,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.6.0-dev+exp,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev+exp,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,user,user.effective.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev+exp,true,user,user.effective.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev+exp,true,user,user.effective.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 
-8.6.0-dev+exp,true,user,user.effective.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev+exp,true,user,user.effective.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev+exp,true,user,user.effective.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -8.6.0-dev+exp,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.6.0-dev+exp,true,user,user.email,keyword,extended,,,User email address. -8.6.0-dev+exp,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.6.0-dev+exp,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.6.0-dev+exp,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.6.0-dev+exp,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev+exp,true,user,user.group.name,keyword,extended,,,Name of the group. -8.6.0-dev+exp,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.6.0-dev+exp,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev+exp,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
-8.6.0-dev+exp,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev+exp,true,user,user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.6.0-dev+exp,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev+exp,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev+exp,true,user,user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -8.6.0-dev+exp,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.6.0-dev+exp,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. -8.6.0-dev+exp,true,user,user.target.email,keyword,extended,,,User email address. -8.6.0-dev+exp,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.6.0-dev+exp,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.6.0-dev+exp,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.6.0-dev+exp,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev+exp,true,user,user.target.group.name,keyword,extended,,,Name of the group. -8.6.0-dev+exp,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
-8.6.0-dev+exp,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev+exp,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev+exp,true,user,user.target.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev+exp,true,user,user.target.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev+exp,true,user,user.target.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.6.0-dev+exp,true,user,user.target.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev+exp,true,user,user.target.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev+exp,true,user,user.target.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -8.6.0-dev+exp,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.6.0-dev+exp,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. -8.6.0-dev+exp,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. 
-8.6.0-dev+exp,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -8.6.0-dev+exp,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -8.6.0-dev+exp,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.6.0-dev+exp,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.6.0-dev+exp,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.6.0-dev+exp,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -8.6.0-dev+exp,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.6.0-dev+exp,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.6.0-dev+exp,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.6.0-dev+exp,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -8.6.0-dev+exp,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.6.0-dev+exp,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. -8.6.0-dev+exp,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. 
-8.6.0-dev+exp,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. -8.6.0-dev+exp,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -8.6.0-dev+exp,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -8.6.0-dev+exp,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. -8.6.0-dev+exp,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. -8.6.0-dev+exp,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. -8.6.0-dev+exp,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. -8.6.0-dev+exp,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. -8.6.0-dev+exp,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. -8.6.0-dev+exp,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. -8.6.0-dev+exp,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. -8.6.0-dev+exp,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. -8.6.0-dev+exp,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. +8.7.0-dev+exp,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. +8.7.0-dev+exp,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. 
+8.7.0-dev+exp,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer. +8.7.0-dev+exp,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. +8.7.0-dev+exp,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. +8.7.0-dev+exp,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. +8.7.0-dev+exp,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. +8.7.0-dev+exp,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. +8.7.0-dev+exp,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. +8.7.0-dev+exp,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. +8.7.0-dev+exp,true,cgroup,cgroup.cpu.periods,long,extended,,454839343,Number of period intervals that have elapsed. +8.7.0-dev+exp,true,cgroup,cgroup.cpu.throttled.us,long,extended,,15000,Microseconds of CPU throttled time. +8.7.0-dev+exp,true,cgroup,cgroup.cpu.usage,scaled_float,extended,,,"CPU usage, normalized by the CPU count." +8.7.0-dev+exp,true,cgroup,cgroup.memory.limit,long,extended,,256,Memory limit within the cgroup. +8.7.0-dev+exp,true,cgroup,cgroup.memory.swap.usage,long,extended,,5600,The amount of cgroup memory in swap. +8.7.0-dev+exp,true,cgroup,cgroup.memory.usage,long,extended,,25600,Memory usage in bytes +8.7.0-dev+exp,true,cgroup,cgroup.version,long,extended,,,The cgroup version linked to the metrics +8.7.0-dev+exp,true,client,client.address,keyword,extended,,,Client network address. +8.7.0-dev+exp,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.7.0-dev+exp,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. 
+8.7.0-dev+exp,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.7.0-dev+exp,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. +8.7.0-dev+exp,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client. +8.7.0-dev+exp,true,client,client.geo.city_name,keyword,core,,Montreal,City name. +8.7.0-dev+exp,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. +8.7.0-dev+exp,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. +8.7.0-dev+exp,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.7.0-dev+exp,true,client,client.geo.country_name,keyword,core,,Canada,Country name. +8.7.0-dev+exp,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.7.0-dev+exp,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.7.0-dev+exp,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. +8.7.0-dev+exp,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.7.0-dev+exp,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. +8.7.0-dev+exp,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.7.0-dev+exp,true,client,client.ip,ip,core,,,IP address of the client. +8.7.0-dev+exp,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. +8.7.0-dev+exp,true,client,client.nat.ip,ip,extended,,,Client NAT ip address +8.7.0-dev+exp,true,client,client.nat.port,long,extended,,,Client NAT port +8.7.0-dev+exp,true,client,client.packets,long,core,,12,Packets sent from the client to the server. +8.7.0-dev+exp,true,client,client.port,long,core,,,Port of the client. 
+8.7.0-dev+exp,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." +8.7.0-dev+exp,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. +8.7.0-dev+exp,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.7.0-dev+exp,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.7.0-dev+exp,true,client,client.user.email,keyword,extended,,,User email address. +8.7.0-dev+exp,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.7.0-dev+exp,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.7.0-dev+exp,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.7.0-dev+exp,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev+exp,true,client,client.user.group.name,keyword,extended,,,Name of the group. +8.7.0-dev+exp,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.7.0-dev+exp,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev+exp,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,client,client.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
+8.7.0-dev+exp,true,client,client.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.7.0-dev+exp,true,client,client.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.7.0-dev+exp,true,client,client.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.7.0-dev+exp,true,client,client.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.7.0-dev+exp,true,client,client.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +8.7.0-dev+exp,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.7.0-dev+exp,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. +8.7.0-dev+exp,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. +8.7.0-dev+exp,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +8.7.0-dev+exp,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +8.7.0-dev+exp,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. +8.7.0-dev+exp,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +8.7.0-dev+exp,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. +8.7.0-dev+exp,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. 
+8.7.0-dev+exp,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +8.7.0-dev+exp,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +8.7.0-dev+exp,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine. +8.7.0-dev+exp,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +8.7.0-dev+exp,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id. +8.7.0-dev+exp,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name. +8.7.0-dev+exp,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider. +8.7.0-dev+exp,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +8.7.0-dev+exp,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name. +8.7.0-dev+exp,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. +8.7.0-dev+exp,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. +8.7.0-dev+exp,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. +8.7.0-dev+exp,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +8.7.0-dev+exp,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. +8.7.0-dev+exp,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id. +8.7.0-dev+exp,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name. +8.7.0-dev+exp,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." 
+8.7.0-dev+exp,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +8.7.0-dev+exp,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine. +8.7.0-dev+exp,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +8.7.0-dev+exp,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id. +8.7.0-dev+exp,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name. +8.7.0-dev+exp,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider. +8.7.0-dev+exp,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +8.7.0-dev+exp,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name. +8.7.0-dev+exp,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +8.7.0-dev+exp,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +8.7.0-dev+exp,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +8.7.0-dev+exp,true,container,container.id,keyword,core,,,Unique container id. +8.7.0-dev+exp,true,container,container.image.hash.all,keyword,extended,array,[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26],An array of digests of the image the container was built on. +8.7.0-dev+exp,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. +8.7.0-dev+exp,true,container,container.image.tag,keyword,extended,array,,Container image tags. +8.7.0-dev+exp,true,container,container.labels,object,extended,,,Image labels. +8.7.0-dev+exp,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1." 
+8.7.0-dev+exp,true,container,container.name,keyword,extended,,,Container name. +8.7.0-dev+exp,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +8.7.0-dev+exp,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +8.7.0-dev+exp,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. +8.7.0-dev+exp,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. +8.7.0-dev+exp,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. +8.7.0-dev+exp,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. +8.7.0-dev+exp,true,destination,destination.address,keyword,extended,,,Destination network address. +8.7.0-dev+exp,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.7.0-dev+exp,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.7.0-dev+exp,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.7.0-dev+exp,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. +8.7.0-dev+exp,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination. +8.7.0-dev+exp,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. +8.7.0-dev+exp,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. +8.7.0-dev+exp,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. 
+8.7.0-dev+exp,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.7.0-dev+exp,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. +8.7.0-dev+exp,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.7.0-dev+exp,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.7.0-dev+exp,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. +8.7.0-dev+exp,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.7.0-dev+exp,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. +8.7.0-dev+exp,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.7.0-dev+exp,true,destination,destination.ip,ip,core,,,IP address of the destination. +8.7.0-dev+exp,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. +8.7.0-dev+exp,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip +8.7.0-dev+exp,true,destination,destination.nat.port,long,extended,,,Destination NAT Port +8.7.0-dev+exp,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. +8.7.0-dev+exp,true,destination,destination.port,long,core,,,Port of the destination. +8.7.0-dev+exp,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." +8.7.0-dev+exp,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. +8.7.0-dev+exp,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.7.0-dev+exp,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. 
+8.7.0-dev+exp,true,destination,destination.user.email,keyword,extended,,,User email address. +8.7.0-dev+exp,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.7.0-dev+exp,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.7.0-dev+exp,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.7.0-dev+exp,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev+exp,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. +8.7.0-dev+exp,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.7.0-dev+exp,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev+exp,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,destination,destination.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.7.0-dev+exp,true,destination,destination.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.7.0-dev+exp,true,destination,destination.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 
+8.7.0-dev+exp,true,destination,destination.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.7.0-dev+exp,true,destination,destination.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.7.0-dev+exp,true,destination,destination.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +8.7.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.7.0-dev+exp,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. +8.7.0-dev+exp,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. +8.7.0-dev+exp,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. +8.7.0-dev+exp,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. +8.7.0-dev+exp,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.7.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.7.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.7.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
+8.7.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.7.0-dev+exp,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.7.0-dev+exp,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.7.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.7.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.7.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. +8.7.0-dev+exp,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. +8.7.0-dev+exp,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. +8.7.0-dev+exp,true,dll,dll.hash.sha384,keyword,extended,,,SHA384 hash. +8.7.0-dev+exp,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. +8.7.0-dev+exp,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.7.0-dev+exp,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. +8.7.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. +8.7.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. +8.7.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.7.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.7.0-dev+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.7.0-dev+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.7.0-dev+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. 
+8.7.0-dev+exp,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.7.0-dev+exp,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.7.0-dev+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.7.0-dev+exp,true,dns,dns.answers,object,extended,array,,Array of DNS answers. +8.7.0-dev+exp,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. +8.7.0-dev+exp,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. +8.7.0-dev+exp,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. +8.7.0-dev+exp,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. +8.7.0-dev+exp,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. +8.7.0-dev+exp,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. +8.7.0-dev+exp,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. +8.7.0-dev+exp,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. +8.7.0-dev+exp,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. +8.7.0-dev+exp,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. +8.7.0-dev+exp,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." 
+8.7.0-dev+exp,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. +8.7.0-dev+exp,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.7.0-dev+exp,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. +8.7.0-dev+exp,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data +8.7.0-dev+exp,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. +8.7.0-dev+exp,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." +8.7.0-dev+exp,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. +8.7.0-dev+exp,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. +8.7.0-dev+exp,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. +8.7.0-dev+exp,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. +8.7.0-dev+exp,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. +8.7.0-dev+exp,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. +8.7.0-dev+exp,true,email,email.attachments.file.hash.sha384,keyword,extended,,,SHA384 hash. +8.7.0-dev+exp,true,email,email.attachments.file.hash.sha512,keyword,extended,,,SHA512 hash. +8.7.0-dev+exp,true,email,email.attachments.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.7.0-dev+exp,true,email,email.attachments.file.hash.tlsh,keyword,extended,,,TLSH hash. +8.7.0-dev+exp,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file. +8.7.0-dev+exp,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file. +8.7.0-dev+exp,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size. 
+8.7.0-dev+exp,true,email,email.bcc.address,keyword,extended,array,bcc.user1@example.com,Email address of BCC recipient +8.7.0-dev+exp,true,email,email.cc.address,keyword,extended,array,cc.user1@example.com,Email address of CC recipient +8.7.0-dev+exp,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message. +8.7.0-dev+exp,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered. +8.7.0-dev+exp,true,email,email.direction,keyword,extended,,inbound,Direction of the message. +8.7.0-dev+exp,true,email,email.from.address,keyword,extended,array,sender@example.com,The sender's email address. +8.7.0-dev+exp,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source. +8.7.0-dev+exp,true,email,email.message_id,wildcard,extended,,81ce15$8r2j59@mail01.example.com,Value from the Message-ID header. +8.7.0-dev+exp,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed. +8.7.0-dev+exp,true,email,email.reply_to.address,keyword,extended,array,reply.here@example.com,Address replies should be delivered to. +8.7.0-dev+exp,true,email,email.sender.address,keyword,extended,,,Address of the message sender. +8.7.0-dev+exp,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message. +8.7.0-dev+exp,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. +8.7.0-dev+exp,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient +8.7.0-dev+exp,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. +8.7.0-dev+exp,true,error,error.code,keyword,core,,,Error code describing the error. +8.7.0-dev+exp,true,error,error.id,keyword,core,,,Unique identifier for the error. 
+8.7.0-dev+exp,true,error,error.message,match_only_text,core,,,Error message. +8.7.0-dev+exp,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. +8.7.0-dev+exp,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text. +8.7.0-dev+exp,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." +8.7.0-dev+exp,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. +8.7.0-dev+exp,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. +8.7.0-dev+exp,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. +8.7.0-dev+exp,true,event,event.code,keyword,extended,,4648,Identification code for this event. +8.7.0-dev+exp,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. +8.7.0-dev+exp,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. +8.7.0-dev+exp,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. +8.7.0-dev+exp,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. +8.7.0-dev+exp,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +8.7.0-dev+exp,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. +8.7.0-dev+exp,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. +8.7.0-dev+exp,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. 
+8.7.0-dev+exp,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. +8.7.0-dev+exp,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +8.7.0-dev+exp,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. +8.7.0-dev+exp,true,event,event.provider,keyword,extended,,kernel,Source of the event. +8.7.0-dev+exp,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" +8.7.0-dev+exp,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL +8.7.0-dev+exp,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +8.7.0-dev+exp,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). +8.7.0-dev+exp,true,event,event.sequence,long,extended,,,Sequence number of the event. +8.7.0-dev+exp,true,event,event.severity,long,core,,7,Numeric severity of the event. +8.7.0-dev+exp,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. +8.7.0-dev+exp,true,event,event.timezone,keyword,extended,,,Event time zone. +8.7.0-dev+exp,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. +8.7.0-dev+exp,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL +8.7.0-dev+exp,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function. 
+8.7.0-dev+exp,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. +8.7.0-dev+exp,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. +8.7.0-dev+exp,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. +8.7.0-dev+exp,true,faas,faas.trigger,nested,extended,,,Details about the function trigger. +8.7.0-dev+exp,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." +8.7.0-dev+exp,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. +8.7.0-dev+exp,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. +8.7.0-dev+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed. +8.7.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +8.7.0-dev+exp,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.7.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.7.0-dev+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.7.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.7.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.7.0-dev+exp,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.7.0-dev+exp,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 
+8.7.0-dev+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.7.0-dev+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.7.0-dev+exp,true,file,file.created,date,extended,,,File creation time. +8.7.0-dev+exp,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. +8.7.0-dev+exp,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. +8.7.0-dev+exp,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. +8.7.0-dev+exp,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +8.7.0-dev+exp,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.7.0-dev+exp,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.7.0-dev+exp,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.7.0-dev+exp,true,file,file.elf.creation_date,date,extended,,,Build or compile date. +8.7.0-dev+exp,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. +8.7.0-dev+exp,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.7.0-dev+exp,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.7.0-dev+exp,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.7.0-dev+exp,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.7.0-dev+exp,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.7.0-dev+exp,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. 
+8.7.0-dev+exp,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.7.0-dev+exp,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. +8.7.0-dev+exp,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. +8.7.0-dev+exp,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. +8.7.0-dev+exp,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.7.0-dev+exp,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.7.0-dev+exp,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.7.0-dev+exp,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. +8.7.0-dev+exp,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.7.0-dev+exp,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.7.0-dev+exp,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.7.0-dev+exp,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.7.0-dev+exp,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.7.0-dev+exp,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. +8.7.0-dev+exp,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.7.0-dev+exp,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. +8.7.0-dev+exp,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.7.0-dev+exp,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.7.0-dev+exp,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." 
+8.7.0-dev+exp,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +8.7.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +8.7.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file. +8.7.0-dev+exp,true,file,file.hash.md5,keyword,extended,,,MD5 hash. +8.7.0-dev+exp,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. +8.7.0-dev+exp,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. +8.7.0-dev+exp,true,file,file.hash.sha384,keyword,extended,,,SHA384 hash. +8.7.0-dev+exp,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. +8.7.0-dev+exp,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.7.0-dev+exp,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. +8.7.0-dev+exp,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +8.7.0-dev+exp,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +8.7.0-dev+exp,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. +8.7.0-dev+exp,true,file,file.mtime,date,extended,,,Last time the file content was modified. +8.7.0-dev+exp,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +8.7.0-dev+exp,true,file,file.owner,keyword,extended,,alice,File owner's username. +8.7.0-dev+exp,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.7.0-dev+exp,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.7.0-dev+exp,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.7.0-dev+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 
+8.7.0-dev+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.7.0-dev+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.7.0-dev+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.7.0-dev+exp,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.7.0-dev+exp,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.7.0-dev+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.7.0-dev+exp,true,file,file.size,long,extended,,16384,File size in bytes. +8.7.0-dev+exp,true,file,file.target_path,keyword,extended,,,Target path for symlinks. +8.7.0-dev+exp,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. +8.7.0-dev+exp,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +8.7.0-dev+exp,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +8.7.0-dev+exp,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.7.0-dev+exp,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.7.0-dev+exp,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.7.0-dev+exp,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
+8.7.0-dev+exp,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.7.0-dev+exp,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.7.0-dev+exp,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.7.0-dev+exp,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.7.0-dev+exp,true,file,file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.7.0-dev+exp,true,file,file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.7.0-dev+exp,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.7.0-dev+exp,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.7.0-dev+exp,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.7.0-dev+exp,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.7.0-dev+exp,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.7.0-dev+exp,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.7.0-dev+exp,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
+8.7.0-dev+exp,true,file,file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.7.0-dev+exp,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.7.0-dev+exp,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.7.0-dev+exp,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.7.0-dev+exp,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.7.0-dev+exp,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.7.0-dev+exp,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. +8.7.0-dev+exp,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.7.0-dev+exp,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev+exp,true,group,group.name,keyword,extended,,,Name of the group. +8.7.0-dev+exp,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. +8.7.0-dev+exp,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id +8.7.0-dev+exp,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +8.7.0-dev+exp,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +8.7.0-dev+exp,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +8.7.0-dev+exp,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. +8.7.0-dev+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name. 
+8.7.0-dev+exp,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. +8.7.0-dev+exp,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. +8.7.0-dev+exp,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.7.0-dev+exp,true,host,host.geo.country_name,keyword,core,,Canada,Country name. +8.7.0-dev+exp,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.7.0-dev+exp,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.7.0-dev+exp,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. +8.7.0-dev+exp,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.7.0-dev+exp,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. +8.7.0-dev+exp,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.7.0-dev+exp,true,host,host.hostname,keyword,core,,,Hostname of the host. +8.7.0-dev+exp,true,host,host.id,keyword,core,,,Unique host id. +8.7.0-dev+exp,true,host,host.ip,ip,core,array,,Host ip addresses. +8.7.0-dev+exp,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. +8.7.0-dev+exp,true,host,host.name,keyword,core,,,Name of the host. +8.7.0-dev+exp,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +8.7.0-dev+exp,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. +8.7.0-dev+exp,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +8.7.0-dev+exp,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. +8.7.0-dev+exp,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 
+8.7.0-dev+exp,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.7.0-dev+exp,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.7.0-dev+exp,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +8.7.0-dev+exp,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +8.7.0-dev+exp,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +8.7.0-dev+exp,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +8.7.0-dev+exp,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +8.7.0-dev+exp,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +8.7.0-dev+exp,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode +8.7.0-dev+exp,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.7.0-dev+exp,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.7.0-dev+exp,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.7.0-dev+exp,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 
+8.7.0-dev+exp,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.7.0-dev+exp,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +8.7.0-dev+exp,true,host,host.type,keyword,core,,,Type of host. +8.7.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. +8.7.0-dev+exp,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. +8.7.0-dev+exp,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. +8.7.0-dev+exp,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body. +8.7.0-dev+exp,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). +8.7.0-dev+exp,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. +8.7.0-dev+exp,true,http,http.request.method,keyword,extended,,POST,HTTP request method. +8.7.0-dev+exp,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. +8.7.0-dev+exp,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. +8.7.0-dev+exp,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. +8.7.0-dev+exp,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. +8.7.0-dev+exp,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body. +8.7.0-dev+exp,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). +8.7.0-dev+exp,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. 
+8.7.0-dev+exp,true,http,http.response.status_code,long,extended,,404,HTTP response status code. +8.7.0-dev+exp,true,http,http.version,keyword,extended,,1.1,HTTP version. +8.7.0-dev+exp,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. +8.7.0-dev+exp,true,log,log.level,keyword,core,,error,Log level of the log event. +8.7.0-dev+exp,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. +8.7.0-dev+exp,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event. +8.7.0-dev+exp,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. +8.7.0-dev+exp,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. +8.7.0-dev+exp,true,log,log.syslog,object,extended,,,Syslog metadata +8.7.0-dev+exp,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. +8.7.0-dev+exp,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. +8.7.0-dev+exp,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. +8.7.0-dev+exp,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. +8.7.0-dev+exp,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. +8.7.0-dev+exp,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. +8.7.0-dev+exp,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. +8.7.0-dev+exp,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. +8.7.0-dev+exp,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. 
+8.7.0-dev+exp,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages. +8.7.0-dev+exp,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. +8.7.0-dev+exp,true,network,network.application,keyword,extended,,aim,Application level protocol name. +8.7.0-dev+exp,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. +8.7.0-dev+exp,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. +8.7.0-dev+exp,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. +8.7.0-dev+exp,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. +8.7.0-dev+exp,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. +8.7.0-dev+exp,true,network,network.inner,object,extended,,,Inner VLAN tag information +8.7.0-dev+exp,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.7.0-dev+exp,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.7.0-dev+exp,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. +8.7.0-dev+exp,true,network,network.packets,long,core,,24,Total packets transferred in both directions. +8.7.0-dev+exp,true,network,network.protocol,keyword,core,,http,Application protocol name. +8.7.0-dev+exp,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. +8.7.0-dev+exp,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" +8.7.0-dev+exp,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.7.0-dev+exp,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. 
+8.7.0-dev+exp,true,observer,observer.egress,object,extended,,,Object field for egress information +8.7.0-dev+exp,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias +8.7.0-dev+exp,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID +8.7.0-dev+exp,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name +8.7.0-dev+exp,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.7.0-dev+exp,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.7.0-dev+exp,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone +8.7.0-dev+exp,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. +8.7.0-dev+exp,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. +8.7.0-dev+exp,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. +8.7.0-dev+exp,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.7.0-dev+exp,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. +8.7.0-dev+exp,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.7.0-dev+exp,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.7.0-dev+exp,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. +8.7.0-dev+exp,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.7.0-dev+exp,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. +8.7.0-dev+exp,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.7.0-dev+exp,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. 
+8.7.0-dev+exp,true,observer,observer.ingress,object,extended,,,Object field for ingress information +8.7.0-dev+exp,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias +8.7.0-dev+exp,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID +8.7.0-dev+exp,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name +8.7.0-dev+exp,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.7.0-dev+exp,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.7.0-dev+exp,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone +8.7.0-dev+exp,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. +8.7.0-dev+exp,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. +8.7.0-dev+exp,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. +8.7.0-dev+exp,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +8.7.0-dev+exp,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.7.0-dev+exp,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.7.0-dev+exp,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +8.7.0-dev+exp,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +8.7.0-dev+exp,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +8.7.0-dev+exp,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." 
+8.7.0-dev+exp,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +8.7.0-dev+exp,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +8.7.0-dev+exp,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. +8.7.0-dev+exp,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. +8.7.0-dev+exp,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. +8.7.0-dev+exp,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. +8.7.0-dev+exp,true,observer,observer.version,keyword,core,,,Observer version. +8.7.0-dev+exp,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action +8.7.0-dev+exp,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster. +8.7.0-dev+exp,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster. +8.7.0-dev+exp,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster. +8.7.0-dev+exp,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. +8.7.0-dev+exp,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. +8.7.0-dev+exp,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). +8.7.0-dev+exp,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. +8.7.0-dev+exp,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. 
+8.7.0-dev+exp,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. +8.7.0-dev+exp,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. +8.7.0-dev+exp,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. +8.7.0-dev+exp,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)." +8.7.0-dev+exp,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. +8.7.0-dev+exp,true,organization,organization.name,keyword,extended,,,Organization name. +8.7.0-dev+exp,true,organization,organization.name.text,match_only_text,extended,,,Organization name. +8.7.0-dev+exp,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. +8.7.0-dev+exp,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information +8.7.0-dev+exp,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. +8.7.0-dev+exp,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. +8.7.0-dev+exp,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." +8.7.0-dev+exp,true,package,package.installed,date,extended,,,Time when package was installed. +8.7.0-dev+exp,true,package,package.license,keyword,extended,,Apache License 2.0,Package license +8.7.0-dev+exp,true,package,package.name,keyword,extended,,go,Package name +8.7.0-dev+exp,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. 
+8.7.0-dev+exp,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL +8.7.0-dev+exp,true,package,package.size,long,extended,,62231,Package size in bytes. +8.7.0-dev+exp,true,package,package.type,keyword,extended,,rpm,Package type +8.7.0-dev+exp,true,package,package.version,keyword,extended,,1.12.9,Package version +8.7.0-dev+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.7.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array. +8.7.0-dev+exp,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.7.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.7.0-dev+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.7.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.7.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.7.0-dev+exp,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.7.0-dev+exp,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.7.0-dev+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.7.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 
+8.7.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.7.0-dev+exp,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.7.0-dev+exp,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.7.0-dev+exp,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.7.0-dev+exp,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.7.0-dev+exp,true,process,process.elf.creation_date,date,extended,,,Build or compile date. +8.7.0-dev+exp,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. +8.7.0-dev+exp,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.7.0-dev+exp,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.7.0-dev+exp,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.7.0-dev+exp,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.7.0-dev+exp,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.7.0-dev+exp,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.7.0-dev+exp,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.7.0-dev+exp,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. +8.7.0-dev+exp,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. +8.7.0-dev+exp,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. 
+8.7.0-dev+exp,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.7.0-dev+exp,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.7.0-dev+exp,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.7.0-dev+exp,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. +8.7.0-dev+exp,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.7.0-dev+exp,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.7.0-dev+exp,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. +8.7.0-dev+exp,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.7.0-dev+exp,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.7.0-dev+exp,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. +8.7.0-dev+exp,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.7.0-dev+exp,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. +8.7.0-dev+exp,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.7.0-dev+exp,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.7.0-dev+exp,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +8.7.0-dev+exp,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.7.0-dev+exp,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.7.0-dev+exp,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. 
+8.7.0-dev+exp,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group. +8.7.0-dev+exp,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev+exp,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,process,process.entry_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.7.0-dev+exp,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.7.0-dev+exp,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.7.0-dev+exp,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. +8.7.0-dev+exp,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. +8.7.0-dev+exp,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.7.0-dev+exp,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.7.0-dev+exp,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev+exp,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. +8.7.0-dev+exp,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.7.0-dev+exp,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. 
+8.7.0-dev+exp,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. +8.7.0-dev+exp,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.7.0-dev+exp,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. +8.7.0-dev+exp,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.7.0-dev+exp,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. +8.7.0-dev+exp,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.7.0-dev+exp,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.7.0-dev+exp,true,process,process.entry_leader.pid,long,core,,4242,Process id. +8.7.0-dev+exp,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev+exp,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. +8.7.0-dev+exp,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev+exp,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +8.7.0-dev+exp,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+8.7.0-dev+exp,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. +8.7.0-dev+exp,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev+exp,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.7.0-dev+exp,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev+exp,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +8.7.0-dev+exp,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. +8.7.0-dev+exp,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.7.0-dev+exp,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.7.0-dev+exp,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev+exp,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.7.0-dev+exp,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. 
+8.7.0-dev+exp,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. +8.7.0-dev+exp,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.7.0-dev+exp,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.7.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process. +8.7.0-dev+exp,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.7.0-dev+exp,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. +8.7.0-dev+exp,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.7.0-dev+exp,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.7.0-dev+exp,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.7.0-dev+exp,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.7.0-dev+exp,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.7.0-dev+exp,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev+exp,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. +8.7.0-dev+exp,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.7.0-dev+exp,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. 
+8.7.0-dev+exp,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. +8.7.0-dev+exp,true,process,process.group_leader.pid,long,core,,4242,Process id. +8.7.0-dev+exp,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev+exp,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. +8.7.0-dev+exp,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev+exp,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +8.7.0-dev+exp,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev+exp,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. +8.7.0-dev+exp,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev+exp,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.7.0-dev+exp,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+8.7.0-dev+exp,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +8.7.0-dev+exp,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. +8.7.0-dev+exp,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.7.0-dev+exp,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.7.0-dev+exp,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev+exp,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.7.0-dev+exp,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.7.0-dev+exp,true,process,process.hash.md5,keyword,extended,,,MD5 hash. +8.7.0-dev+exp,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. +8.7.0-dev+exp,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. +8.7.0-dev+exp,true,process,process.hash.sha384,keyword,extended,,,SHA384 hash. +8.7.0-dev+exp,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. +8.7.0-dev+exp,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.7.0-dev+exp,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. +8.7.0-dev+exp,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.7.0-dev+exp,true,process,process.name,keyword,extended,,ssh,Process name. 
+8.7.0-dev+exp,true,process,process.name.text,match_only_text,extended,,ssh,Process name. +8.7.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.7.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. +8.7.0-dev+exp,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.7.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.7.0-dev+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.7.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.7.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.7.0-dev+exp,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.7.0-dev+exp,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.7.0-dev+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.7.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.7.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.7.0-dev+exp,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
+8.7.0-dev+exp,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.7.0-dev+exp,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.7.0-dev+exp,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.7.0-dev+exp,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. +8.7.0-dev+exp,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. +8.7.0-dev+exp,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.7.0-dev+exp,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.7.0-dev+exp,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.7.0-dev+exp,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.7.0-dev+exp,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.7.0-dev+exp,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.7.0-dev+exp,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.7.0-dev+exp,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. +8.7.0-dev+exp,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. +8.7.0-dev+exp,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. +8.7.0-dev+exp,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. 
+8.7.0-dev+exp,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.7.0-dev+exp,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.7.0-dev+exp,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. +8.7.0-dev+exp,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.7.0-dev+exp,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.7.0-dev+exp,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. +8.7.0-dev+exp,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.7.0-dev+exp,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.7.0-dev+exp,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. +8.7.0-dev+exp,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.7.0-dev+exp,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. +8.7.0-dev+exp,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.7.0-dev+exp,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.7.0-dev+exp,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +8.7.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.7.0-dev+exp,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.7.0-dev+exp,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 
+8.7.0-dev+exp,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. +8.7.0-dev+exp,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev+exp,true,process,process.parent.group.name,keyword,extended,,,Name of the group. +8.7.0-dev+exp,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.7.0-dev+exp,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. +8.7.0-dev+exp,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.7.0-dev+exp,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. +8.7.0-dev+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. +8.7.0-dev+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. +8.7.0-dev+exp,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash. +8.7.0-dev+exp,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. +8.7.0-dev+exp,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.7.0-dev+exp,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. +8.7.0-dev+exp,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.7.0-dev+exp,true,process,process.parent.name,keyword,extended,,ssh,Process name. +8.7.0-dev+exp,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. +8.7.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.7.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 
+8.7.0-dev+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.7.0-dev+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.7.0-dev+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.7.0-dev+exp,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.7.0-dev+exp,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.7.0-dev+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.7.0-dev+exp,true,process,process.parent.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. +8.7.0-dev+exp,true,process,process.parent.pid,long,core,,4242,Process id. +8.7.0-dev+exp,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev+exp,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. +8.7.0-dev+exp,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev+exp,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev+exp,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group. 
+8.7.0-dev+exp,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev+exp,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.7.0-dev+exp,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev+exp,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. +8.7.0-dev+exp,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. +8.7.0-dev+exp,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. +8.7.0-dev+exp,true,process,process.parent.title,keyword,extended,,,Process title. +8.7.0-dev+exp,true,process,process.parent.title.text,match_only_text,extended,,,Process title. +8.7.0-dev+exp,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. +8.7.0-dev+exp,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.7.0-dev+exp,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.7.0-dev+exp,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. +8.7.0-dev+exp,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev+exp,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
+8.7.0-dev+exp,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.7.0-dev+exp,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.7.0-dev+exp,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.7.0-dev+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.7.0-dev+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.7.0-dev+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.7.0-dev+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.7.0-dev+exp,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.7.0-dev+exp,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.7.0-dev+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.7.0-dev+exp,true,process,process.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. +8.7.0-dev+exp,true,process,process.pid,long,core,,4242,Process id. +8.7.0-dev+exp,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.7.0-dev+exp,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. +8.7.0-dev+exp,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 
+8.7.0-dev+exp,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.7.0-dev+exp,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev+exp,true,process,process.real_group.name,keyword,extended,,,Name of the group. +8.7.0-dev+exp,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev+exp,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev+exp,true,process,process.saved_group.name,keyword,extended,,,Name of the group. +8.7.0-dev+exp,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev+exp,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.7.0-dev+exp,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array. +8.7.0-dev+exp,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.7.0-dev+exp,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
+8.7.0-dev+exp,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.7.0-dev+exp,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.7.0-dev+exp,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.7.0-dev+exp,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev+exp,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. +8.7.0-dev+exp,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.7.0-dev+exp,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. +8.7.0-dev+exp,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. +8.7.0-dev+exp,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.7.0-dev+exp,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. +8.7.0-dev+exp,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.7.0-dev+exp,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. +8.7.0-dev+exp,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.7.0-dev+exp,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.7.0-dev+exp,true,process,process.session_leader.pid,long,core,,4242,Process id. +8.7.0-dev+exp,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+8.7.0-dev+exp,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. +8.7.0-dev+exp,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev+exp,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +8.7.0-dev+exp,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev+exp,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group. +8.7.0-dev+exp,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev+exp,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.7.0-dev+exp,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev+exp,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +8.7.0-dev+exp,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. 
+8.7.0-dev+exp,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.7.0-dev+exp,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.7.0-dev+exp,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev+exp,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.7.0-dev+exp,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.7.0-dev+exp,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.7.0-dev+exp,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev+exp,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. +8.7.0-dev+exp,true,process,process.thread.id,long,extended,,4242,Thread ID. +8.7.0-dev+exp,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. +8.7.0-dev+exp,true,process,process.title,keyword,extended,,,Process title. +8.7.0-dev+exp,true,process,process.title.text,match_only_text,extended,,,Process title. +8.7.0-dev+exp,true,process,process.tty,object,extended,,,Information about the controlling TTY device. +8.7.0-dev+exp,true,process,process.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.7.0-dev+exp,true,process,process.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. 
+8.7.0-dev+exp,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width +8.7.0-dev+exp,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height +8.7.0-dev+exp,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. +8.7.0-dev+exp,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev+exp,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.7.0-dev+exp,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.7.0-dev+exp,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +8.7.0-dev+exp,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +8.7.0-dev+exp,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +8.7.0-dev+exp,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +8.7.0-dev+exp,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +8.7.0-dev+exp,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +8.7.0-dev+exp,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. 
+8.7.0-dev+exp,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. +8.7.0-dev+exp,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. +8.7.0-dev+exp,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. +8.7.0-dev+exp,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. +8.7.0-dev+exp,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author +8.7.0-dev+exp,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category +8.7.0-dev+exp,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description +8.7.0-dev+exp,true,rule,rule.id,keyword,extended,,101,Rule ID +8.7.0-dev+exp,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license +8.7.0-dev+exp,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name +8.7.0-dev+exp,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL +8.7.0-dev+exp,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset +8.7.0-dev+exp,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID +8.7.0-dev+exp,true,rule,rule.version,keyword,extended,,1.1,Rule version +8.7.0-dev+exp,true,server,server.address,keyword,extended,,,Server network address. +8.7.0-dev+exp,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.7.0-dev+exp,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.7.0-dev+exp,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.7.0-dev+exp,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. +8.7.0-dev+exp,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server. 
+8.7.0-dev+exp,true,server,server.geo.city_name,keyword,core,,Montreal,City name. +8.7.0-dev+exp,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. +8.7.0-dev+exp,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. +8.7.0-dev+exp,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.7.0-dev+exp,true,server,server.geo.country_name,keyword,core,,Canada,Country name. +8.7.0-dev+exp,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.7.0-dev+exp,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.7.0-dev+exp,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. +8.7.0-dev+exp,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.7.0-dev+exp,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. +8.7.0-dev+exp,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.7.0-dev+exp,true,server,server.ip,ip,core,,,IP address of the server. +8.7.0-dev+exp,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. +8.7.0-dev+exp,true,server,server.nat.ip,ip,extended,,,Server NAT ip +8.7.0-dev+exp,true,server,server.nat.port,long,extended,,,Server NAT port +8.7.0-dev+exp,true,server,server.packets,long,core,,12,Packets sent from the server to the client. +8.7.0-dev+exp,true,server,server.port,long,core,,,Port of the server. +8.7.0-dev+exp,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." +8.7.0-dev+exp,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. +8.7.0-dev+exp,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 
+8.7.0-dev+exp,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.7.0-dev+exp,true,server,server.user.email,keyword,extended,,,User email address. +8.7.0-dev+exp,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.7.0-dev+exp,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.7.0-dev+exp,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.7.0-dev+exp,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev+exp,true,server,server.user.group.name,keyword,extended,,,Name of the group. +8.7.0-dev+exp,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.7.0-dev+exp,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev+exp,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,server,server.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.7.0-dev+exp,true,server,server.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.7.0-dev+exp,true,server,server.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 
+8.7.0-dev+exp,true,server,server.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.7.0-dev+exp,true,server,server.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.7.0-dev+exp,true,server,server.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +8.7.0-dev+exp,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.7.0-dev+exp,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. +8.7.0-dev+exp,true,service,service.environment,keyword,extended,,production,Environment of the service. +8.7.0-dev+exp,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +8.7.0-dev+exp,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +8.7.0-dev+exp,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. +8.7.0-dev+exp,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. +8.7.0-dev+exp,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +8.7.0-dev+exp,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +8.7.0-dev+exp,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. +8.7.0-dev+exp,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. +8.7.0-dev+exp,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. 
+8.7.0-dev+exp,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +8.7.0-dev+exp,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. +8.7.0-dev+exp,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. +8.7.0-dev+exp,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +8.7.0-dev+exp,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +8.7.0-dev+exp,true,service,service.origin.state,keyword,core,,,Current state of the service. +8.7.0-dev+exp,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. +8.7.0-dev+exp,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. +8.7.0-dev+exp,true,service,service.state,keyword,core,,,Current state of the service. +8.7.0-dev+exp,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service. +8.7.0-dev+exp,true,service,service.target.environment,keyword,extended,,production,Environment of the service. +8.7.0-dev+exp,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +8.7.0-dev+exp,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +8.7.0-dev+exp,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. +8.7.0-dev+exp,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. +8.7.0-dev+exp,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +8.7.0-dev+exp,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. 
+8.7.0-dev+exp,true,service,service.target.state,keyword,core,,,Current state of the service. +8.7.0-dev+exp,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. +8.7.0-dev+exp,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. +8.7.0-dev+exp,true,service,service.type,keyword,core,,elasticsearch,The type of the service. +8.7.0-dev+exp,true,service,service.version,keyword,core,,3.2.4,Version of the service. +8.7.0-dev+exp,true,source,source.address,keyword,extended,,,Source network address. +8.7.0-dev+exp,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.7.0-dev+exp,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.7.0-dev+exp,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.7.0-dev+exp,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. +8.7.0-dev+exp,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source. +8.7.0-dev+exp,true,source,source.geo.city_name,keyword,core,,Montreal,City name. +8.7.0-dev+exp,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. +8.7.0-dev+exp,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. +8.7.0-dev+exp,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.7.0-dev+exp,true,source,source.geo.country_name,keyword,core,,Canada,Country name. +8.7.0-dev+exp,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.7.0-dev+exp,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.7.0-dev+exp,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. +8.7.0-dev+exp,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 
+8.7.0-dev+exp,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. +8.7.0-dev+exp,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.7.0-dev+exp,true,source,source.ip,ip,core,,,IP address of the source. +8.7.0-dev+exp,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +8.7.0-dev+exp,true,source,source.nat.ip,ip,extended,,,Source NAT ip +8.7.0-dev+exp,true,source,source.nat.port,long,extended,,,Source NAT port +8.7.0-dev+exp,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. +8.7.0-dev+exp,true,source,source.port,long,core,,,Port of the source. +8.7.0-dev+exp,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +8.7.0-dev+exp,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. +8.7.0-dev+exp,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.7.0-dev+exp,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.7.0-dev+exp,true,source,source.user.email,keyword,extended,,,User email address. +8.7.0-dev+exp,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.7.0-dev+exp,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.7.0-dev+exp,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.7.0-dev+exp,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev+exp,true,source,source.user.group.name,keyword,extended,,,Name of the group. +8.7.0-dev+exp,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
+8.7.0-dev+exp,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev+exp,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,source,source.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.7.0-dev+exp,true,source,source.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.7.0-dev+exp,true,source,source.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.7.0-dev+exp,true,source,source.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.7.0-dev+exp,true,source,source.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.7.0-dev+exp,true,source,source.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +8.7.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.7.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. +8.7.0-dev+exp,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. 
+8.7.0-dev+exp,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
+8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. 
+8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. 
+8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. 
+8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." 
+8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. 
+8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. 
+8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.7.0-dev+exp,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. 
+8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. 
+8.7.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,WHITE,Indicator TLP marking +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. 
+8.7.0-dev+exp,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. 
+8.7.0-dev+exp,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+8.7.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.7.0-dev+exp,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
+8.7.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. 
+8.7.0-dev+exp,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value +8.7.0-dev+exp,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field +8.7.0-dev+exp,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier +8.7.0-dev+exp,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index +8.7.0-dev+exp,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05T17:00:58.326Z,Date of match +8.7.0-dev+exp,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match +8.7.0-dev+exp,true,threat,threat.feed.dashboard_id,keyword,extended,,5ba16340-72e6-11eb-a3e3-b3cc7c78a70f,Feed dashboard ID. +8.7.0-dev+exp,true,threat,threat.feed.description,keyword,extended,,Threat feed from the AlienVault Open Threat eXchange network.,Description of the threat feed. +8.7.0-dev+exp,true,threat,threat.feed.name,keyword,extended,,AlienVault OTX,Name of the threat feed. +8.7.0-dev+exp,true,threat,threat.feed.reference,keyword,extended,,https://otx.alienvault.com,Reference for the threat feed. +8.7.0-dev+exp,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. +8.7.0-dev+exp,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. +8.7.0-dev+exp,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. +8.7.0-dev+exp,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. +8.7.0-dev+exp,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. +8.7.0-dev+exp,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. 
+8.7.0-dev+exp,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.7.0-dev+exp,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.7.0-dev+exp,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating +8.7.0-dev+exp,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +8.7.0-dev+exp,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +8.7.0-dev+exp,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. +8.7.0-dev+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +8.7.0-dev+exp,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.7.0-dev+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.7.0-dev+exp,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.7.0-dev+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.7.0-dev+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.7.0-dev+exp,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.7.0-dev+exp,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 
+8.7.0-dev+exp,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.7.0-dev+exp,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.7.0-dev+exp,true,threat,threat.indicator.file.created,date,extended,,,File creation time. +8.7.0-dev+exp,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +8.7.0-dev+exp,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +8.7.0-dev+exp,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +8.7.0-dev+exp,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +8.7.0-dev+exp,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.7.0-dev+exp,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.7.0-dev+exp,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.7.0-dev+exp,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +8.7.0-dev+exp,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +8.7.0-dev+exp,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.7.0-dev+exp,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.7.0-dev+exp,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.7.0-dev+exp,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. 
+8.7.0-dev+exp,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.7.0-dev+exp,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.7.0-dev+exp,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.7.0-dev+exp,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +8.7.0-dev+exp,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +8.7.0-dev+exp,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +8.7.0-dev+exp,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.7.0-dev+exp,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.7.0-dev+exp,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.7.0-dev+exp,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +8.7.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.7.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.7.0-dev+exp,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.7.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.7.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.7.0-dev+exp,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. 
+8.7.0-dev+exp,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.7.0-dev+exp,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +8.7.0-dev+exp,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.7.0-dev+exp,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.7.0-dev+exp,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +8.7.0-dev+exp,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +8.7.0-dev+exp,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +8.7.0-dev+exp,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +8.7.0-dev+exp,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. +8.7.0-dev+exp,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. +8.7.0-dev+exp,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. +8.7.0-dev+exp,true,threat,threat.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. +8.7.0-dev+exp,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. +8.7.0-dev+exp,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.7.0-dev+exp,true,threat,threat.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. +8.7.0-dev+exp,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +8.7.0-dev+exp,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." 
+8.7.0-dev+exp,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +8.7.0-dev+exp,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. +8.7.0-dev+exp,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +8.7.0-dev+exp,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. +8.7.0-dev+exp,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.7.0-dev+exp,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.7.0-dev+exp,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.7.0-dev+exp,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.7.0-dev+exp,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.7.0-dev+exp,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.7.0-dev+exp,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.7.0-dev+exp,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.7.0-dev+exp,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. 
+8.7.0-dev+exp,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.7.0-dev+exp,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. +8.7.0-dev+exp,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +8.7.0-dev+exp,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. +8.7.0-dev+exp,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +8.7.0-dev+exp,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +8.7.0-dev+exp,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.7.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.7.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.7.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.7.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.7.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.7.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+8.7.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.7.0-dev+exp,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.7.0-dev+exp,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.7.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.7.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.7.0-dev+exp,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.7.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.7.0-dev+exp,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.7.0-dev+exp,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.7.0-dev+exp,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.7.0-dev+exp,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.7.0-dev+exp,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
+8.7.0-dev+exp,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.7.0-dev+exp,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.7.0-dev+exp,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.7.0-dev+exp,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.7.0-dev+exp,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. +8.7.0-dev+exp,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +8.7.0-dev+exp,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. +8.7.0-dev+exp,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. +8.7.0-dev+exp,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +8.7.0-dev+exp,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.7.0-dev+exp,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. +8.7.0-dev+exp,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.7.0-dev+exp,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.7.0-dev+exp,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. +8.7.0-dev+exp,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.7.0-dev+exp,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. 
+8.7.0-dev+exp,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.7.0-dev+exp,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +8.7.0-dev+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +8.7.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking +8.7.0-dev+exp,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. +8.7.0-dev+exp,true,threat,threat.indicator.port,long,extended,,443,Indicator port +8.7.0-dev+exp,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +8.7.0-dev+exp,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +8.7.0-dev+exp,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +8.7.0-dev+exp,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +8.7.0-dev+exp,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +8.7.0-dev+exp,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +8.7.0-dev+exp,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +8.7.0-dev+exp,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +8.7.0-dev+exp,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. 
+8.7.0-dev+exp,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics +8.7.0-dev+exp,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed +8.7.0-dev+exp,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +8.7.0-dev+exp,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +8.7.0-dev+exp,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +8.7.0-dev+exp,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +8.7.0-dev+exp,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.7.0-dev+exp,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.7.0-dev+exp,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.7.0-dev+exp,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.7.0-dev+exp,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. +8.7.0-dev+exp,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +8.7.0-dev+exp,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." +8.7.0-dev+exp,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. +8.7.0-dev+exp,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." 
+8.7.0-dev+exp,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +8.7.0-dev+exp,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +8.7.0-dev+exp,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.7.0-dev+exp,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. +8.7.0-dev+exp,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.7.0-dev+exp,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.7.0-dev+exp,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.7.0-dev+exp,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.7.0-dev+exp,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.7.0-dev+exp,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.7.0-dev+exp,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.7.0-dev+exp,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.7.0-dev+exp,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. 
+8.7.0-dev+exp,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.7.0-dev+exp,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.7.0-dev+exp,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.7.0-dev+exp,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.7.0-dev+exp,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.7.0-dev+exp,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.7.0-dev+exp,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.7.0-dev+exp,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.7.0-dev+exp,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.7.0-dev+exp,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.7.0-dev+exp,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.7.0-dev+exp,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.7.0-dev+exp,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. 
+8.7.0-dev+exp,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.7.0-dev+exp,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. +8.7.0-dev+exp,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software +8.7.0-dev+exp,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software +8.7.0-dev+exp,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. +8.7.0-dev+exp,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. +8.7.0-dev+exp,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. +8.7.0-dev+exp,true,threat,threat.software.type,keyword,extended,,Tool,Software type. +8.7.0-dev+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. +8.7.0-dev+exp,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. +8.7.0-dev+exp,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. +8.7.0-dev+exp,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. +8.7.0-dev+exp,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. +8.7.0-dev+exp,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name. +8.7.0-dev+exp,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. +8.7.0-dev+exp,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. +8.7.0-dev+exp,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. 
+8.7.0-dev+exp,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name. +8.7.0-dev+exp,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. +8.7.0-dev+exp,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. +8.7.0-dev+exp,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. +8.7.0-dev+exp,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. +8.7.0-dev+exp,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. +8.7.0-dev+exp,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. +8.7.0-dev+exp,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. +8.7.0-dev+exp,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. +8.7.0-dev+exp,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. +8.7.0-dev+exp,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. 
+8.7.0-dev+exp,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. +8.7.0-dev+exp,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. +8.7.0-dev+exp,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. +8.7.0-dev+exp,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. +8.7.0-dev+exp,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.7.0-dev+exp,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.7.0-dev+exp,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.7.0-dev+exp,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.7.0-dev+exp,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.7.0-dev+exp,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.7.0-dev+exp,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+8.7.0-dev+exp,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.7.0-dev+exp,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.7.0-dev+exp,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.7.0-dev+exp,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.7.0-dev+exp,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.7.0-dev+exp,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.7.0-dev+exp,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.7.0-dev+exp,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.7.0-dev+exp,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.7.0-dev+exp,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.7.0-dev+exp,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.7.0-dev+exp,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
+8.7.0-dev+exp,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.7.0-dev+exp,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.7.0-dev+exp,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.7.0-dev+exp,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.7.0-dev+exp,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. +8.7.0-dev+exp,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." +8.7.0-dev+exp,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +8.7.0-dev+exp,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. +8.7.0-dev+exp,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +8.7.0-dev+exp,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. +8.7.0-dev+exp,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. +8.7.0-dev+exp,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. +8.7.0-dev+exp,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. 
+8.7.0-dev+exp,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. +8.7.0-dev+exp,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. +8.7.0-dev+exp,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. +8.7.0-dev+exp,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. +8.7.0-dev+exp,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. +8.7.0-dev+exp,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. +8.7.0-dev+exp,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.7.0-dev+exp,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.7.0-dev+exp,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.7.0-dev+exp,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
+8.7.0-dev+exp,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.7.0-dev+exp,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.7.0-dev+exp,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.7.0-dev+exp,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.7.0-dev+exp,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.7.0-dev+exp,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.7.0-dev+exp,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.7.0-dev+exp,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.7.0-dev+exp,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.7.0-dev+exp,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.7.0-dev+exp,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.7.0-dev+exp,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.7.0-dev+exp,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
+8.7.0-dev+exp,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.7.0-dev+exp,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.7.0-dev+exp,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.7.0-dev+exp,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.7.0-dev+exp,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.7.0-dev+exp,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.7.0-dev+exp,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. +8.7.0-dev+exp,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. +8.7.0-dev+exp,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. +8.7.0-dev+exp,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. +8.7.0-dev+exp,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. +8.7.0-dev+exp,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. +8.7.0-dev+exp,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +8.7.0-dev+exp,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. +8.7.0-dev+exp,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. 
+8.7.0-dev+exp,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.7.0-dev+exp,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.7.0-dev+exp,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.7.0-dev+exp,true,url,url.password,keyword,extended,,,Password of the request. +8.7.0-dev+exp,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +8.7.0-dev+exp,true,url,url.port,long,extended,,443,"Port of the request, such as 443." +8.7.0-dev+exp,true,url,url.query,keyword,extended,,,Query string of the request. +8.7.0-dev+exp,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +8.7.0-dev+exp,true,url,url.scheme,keyword,extended,,https,Scheme of the url. +8.7.0-dev+exp,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. +8.7.0-dev+exp,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.7.0-dev+exp,true,url,url.username,keyword,extended,,,Username of the request. +8.7.0-dev+exp,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. +8.7.0-dev+exp,true,user,user.changes.email,keyword,extended,,,User email address. +8.7.0-dev+exp,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.7.0-dev+exp,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.7.0-dev+exp,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+8.7.0-dev+exp,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev+exp,true,user,user.changes.group.name,keyword,extended,,,Name of the group. +8.7.0-dev+exp,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.7.0-dev+exp,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev+exp,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,user,user.changes.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.7.0-dev+exp,true,user,user.changes.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.7.0-dev+exp,true,user,user.changes.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.7.0-dev+exp,true,user,user.changes.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.7.0-dev+exp,true,user,user.changes.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.7.0-dev+exp,true,user,user.changes.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +8.7.0-dev+exp,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 
+8.7.0-dev+exp,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.7.0-dev+exp,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. +8.7.0-dev+exp,true,user,user.effective.email,keyword,extended,,,User email address. +8.7.0-dev+exp,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.7.0-dev+exp,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.7.0-dev+exp,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.7.0-dev+exp,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev+exp,true,user,user.effective.group.name,keyword,extended,,,Name of the group. +8.7.0-dev+exp,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.7.0-dev+exp,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev+exp,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,user,user.effective.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.7.0-dev+exp,true,user,user.effective.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.7.0-dev+exp,true,user,user.effective.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 
+8.7.0-dev+exp,true,user,user.effective.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.7.0-dev+exp,true,user,user.effective.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.7.0-dev+exp,true,user,user.effective.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +8.7.0-dev+exp,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.7.0-dev+exp,true,user,user.email,keyword,extended,,,User email address. +8.7.0-dev+exp,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.7.0-dev+exp,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.7.0-dev+exp,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.7.0-dev+exp,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev+exp,true,user,user.group.name,keyword,extended,,,Name of the group. +8.7.0-dev+exp,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.7.0-dev+exp,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev+exp,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
+8.7.0-dev+exp,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.7.0-dev+exp,true,user,user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.7.0-dev+exp,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.7.0-dev+exp,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.7.0-dev+exp,true,user,user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +8.7.0-dev+exp,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.7.0-dev+exp,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. +8.7.0-dev+exp,true,user,user.target.email,keyword,extended,,,User email address. +8.7.0-dev+exp,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.7.0-dev+exp,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.7.0-dev+exp,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.7.0-dev+exp,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev+exp,true,user,user.target.group.name,keyword,extended,,,Name of the group. +8.7.0-dev+exp,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
+8.7.0-dev+exp,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev+exp,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev+exp,true,user,user.target.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.7.0-dev+exp,true,user,user.target.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.7.0-dev+exp,true,user,user.target.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.7.0-dev+exp,true,user,user.target.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.7.0-dev+exp,true,user,user.target.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.7.0-dev+exp,true,user,user.target.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +8.7.0-dev+exp,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.7.0-dev+exp,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. +8.7.0-dev+exp,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. 
+8.7.0-dev+exp,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +8.7.0-dev+exp,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +8.7.0-dev+exp,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +8.7.0-dev+exp,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.7.0-dev+exp,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.7.0-dev+exp,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +8.7.0-dev+exp,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +8.7.0-dev+exp,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +8.7.0-dev+exp,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +8.7.0-dev+exp,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +8.7.0-dev+exp,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +8.7.0-dev+exp,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. +8.7.0-dev+exp,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. 
+8.7.0-dev+exp,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. +8.7.0-dev+exp,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +8.7.0-dev+exp,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +8.7.0-dev+exp,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. +8.7.0-dev+exp,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. +8.7.0-dev+exp,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. +8.7.0-dev+exp,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. +8.7.0-dev+exp,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. +8.7.0-dev+exp,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. +8.7.0-dev+exp,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. +8.7.0-dev+exp,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. +8.7.0-dev+exp,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. +8.7.0-dev+exp,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. diff --git a/experimental/generated/elasticsearch/composable/component/agent.json b/experimental/generated/elasticsearch/composable/component/agent.json index d1b80be6d9..39efdec673 100644 --- a/experimental/generated/elasticsearch/composable/component/agent.json 
+++ b/experimental/generated/elasticsearch/composable/component/agent.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/base.json b/experimental/generated/elasticsearch/composable/component/base.json index 03ba4f0971..a405283633 100644 --- a/experimental/generated/elasticsearch/composable/component/base.json +++ b/experimental/generated/elasticsearch/composable/component/base.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/cgroup.json b/experimental/generated/elasticsearch/composable/component/cgroup.json index 0a5fae57ad..4a85ffdb6c 100644 --- a/experimental/generated/elasticsearch/composable/component/cgroup.json +++ b/experimental/generated/elasticsearch/composable/component/cgroup.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cgroup.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/client.json b/experimental/generated/elasticsearch/composable/component/client.json index 0215b97296..89b4617461 100644 --- a/experimental/generated/elasticsearch/composable/component/client.json +++ b/experimental/generated/elasticsearch/composable/component/client.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/cloud.json b/experimental/generated/elasticsearch/composable/component/cloud.json index 42b4ff42ec..af88c146ef 100644 --- a/experimental/generated/elasticsearch/composable/component/cloud.json +++ b/experimental/generated/elasticsearch/composable/component/cloud.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cloud.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/container.json b/experimental/generated/elasticsearch/composable/component/container.json index 273e50282a..978f181787 100644 --- a/experimental/generated/elasticsearch/composable/component/container.json +++ b/experimental/generated/elasticsearch/composable/component/container.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-container.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/data_stream.json b/experimental/generated/elasticsearch/composable/component/data_stream.json index 53279d3e89..98f611d8b2 100644 --- a/experimental/generated/elasticsearch/composable/component/data_stream.json +++ b/experimental/generated/elasticsearch/composable/component/data_stream.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-data_stream.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/destination.json b/experimental/generated/elasticsearch/composable/component/destination.json index f838ce51fc..53cfa212a8 100644 --- a/experimental/generated/elasticsearch/composable/component/destination.json 
+++ b/experimental/generated/elasticsearch/composable/component/destination.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/device.json b/experimental/generated/elasticsearch/composable/component/device.json index 07a1b46999..50ac72cf11 100644 --- a/experimental/generated/elasticsearch/composable/component/device.json +++ b/experimental/generated/elasticsearch/composable/component/device.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-device.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/dll.json b/experimental/generated/elasticsearch/composable/component/dll.json index 232e902250..abbb0883be 100644 --- a/experimental/generated/elasticsearch/composable/component/dll.json +++ b/experimental/generated/elasticsearch/composable/component/dll.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dll.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/dns.json b/experimental/generated/elasticsearch/composable/component/dns.json index dd4360329f..99300ea08e 100644 --- a/experimental/generated/elasticsearch/composable/component/dns.json +++ b/experimental/generated/elasticsearch/composable/component/dns.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/ecs.json b/experimental/generated/elasticsearch/composable/component/ecs.json index 2efa0bd8b5..77e6e935a0 100644 --- a/experimental/generated/elasticsearch/composable/component/ecs.json +++ b/experimental/generated/elasticsearch/composable/component/ecs.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/email.json b/experimental/generated/elasticsearch/composable/component/email.json index c2e9766c02..ed1c7c86ed 100644 --- a/experimental/generated/elasticsearch/composable/component/email.json +++ b/experimental/generated/elasticsearch/composable/component/email.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-email.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/error.json b/experimental/generated/elasticsearch/composable/component/error.json index 679dfe6f64..e4b17ee799 100644 --- a/experimental/generated/elasticsearch/composable/component/error.json +++ b/experimental/generated/elasticsearch/composable/component/error.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-error.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/event.json b/experimental/generated/elasticsearch/composable/component/event.json index f5660ca18c..7b78209293 100644 --- a/experimental/generated/elasticsearch/composable/component/event.json +++ b/experimental/generated/elasticsearch/composable/component/event.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/faas.json b/experimental/generated/elasticsearch/composable/component/faas.json index b54e3f0397..5c3b0398c1 100644 --- a/experimental/generated/elasticsearch/composable/component/faas.json +++ b/experimental/generated/elasticsearch/composable/component/faas.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-faas.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/file.json b/experimental/generated/elasticsearch/composable/component/file.json index f76c5592ac..bb18576642 100644 --- a/experimental/generated/elasticsearch/composable/component/file.json +++ b/experimental/generated/elasticsearch/composable/component/file.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/group.json b/experimental/generated/elasticsearch/composable/component/group.json index 78ec95ff47..d4365d1775 100644 --- a/experimental/generated/elasticsearch/composable/component/group.json +++ b/experimental/generated/elasticsearch/composable/component/group.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-group.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/host.json b/experimental/generated/elasticsearch/composable/component/host.json index 44a6bb8c4f..67888e5ec1 100644 --- a/experimental/generated/elasticsearch/composable/component/host.json +++ b/experimental/generated/elasticsearch/composable/component/host.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/http.json b/experimental/generated/elasticsearch/composable/component/http.json index 510e1a0266..ca58acd6a8 100644 --- a/experimental/generated/elasticsearch/composable/component/http.json +++ b/experimental/generated/elasticsearch/composable/component/http.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/log.json b/experimental/generated/elasticsearch/composable/component/log.json index 811944e3d7..8b0995bbcd 100644 --- a/experimental/generated/elasticsearch/composable/component/log.json +++ b/experimental/generated/elasticsearch/composable/component/log.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/network.json b/experimental/generated/elasticsearch/composable/component/network.json index 2cc0892fee..b37f5391bf 100644 --- a/experimental/generated/elasticsearch/composable/component/network.json +++ b/experimental/generated/elasticsearch/composable/component/network.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/observer.json b/experimental/generated/elasticsearch/composable/component/observer.json index 57fc817539..22c7d8cbda 100644 --- a/experimental/generated/elasticsearch/composable/component/observer.json +++ b/experimental/generated/elasticsearch/composable/component/observer.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/orchestrator.json b/experimental/generated/elasticsearch/composable/component/orchestrator.json index 61237f7aac..29e0e41a73 100644 --- a/experimental/generated/elasticsearch/composable/component/orchestrator.json +++ b/experimental/generated/elasticsearch/composable/component/orchestrator.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-orchestrator.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/organization.json b/experimental/generated/elasticsearch/composable/component/organization.json index 9e610f8120..f538a6df2e 100644 --- a/experimental/generated/elasticsearch/composable/component/organization.json +++ b/experimental/generated/elasticsearch/composable/component/organization.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-organization.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/package.json b/experimental/generated/elasticsearch/composable/component/package.json index 2cd39d5eee..867b222c24 100644 --- a/experimental/generated/elasticsearch/composable/component/package.json +++ b/experimental/generated/elasticsearch/composable/component/package.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-package.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/process.json b/experimental/generated/elasticsearch/composable/component/process.json index 8a9a78cd29..0053c776da 100644 --- a/experimental/generated/elasticsearch/composable/component/process.json +++ b/experimental/generated/elasticsearch/composable/component/process.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/registry.json b/experimental/generated/elasticsearch/composable/component/registry.json index 9e43ea6de0..b371d77795 100644 --- a/experimental/generated/elasticsearch/composable/component/registry.json +++ b/experimental/generated/elasticsearch/composable/component/registry.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-registry.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/related.json b/experimental/generated/elasticsearch/composable/component/related.json index 51e5f16a6a..c1a884fd23 100644 --- a/experimental/generated/elasticsearch/composable/component/related.json 
+++ b/experimental/generated/elasticsearch/composable/component/related.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-related.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/rule.json b/experimental/generated/elasticsearch/composable/component/rule.json index a51be09c6a..284c329c2b 100644 --- a/experimental/generated/elasticsearch/composable/component/rule.json +++ b/experimental/generated/elasticsearch/composable/component/rule.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/server.json b/experimental/generated/elasticsearch/composable/component/server.json index 6d10607e07..76d32bbb92 100644 --- a/experimental/generated/elasticsearch/composable/component/server.json +++ b/experimental/generated/elasticsearch/composable/component/server.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/service.json b/experimental/generated/elasticsearch/composable/component/service.json index b517b95754..7a3a9714be 100644 --- a/experimental/generated/elasticsearch/composable/component/service.json +++ b/experimental/generated/elasticsearch/composable/component/service.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/source.json b/experimental/generated/elasticsearch/composable/component/source.json index d8a7c30fb2..7bf03e55e0 100644 --- a/experimental/generated/elasticsearch/composable/component/source.json +++ b/experimental/generated/elasticsearch/composable/component/source.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/threat.json b/experimental/generated/elasticsearch/composable/component/threat.json index 920b924d79..c659e1b512 100644 --- a/experimental/generated/elasticsearch/composable/component/threat.json +++ b/experimental/generated/elasticsearch/composable/component/threat.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-threat.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/tls.json b/experimental/generated/elasticsearch/composable/component/tls.json index 66c4dd082a..b5a39a8ef5 100644 --- a/experimental/generated/elasticsearch/composable/component/tls.json +++ b/experimental/generated/elasticsearch/composable/component/tls.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tls.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/tracing.json b/experimental/generated/elasticsearch/composable/component/tracing.json index 27090faee5..d8658ca2ad 100644 --- a/experimental/generated/elasticsearch/composable/component/tracing.json +++ b/experimental/generated/elasticsearch/composable/component/tracing.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tracing.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/url.json b/experimental/generated/elasticsearch/composable/component/url.json index 15eedc11ba..eb2a91de55 100644 --- a/experimental/generated/elasticsearch/composable/component/url.json +++ b/experimental/generated/elasticsearch/composable/component/url.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/user.json b/experimental/generated/elasticsearch/composable/component/user.json index dfad2d3bbf..96f5a38a30 100644 --- a/experimental/generated/elasticsearch/composable/component/user.json +++ b/experimental/generated/elasticsearch/composable/component/user.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/user_agent.json b/experimental/generated/elasticsearch/composable/component/user_agent.json index 4d8d4ca5a6..16a5eb26e9 100644 --- a/experimental/generated/elasticsearch/composable/component/user_agent.json +++ b/experimental/generated/elasticsearch/composable/component/user_agent.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/vulnerability.json b/experimental/generated/elasticsearch/composable/component/vulnerability.json index 829ebaaddb..b96a469ac0 100644 --- a/experimental/generated/elasticsearch/composable/component/vulnerability.json +++ b/experimental/generated/elasticsearch/composable/component/vulnerability.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/template.json b/experimental/generated/elasticsearch/composable/template.json index ea8d864740..c485a08faf 100644 --- a/experimental/generated/elasticsearch/composable/template.json +++ b/experimental/generated/elasticsearch/composable/template.json 
@@ -1,49 +1,49 @@ { "_meta": { "description": "Sample composable template that includes all ECS fields", - "ecs_version": "8.6.0-dev+exp" + "ecs_version": "8.7.0-dev+exp" }, "composed_of": [ - "ecs_8.6.0-dev-exp_cgroup", - "ecs_8.6.0-dev-exp_base", - "ecs_8.6.0-dev-exp_agent", - "ecs_8.6.0-dev-exp_client", - "ecs_8.6.0-dev-exp_cloud", - "ecs_8.6.0-dev-exp_container", - "ecs_8.6.0-dev-exp_data_stream", - "ecs_8.6.0-dev-exp_destination", - "ecs_8.6.0-dev-exp_device", - "ecs_8.6.0-dev-exp_dll", - "ecs_8.6.0-dev-exp_dns", - "ecs_8.6.0-dev-exp_ecs", - "ecs_8.6.0-dev-exp_email", - "ecs_8.6.0-dev-exp_error", - "ecs_8.6.0-dev-exp_event", - "ecs_8.6.0-dev-exp_faas", - "ecs_8.6.0-dev-exp_file", - "ecs_8.6.0-dev-exp_group", - "ecs_8.6.0-dev-exp_host", - "ecs_8.6.0-dev-exp_http", - "ecs_8.6.0-dev-exp_log", - "ecs_8.6.0-dev-exp_network", - "ecs_8.6.0-dev-exp_observer", - "ecs_8.6.0-dev-exp_orchestrator", - "ecs_8.6.0-dev-exp_organization", - "ecs_8.6.0-dev-exp_package", - "ecs_8.6.0-dev-exp_process", - "ecs_8.6.0-dev-exp_registry", - "ecs_8.6.0-dev-exp_related", - "ecs_8.6.0-dev-exp_rule", - "ecs_8.6.0-dev-exp_server", - "ecs_8.6.0-dev-exp_service", - "ecs_8.6.0-dev-exp_source", - "ecs_8.6.0-dev-exp_threat", - "ecs_8.6.0-dev-exp_tls", - "ecs_8.6.0-dev-exp_tracing", - "ecs_8.6.0-dev-exp_url", - "ecs_8.6.0-dev-exp_user_agent", - "ecs_8.6.0-dev-exp_user", - "ecs_8.6.0-dev-exp_vulnerability" + "ecs_8.7.0-dev-exp_cgroup", + "ecs_8.7.0-dev-exp_base", + "ecs_8.7.0-dev-exp_agent", + "ecs_8.7.0-dev-exp_client", + "ecs_8.7.0-dev-exp_cloud", + "ecs_8.7.0-dev-exp_container", + "ecs_8.7.0-dev-exp_data_stream", + "ecs_8.7.0-dev-exp_destination", + "ecs_8.7.0-dev-exp_device", + "ecs_8.7.0-dev-exp_dll", + "ecs_8.7.0-dev-exp_dns", + "ecs_8.7.0-dev-exp_ecs", + "ecs_8.7.0-dev-exp_email", + "ecs_8.7.0-dev-exp_error", + "ecs_8.7.0-dev-exp_event", + "ecs_8.7.0-dev-exp_faas", + "ecs_8.7.0-dev-exp_file", + "ecs_8.7.0-dev-exp_group", + "ecs_8.7.0-dev-exp_host", + "ecs_8.7.0-dev-exp_http", + 
"ecs_8.7.0-dev-exp_log", + "ecs_8.7.0-dev-exp_network", + "ecs_8.7.0-dev-exp_observer", + "ecs_8.7.0-dev-exp_orchestrator", + "ecs_8.7.0-dev-exp_organization", + "ecs_8.7.0-dev-exp_package", + "ecs_8.7.0-dev-exp_process", + "ecs_8.7.0-dev-exp_registry", + "ecs_8.7.0-dev-exp_related", + "ecs_8.7.0-dev-exp_rule", + "ecs_8.7.0-dev-exp_server", + "ecs_8.7.0-dev-exp_service", + "ecs_8.7.0-dev-exp_source", + "ecs_8.7.0-dev-exp_threat", + "ecs_8.7.0-dev-exp_tls", + "ecs_8.7.0-dev-exp_tracing", + "ecs_8.7.0-dev-exp_url", + "ecs_8.7.0-dev-exp_user_agent", + "ecs_8.7.0-dev-exp_user", + "ecs_8.7.0-dev-exp_vulnerability" ], "index_patterns": [ "try-ecs-*" diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index 6f6c9c8008..e63e5c1166 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -4,7 +4,7 @@ ], "mappings": { "_meta": { - "version": "8.6.0-dev+exp" + "version": "8.7.0-dev+exp" }, "date_detection": false, "dynamic_templates": [ diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 32629d878c..69c9e44735 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -1,5 +1,5 @@ # WARNING! Do not edit this file directly, it was generated by the ECS project, -# based on ECS version 8.6.0-dev. +# based on ECS version 8.7.0-dev. # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields. - key: ecs diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index aab536a8e9..5584f351d0 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -1,1578 +1,1578 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description -8.6.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. -8.6.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. -8.6.0-dev,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer. -8.6.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. -8.6.0-dev,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. -8.6.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. -8.6.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. -8.6.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. -8.6.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. -8.6.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. -8.6.0-dev,true,client,client.address,keyword,extended,,,Client network address. -8.6.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.6.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.6.0-dev,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.6.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. -8.6.0-dev,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client. -8.6.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name. -8.6.0-dev,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. 
-8.6.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. -8.6.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.6.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name. -8.6.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.6.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.6.0-dev,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. -8.6.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.6.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. -8.6.0-dev,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.6.0-dev,true,client,client.ip,ip,core,,,IP address of the client. -8.6.0-dev,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. -8.6.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address -8.6.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port -8.6.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. -8.6.0-dev,true,client,client.port,long,core,,,Port of the client. -8.6.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." -8.6.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. -8.6.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.6.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.6.0-dev,true,client,client.user.email,keyword,extended,,,User email address. -8.6.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
-8.6.0-dev,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.6.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.6.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group. -8.6.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.6.0-dev,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,client,client.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev,true,client,client.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev,true,client,client.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.6.0-dev,true,client,client.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev,true,client,client.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev,true,client,client.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 
-8.6.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.6.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. -8.6.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. -8.6.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -8.6.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -8.6.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. -8.6.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.6.0-dev,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. -8.6.0-dev,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. -8.6.0-dev,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -8.6.0-dev,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -8.6.0-dev,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine. -8.6.0-dev,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.6.0-dev,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id. -8.6.0-dev,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name. -8.6.0-dev,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider. -8.6.0-dev,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." 
-8.6.0-dev,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name. -8.6.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. -8.6.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. -8.6.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. -8.6.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -8.6.0-dev,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. -8.6.0-dev,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id. -8.6.0-dev,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name. -8.6.0-dev,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -8.6.0-dev,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -8.6.0-dev,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine. -8.6.0-dev,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.6.0-dev,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id. -8.6.0-dev,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name. -8.6.0-dev,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider. -8.6.0-dev,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -8.6.0-dev,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name. -8.6.0-dev,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." 
-8.6.0-dev,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -8.6.0-dev,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -8.6.0-dev,true,container,container.id,keyword,core,,,Unique container id. -8.6.0-dev,true,container,container.image.hash.all,keyword,extended,array,[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26],An array of digests of the image the container was built on. -8.6.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. -8.6.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags. -8.6.0-dev,true,container,container.labels,object,extended,,,Image labels. -8.6.0-dev,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1." -8.6.0-dev,true,container,container.name,keyword,extended,,,Container name. -8.6.0-dev,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. -8.6.0-dev,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -8.6.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. -8.6.0-dev,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. -8.6.0-dev,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. -8.6.0-dev,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. -8.6.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address. -8.6.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. 
-8.6.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.6.0-dev,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.6.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. -8.6.0-dev,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination. -8.6.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. -8.6.0-dev,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. -8.6.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. -8.6.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.6.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. -8.6.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.6.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.6.0-dev,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. -8.6.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.6.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. -8.6.0-dev,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.6.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. -8.6.0-dev,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. 
-8.6.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip -8.6.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port -8.6.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. -8.6.0-dev,true,destination,destination.port,long,core,,,Port of the destination. -8.6.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." -8.6.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. -8.6.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.6.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.6.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address. -8.6.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.6.0-dev,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.6.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.6.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. -8.6.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.6.0-dev,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. 
-8.6.0-dev,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,destination,destination.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev,true,destination,destination.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev,true,destination,destination.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.6.0-dev,true,destination,destination.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev,true,destination,destination.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev,true,destination,destination.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -8.6.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.6.0-dev,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. -8.6.0-dev,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. -8.6.0-dev,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. -8.6.0-dev,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. 
-8.6.0-dev,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.6.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.6.0-dev,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.6.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.6.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.6.0-dev,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.6.0-dev,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.6.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.6.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.6.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. -8.6.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. -8.6.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. -8.6.0-dev,true,dll,dll.hash.sha384,keyword,extended,,,SHA384 hash. -8.6.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. -8.6.0-dev,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.6.0-dev,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. -8.6.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. -8.6.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. -8.6.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 
-8.6.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.6.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.6.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.6.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.6.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.6.0-dev,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.6.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.6.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. -8.6.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. -8.6.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. -8.6.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. -8.6.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. -8.6.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. -8.6.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. -8.6.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. 
-8.6.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. -8.6.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. -8.6.0-dev,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. -8.6.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." -8.6.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. -8.6.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.6.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. -8.6.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data -8.6.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. -8.6.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." -8.6.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. -8.6.0-dev,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. -8.6.0-dev,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. -8.6.0-dev,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. -8.6.0-dev,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.6.0-dev,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.6.0-dev,true,email,email.attachments.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.6.0-dev,true,email,email.attachments.file.hash.sha512,keyword,extended,,,SHA512 hash. -8.6.0-dev,true,email,email.attachments.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. 
-8.6.0-dev,true,email,email.attachments.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.6.0-dev,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file. -8.6.0-dev,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file. -8.6.0-dev,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size. -8.6.0-dev,true,email,email.bcc.address,keyword,extended,array,bcc.user1@example.com,Email address of BCC recipient -8.6.0-dev,true,email,email.cc.address,keyword,extended,array,cc.user1@example.com,Email address of CC recipient -8.6.0-dev,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message. -8.6.0-dev,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered. -8.6.0-dev,true,email,email.direction,keyword,extended,,inbound,Direction of the message. -8.6.0-dev,true,email,email.from.address,keyword,extended,array,sender@example.com,The sender's email address. -8.6.0-dev,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source. -8.6.0-dev,true,email,email.message_id,wildcard,extended,,81ce15$8r2j59@mail01.example.com,Value from the Message-ID header. -8.6.0-dev,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed. -8.6.0-dev,true,email,email.reply_to.address,keyword,extended,array,reply.here@example.com,Address replies should be delivered to. -8.6.0-dev,true,email,email.sender.address,keyword,extended,,,Address of the message sender. -8.6.0-dev,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message. -8.6.0-dev,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. 
-8.6.0-dev,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient -8.6.0-dev,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. -8.6.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. -8.6.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. -8.6.0-dev,true,error,error.message,match_only_text,core,,,Error message. -8.6.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. -8.6.0-dev,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text. -8.6.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." -8.6.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. -8.6.0-dev,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. -8.6.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. -8.6.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event. -8.6.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. -8.6.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. -8.6.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. -8.6.0-dev,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. -8.6.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. -8.6.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. 
-8.6.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. -8.6.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. -8.6.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. -8.6.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. -8.6.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. -8.6.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. -8.6.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" -8.6.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL -8.6.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. -8.6.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). -8.6.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event. -8.6.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event. -8.6.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. -8.6.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone. -8.6.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. 
-8.6.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL -8.6.0-dev,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function. -8.6.0-dev,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. -8.6.0-dev,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. -8.6.0-dev,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. -8.6.0-dev,true,faas,faas.trigger,nested,extended,,,Details about the function trigger. -8.6.0-dev,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." -8.6.0-dev,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. -8.6.0-dev,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. -8.6.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. -8.6.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.6.0-dev,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.6.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.6.0-dev,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.6.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
-8.6.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.6.0-dev,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.6.0-dev,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.6.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.6.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.6.0-dev,true,file,file.created,date,extended,,,File creation time. -8.6.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.6.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. -8.6.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.6.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.6.0-dev,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.6.0-dev,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.6.0-dev,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.6.0-dev,true,file,file.elf.creation_date,date,extended,,,Build or compile date. -8.6.0-dev,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.6.0-dev,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.6.0-dev,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.6.0-dev,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. 
-8.6.0-dev,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.6.0-dev,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.6.0-dev,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.6.0-dev,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.6.0-dev,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.6.0-dev,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. -8.6.0-dev,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. -8.6.0-dev,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.6.0-dev,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.6.0-dev,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.6.0-dev,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.6.0-dev,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.6.0-dev,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.6.0-dev,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.6.0-dev,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.6.0-dev,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.6.0-dev,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. -8.6.0-dev,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.6.0-dev,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.6.0-dev,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. 
-8.6.0-dev,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.6.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.6.0-dev,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.6.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.6.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. -8.6.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. -8.6.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. -8.6.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. -8.6.0-dev,true,file,file.hash.sha384,keyword,extended,,,SHA384 hash. -8.6.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. -8.6.0-dev,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.6.0-dev,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. -8.6.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.6.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.6.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. -8.6.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified. -8.6.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.6.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username. -8.6.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.6.0-dev,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.6.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 
-8.6.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.6.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.6.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.6.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.6.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.6.0-dev,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.6.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.6.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. -8.6.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks. -8.6.0-dev,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.6.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -8.6.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.6.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.6.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.6.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.6.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
-8.6.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.6.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.6.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.6.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.6.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.6.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.6.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.6.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.6.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.6.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.6.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.6.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.6.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
-8.6.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.6.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.6.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.6.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.6.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.6.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.6.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.6.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.6.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev,true,group,group.name,keyword,extended,,,Name of the group. -8.6.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. -8.6.0-dev,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id -8.6.0-dev,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -8.6.0-dev,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -8.6.0-dev,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -8.6.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. -8.6.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name. -8.6.0-dev,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. 
-8.6.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. -8.6.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.6.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name. -8.6.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.6.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.6.0-dev,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. -8.6.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.6.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. -8.6.0-dev,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.6.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host. -8.6.0-dev,true,host,host.id,keyword,core,,,Unique host id. -8.6.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. -8.6.0-dev,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. -8.6.0-dev,true,host,host.name,keyword,core,,,Name of the host. -8.6.0-dev,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. -8.6.0-dev,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. -8.6.0-dev,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -8.6.0-dev,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. -8.6.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.6.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 
-8.6.0-dev,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.6.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -8.6.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.6.0-dev,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.6.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.6.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -8.6.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.6.0-dev,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode -8.6.0-dev,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.6.0-dev,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 
-8.6.0-dev,true,host,host.type,keyword,core,,,Type of host. -8.6.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. -8.6.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. -8.6.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. -8.6.0-dev,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body. -8.6.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). -8.6.0-dev,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. -8.6.0-dev,true,http,http.request.method,keyword,extended,,POST,HTTP request method. -8.6.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. -8.6.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. -8.6.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. -8.6.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. -8.6.0-dev,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body. -8.6.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). -8.6.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. -8.6.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code. -8.6.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version. -8.6.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. -8.6.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event. 
-8.6.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. -8.6.0-dev,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event. -8.6.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. -8.6.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. -8.6.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata -8.6.0-dev,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. -8.6.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. -8.6.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. -8.6.0-dev,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. -8.6.0-dev,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. -8.6.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. -8.6.0-dev,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. -8.6.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. -8.6.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. -8.6.0-dev,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages. -8.6.0-dev,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. -8.6.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name. -8.6.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. 
-8.6.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. -8.6.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. -8.6.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. -8.6.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. -8.6.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information -8.6.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.6.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.6.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. -8.6.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions. -8.6.0-dev,true,network,network.protocol,keyword,core,,http,Application protocol name. -8.6.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. -8.6.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" -8.6.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.6.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. 
-8.6.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information -8.6.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias -8.6.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID -8.6.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name -8.6.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.6.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.6.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone -8.6.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. -8.6.0-dev,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. -8.6.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. -8.6.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.6.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. -8.6.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.6.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.6.0-dev,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. -8.6.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.6.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. -8.6.0-dev,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.6.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. 
-8.6.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information -8.6.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias -8.6.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID -8.6.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name -8.6.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.6.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.6.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone -8.6.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. -8.6.0-dev,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. -8.6.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. -8.6.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.6.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.6.0-dev,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.6.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -8.6.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.6.0-dev,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.6.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." 
-8.6.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -8.6.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.6.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. -8.6.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. -8.6.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. -8.6.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. -8.6.0-dev,true,observer,observer.version,keyword,core,,,Observer version. -8.6.0-dev,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action -8.6.0-dev,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster. -8.6.0-dev,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster. -8.6.0-dev,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster. -8.6.0-dev,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. -8.6.0-dev,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. -8.6.0-dev,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). -8.6.0-dev,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. -8.6.0-dev,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. -8.6.0-dev,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. 
-8.6.0-dev,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. -8.6.0-dev,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. -8.6.0-dev,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)." -8.6.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. -8.6.0-dev,true,organization,organization.name,keyword,extended,,,Organization name. -8.6.0-dev,true,organization,organization.name.text,match_only_text,extended,,,Organization name. -8.6.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. -8.6.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information -8.6.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. -8.6.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. -8.6.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." -8.6.0-dev,true,package,package.installed,date,extended,,,Time when package was installed. -8.6.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license -8.6.0-dev,true,package,package.name,keyword,extended,,go,Package name -8.6.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. -8.6.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL -8.6.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes. 
-8.6.0-dev,true,package,package.type,keyword,extended,,rpm,Package type -8.6.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version -8.6.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.6.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. -8.6.0-dev,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.6.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.6.0-dev,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.6.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.6.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.6.0-dev,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.6.0-dev,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.6.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.6.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.6.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.6.0-dev,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
-8.6.0-dev,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.6.0-dev,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.6.0-dev,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.6.0-dev,true,process,process.elf.creation_date,date,extended,,,Build or compile date. -8.6.0-dev,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. -8.6.0-dev,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.6.0-dev,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.6.0-dev,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.6.0-dev,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.6.0-dev,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.6.0-dev,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.6.0-dev,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.6.0-dev,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. -8.6.0-dev,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. -8.6.0-dev,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. -8.6.0-dev,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.6.0-dev,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.6.0-dev,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. 
-8.6.0-dev,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. -8.6.0-dev,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.6.0-dev,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.6.0-dev,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. -8.6.0-dev,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.6.0-dev,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.6.0-dev,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. -8.6.0-dev,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.6.0-dev,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. -8.6.0-dev,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.6.0-dev,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.6.0-dev,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -8.6.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.6.0-dev,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.6.0-dev,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. -8.6.0-dev,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group. -8.6.0-dev,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. 
-8.6.0-dev,true,process,process.entry_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.6.0-dev,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.6.0-dev,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.6.0-dev,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. -8.6.0-dev,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. -8.6.0-dev,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.6.0-dev,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.6.0-dev,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. -8.6.0-dev,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.6.0-dev,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. -8.6.0-dev,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. -8.6.0-dev,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.6.0-dev,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. -8.6.0-dev,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 
-8.6.0-dev,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. -8.6.0-dev,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.6.0-dev,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.6.0-dev,true,process,process.entry_leader.pid,long,core,,4242,Process id. -8.6.0-dev,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. -8.6.0-dev,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -8.6.0-dev,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. -8.6.0-dev,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
-8.6.0-dev,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.6.0-dev,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.6.0-dev,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. -8.6.0-dev,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.6.0-dev,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.6.0-dev,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.6.0-dev,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.6.0-dev,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. -8.6.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.6.0-dev,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.6.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. 
-8.6.0-dev,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.6.0-dev,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. -8.6.0-dev,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.6.0-dev,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.6.0-dev,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.6.0-dev,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.6.0-dev,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.6.0-dev,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. -8.6.0-dev,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.6.0-dev,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. -8.6.0-dev,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. -8.6.0-dev,true,process,process.group_leader.pid,long,core,,4242,Process id. -8.6.0-dev,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. -8.6.0-dev,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
-8.6.0-dev,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -8.6.0-dev,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. -8.6.0-dev,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.6.0-dev,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.6.0-dev,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. -8.6.0-dev,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.6.0-dev,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.6.0-dev,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
-8.6.0-dev,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.6.0-dev,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.6.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. -8.6.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. -8.6.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. -8.6.0-dev,true,process,process.hash.sha384,keyword,extended,,,SHA384 hash. -8.6.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. -8.6.0-dev,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.6.0-dev,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. -8.6.0-dev,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.6.0-dev,true,process,process.name,keyword,extended,,ssh,Process name. -8.6.0-dev,true,process,process.name.text,match_only_text,extended,,ssh,Process name. -8.6.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.6.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. -8.6.0-dev,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.6.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.6.0-dev,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 
-8.6.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.6.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.6.0-dev,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.6.0-dev,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.6.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.6.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.6.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.6.0-dev,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.6.0-dev,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.6.0-dev,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.6.0-dev,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.6.0-dev,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. -8.6.0-dev,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. -8.6.0-dev,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.6.0-dev,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. 
-8.6.0-dev,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.6.0-dev,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.6.0-dev,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.6.0-dev,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.6.0-dev,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.6.0-dev,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. -8.6.0-dev,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. -8.6.0-dev,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. -8.6.0-dev,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.6.0-dev,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.6.0-dev,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.6.0-dev,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. -8.6.0-dev,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.6.0-dev,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.6.0-dev,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. -8.6.0-dev,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.6.0-dev,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. 
-8.6.0-dev,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. -8.6.0-dev,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.6.0-dev,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. -8.6.0-dev,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.6.0-dev,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.6.0-dev,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -8.6.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.6.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.6.0-dev,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.6.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. -8.6.0-dev,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev,true,process,process.parent.group.name,keyword,extended,,,Name of the group. -8.6.0-dev,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.6.0-dev,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. -8.6.0-dev,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.6.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. -8.6.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. -8.6.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. 
-8.6.0-dev,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash. -8.6.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. -8.6.0-dev,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.6.0-dev,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. -8.6.0-dev,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.6.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name. -8.6.0-dev,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. -8.6.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.6.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.6.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.6.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.6.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.6.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.6.0-dev,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.6.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.6.0-dev,true,process,process.parent.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. -8.6.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. 
-8.6.0-dev,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. -8.6.0-dev,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group. -8.6.0-dev,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.6.0-dev,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. -8.6.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. -8.6.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. -8.6.0-dev,true,process,process.parent.title,keyword,extended,,,Process title. -8.6.0-dev,true,process,process.parent.title.text,match_only_text,extended,,,Process title. 
-8.6.0-dev,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. -8.6.0-dev,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.6.0-dev,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.6.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. -8.6.0-dev,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.6.0-dev,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.6.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.6.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.6.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.6.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.6.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.6.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.6.0-dev,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. 
-8.6.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.6.0-dev,true,process,process.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. -8.6.0-dev,true,process,process.pid,long,core,,4242,Process id. -8.6.0-dev,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.6.0-dev,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. -8.6.0-dev,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.6.0-dev,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.6.0-dev,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev,true,process,process.real_group.name,keyword,extended,,,Name of the group. -8.6.0-dev,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev,true,process,process.saved_group.name,keyword,extended,,,Name of the group. -8.6.0-dev,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. 
-8.6.0-dev,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.6.0-dev,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array. -8.6.0-dev,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.6.0-dev,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.6.0-dev,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.6.0-dev,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.6.0-dev,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.6.0-dev,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. -8.6.0-dev,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.6.0-dev,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. -8.6.0-dev,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. -8.6.0-dev,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.6.0-dev,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. 
-8.6.0-dev,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.6.0-dev,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. -8.6.0-dev,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.6.0-dev,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.6.0-dev,true,process,process.session_leader.pid,long,core,,4242,Process id. -8.6.0-dev,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. -8.6.0-dev,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -8.6.0-dev,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group. -8.6.0-dev,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. 
-8.6.0-dev,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.6.0-dev,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.6.0-dev,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. -8.6.0-dev,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.6.0-dev,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.6.0-dev,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.6.0-dev,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.6.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.6.0-dev,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. -8.6.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. 
-8.6.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. -8.6.0-dev,true,process,process.title,keyword,extended,,,Process title. -8.6.0-dev,true,process,process.title.text,match_only_text,extended,,,Process title. -8.6.0-dev,true,process,process.tty,object,extended,,,Information about the controlling TTY device. -8.6.0-dev,true,process,process.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.6.0-dev,true,process,process.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.6.0-dev,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width -8.6.0-dev,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height -8.6.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. -8.6.0-dev,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.6.0-dev,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.6.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.6.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. 
-8.6.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.6.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.6.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -8.6.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.6.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. -8.6.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. -8.6.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. -8.6.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. -8.6.0-dev,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. 
-8.6.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author -8.6.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category -8.6.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description -8.6.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID -8.6.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license -8.6.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name -8.6.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL -8.6.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset -8.6.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID -8.6.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version -8.6.0-dev,true,server,server.address,keyword,extended,,,Server network address. -8.6.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.6.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.6.0-dev,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.6.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. -8.6.0-dev,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server. -8.6.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name. -8.6.0-dev,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. -8.6.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. -8.6.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.6.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name. 
-8.6.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.6.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.6.0-dev,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. -8.6.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.6.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. -8.6.0-dev,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.6.0-dev,true,server,server.ip,ip,core,,,IP address of the server. -8.6.0-dev,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. -8.6.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip -8.6.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port -8.6.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. -8.6.0-dev,true,server,server.port,long,core,,,Port of the server. -8.6.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." -8.6.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. -8.6.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.6.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.6.0-dev,true,server,server.user.email,keyword,extended,,,User email address. -8.6.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.6.0-dev,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.6.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-8.6.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group. -8.6.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.6.0-dev,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,server,server.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev,true,server,server.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev,true,server,server.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.6.0-dev,true,server,server.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev,true,server,server.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev,true,server,server.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -8.6.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.6.0-dev,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. 
-8.6.0-dev,true,service,service.environment,keyword,extended,,production,Environment of the service. -8.6.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.6.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.6.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. -8.6.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.6.0-dev,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.6.0-dev,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -8.6.0-dev,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.6.0-dev,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. -8.6.0-dev,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.6.0-dev,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.6.0-dev,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. -8.6.0-dev,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.6.0-dev,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.6.0-dev,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -8.6.0-dev,true,service,service.origin.state,keyword,core,,,Current state of the service. -8.6.0-dev,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. 
-8.6.0-dev,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. -8.6.0-dev,true,service,service.state,keyword,core,,,Current state of the service. -8.6.0-dev,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.6.0-dev,true,service,service.target.environment,keyword,extended,,production,Environment of the service. -8.6.0-dev,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.6.0-dev,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.6.0-dev,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. -8.6.0-dev,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.6.0-dev,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.6.0-dev,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -8.6.0-dev,true,service,service.target.state,keyword,core,,,Current state of the service. -8.6.0-dev,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. -8.6.0-dev,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. -8.6.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service. -8.6.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service. -8.6.0-dev,true,source,source.address,keyword,extended,,,Source network address. -8.6.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.6.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.6.0-dev,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. 
-8.6.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. -8.6.0-dev,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source. -8.6.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name. -8.6.0-dev,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. -8.6.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. -8.6.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.6.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name. -8.6.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.6.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.6.0-dev,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. -8.6.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.6.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. -8.6.0-dev,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.6.0-dev,true,source,source.ip,ip,core,,,IP address of the source. -8.6.0-dev,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. -8.6.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip -8.6.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port -8.6.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. -8.6.0-dev,true,source,source.port,long,core,,,Port of the source. -8.6.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -8.6.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. 
-8.6.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.6.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.6.0-dev,true,source,source.user.email,keyword,extended,,,User email address. -8.6.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.6.0-dev,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.6.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.6.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group. -8.6.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.6.0-dev,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,source,source.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev,true,source,source.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev,true,source,source.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 
-8.6.0-dev,true,source,source.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev,true,source,source.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev,true,source,source.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -8.6.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.6.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. -8.6.0-dev,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. -8.6.0-dev,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. -8.6.0-dev,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.6.0-dev,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.6.0-dev,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.6.0-dev,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating -8.6.0-dev,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -8.6.0-dev,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address -8.6.0-dev,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. 
-8.6.0-dev,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.6.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. 
-8.6.0-dev,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. 
-8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. 
-8.6.0-dev,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.6.0-dev,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.6.0-dev,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. 
-8.6.0-dev,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.6.0-dev,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.6.0-dev,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.6.0-dev,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.6.0-dev,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.6.0-dev,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.6.0-dev,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.6.0-dev,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. 
-8.6.0-dev,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -8.6.0-dev,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.6.0-dev,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
-8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.6.0-dev,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.6.0-dev,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. -8.6.0-dev,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. -8.6.0-dev,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. -8.6.0-dev,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. -8.6.0-dev,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.6.0-dev,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. -8.6.0-dev,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
-8.6.0-dev,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.6.0-dev,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. -8.6.0-dev,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.6.0-dev,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. -8.6.0-dev,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.6.0-dev,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address -8.6.0-dev,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. -8.6.0-dev,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,WHITE,Indicator TLP marking -8.6.0-dev,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. -8.6.0-dev,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port -8.6.0-dev,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider -8.6.0-dev,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL -8.6.0-dev,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.6.0-dev,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. 
-8.6.0-dev,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.6.0-dev,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.6.0-dev,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -8.6.0-dev,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.6.0-dev,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. -8.6.0-dev,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics -8.6.0-dev,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed -8.6.0-dev,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator -8.6.0-dev,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.6.0-dev,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -8.6.0-dev,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.6.0-dev,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.6.0-dev,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. 
-8.6.0-dev,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.6.0-dev,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.6.0-dev,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. -8.6.0-dev,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.6.0-dev,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." -8.6.0-dev,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. -8.6.0-dev,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.6.0-dev,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. -8.6.0-dev,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.6.0-dev,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.6.0-dev,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. -8.6.0-dev,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.6.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
-8.6.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.6.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.6.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.6.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.6.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.6.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.6.0-dev,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.6.0-dev,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.6.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.6.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.6.0-dev,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.6.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. 
-8.6.0-dev,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.6.0-dev,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.6.0-dev,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.6.0-dev,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.6.0-dev,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.6.0-dev,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.6.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.6.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.6.0-dev,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.6.0-dev,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. 
-8.6.0-dev,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value -8.6.0-dev,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field -8.6.0-dev,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier -8.6.0-dev,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index -8.6.0-dev,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05T17:00:58.326Z,Date of match -8.6.0-dev,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match -8.6.0-dev,true,threat,threat.feed.dashboard_id,keyword,extended,,5ba16340-72e6-11eb-a3e3-b3cc7c78a70f,Feed dashboard ID. -8.6.0-dev,true,threat,threat.feed.description,keyword,extended,,Threat feed from the AlienVault Open Threat eXchange network.,Description of the threat feed. -8.6.0-dev,true,threat,threat.feed.name,keyword,extended,,AlienVault OTX,Name of the threat feed. -8.6.0-dev,true,threat,threat.feed.reference,keyword,extended,,https://otx.alienvault.com,Reference for the threat feed. -8.6.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. -8.6.0-dev,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. -8.6.0-dev,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. -8.6.0-dev,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. -8.6.0-dev,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. -8.6.0-dev,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.6.0-dev,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. 
-8.6.0-dev,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.6.0-dev,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating -8.6.0-dev,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -8.6.0-dev,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address -8.6.0-dev,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. -8.6.0-dev,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.6.0-dev,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.6.0-dev,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.6.0-dev,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.6.0-dev,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.6.0-dev,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.6.0-dev,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.6.0-dev,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.6.0-dev,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 
-8.6.0-dev,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.6.0-dev,true,threat,threat.indicator.file.created,date,extended,,,File creation time. -8.6.0-dev,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.6.0-dev,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. -8.6.0-dev,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.6.0-dev,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.6.0-dev,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.6.0-dev,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.6.0-dev,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.6.0-dev,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. -8.6.0-dev,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.6.0-dev,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.6.0-dev,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.6.0-dev,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.6.0-dev,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.6.0-dev,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." 
-8.6.0-dev,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.6.0-dev,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.6.0-dev,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.6.0-dev,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. -8.6.0-dev,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. -8.6.0-dev,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.6.0-dev,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.6.0-dev,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.6.0-dev,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.6.0-dev,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.6.0-dev,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.6.0-dev,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.6.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.6.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.6.0-dev,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. -8.6.0-dev,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.6.0-dev,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. 
-8.6.0-dev,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.6.0-dev,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.6.0-dev,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.6.0-dev,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.6.0-dev,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.6.0-dev,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. -8.6.0-dev,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. -8.6.0-dev,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.6.0-dev,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.6.0-dev,true,threat,threat.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.6.0-dev,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. -8.6.0-dev,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.6.0-dev,true,threat,threat.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.6.0-dev,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.6.0-dev,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.6.0-dev,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. -8.6.0-dev,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. -8.6.0-dev,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." 
-8.6.0-dev,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. -8.6.0-dev,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.6.0-dev,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.6.0-dev,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.6.0-dev,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.6.0-dev,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.6.0-dev,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.6.0-dev,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.6.0-dev,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.6.0-dev,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.6.0-dev,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.6.0-dev,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. -8.6.0-dev,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. -8.6.0-dev,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.6.0-dev,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." 
-8.6.0-dev,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.6.0-dev,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.6.0-dev,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.6.0-dev,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.6.0-dev,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.6.0-dev,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.6.0-dev,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.6.0-dev,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.6.0-dev,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.6.0-dev,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.6.0-dev,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.6.0-dev,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. 
-8.6.0-dev,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.6.0-dev,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.6.0-dev,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.6.0-dev,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.6.0-dev,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.6.0-dev,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.6.0-dev,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.6.0-dev,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.6.0-dev,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.6.0-dev,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.6.0-dev,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.6.0-dev,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.6.0-dev,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. 
-8.6.0-dev,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. -8.6.0-dev,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. -8.6.0-dev,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. -8.6.0-dev,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. -8.6.0-dev,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.6.0-dev,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. -8.6.0-dev,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.6.0-dev,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.6.0-dev,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. -8.6.0-dev,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.6.0-dev,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. -8.6.0-dev,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.6.0-dev,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address -8.6.0-dev,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. -8.6.0-dev,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking -8.6.0-dev,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. 
-8.6.0-dev,true,threat,threat.indicator.port,long,extended,,443,Indicator port -8.6.0-dev,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider -8.6.0-dev,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL -8.6.0-dev,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.6.0-dev,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -8.6.0-dev,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.6.0-dev,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.6.0-dev,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -8.6.0-dev,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.6.0-dev,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. -8.6.0-dev,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics -8.6.0-dev,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed -8.6.0-dev,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator -8.6.0-dev,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.6.0-dev,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." 
-8.6.0-dev,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.6.0-dev,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.6.0-dev,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.6.0-dev,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.6.0-dev,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.6.0-dev,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. -8.6.0-dev,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.6.0-dev,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." -8.6.0-dev,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. -8.6.0-dev,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.6.0-dev,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. -8.6.0-dev,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.6.0-dev,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.6.0-dev,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. -8.6.0-dev,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
-8.6.0-dev,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.6.0-dev,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.6.0-dev,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.6.0-dev,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.6.0-dev,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.6.0-dev,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.6.0-dev,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.6.0-dev,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.6.0-dev,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.6.0-dev,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.6.0-dev,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.6.0-dev,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. 
-8.6.0-dev,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.6.0-dev,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.6.0-dev,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.6.0-dev,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.6.0-dev,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.6.0-dev,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.6.0-dev,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.6.0-dev,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.6.0-dev,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.6.0-dev,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.6.0-dev,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. -8.6.0-dev,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software -8.6.0-dev,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software -8.6.0-dev,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. -8.6.0-dev,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. 
-8.6.0-dev,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. -8.6.0-dev,true,threat,threat.software.type,keyword,extended,,Tool,Software type. -8.6.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. -8.6.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. -8.6.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. -8.6.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. -8.6.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. -8.6.0-dev,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name. -8.6.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. -8.6.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. -8.6.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. -8.6.0-dev,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name. -8.6.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. -8.6.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. -8.6.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. 
-8.6.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. -8.6.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. -8.6.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. -8.6.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. -8.6.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. -8.6.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. -8.6.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. -8.6.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. -8.6.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. -8.6.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. 
-8.6.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. -8.6.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.6.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.6.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.6.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.6.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.6.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.6.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.6.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.6.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.6.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.6.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.6.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. 
This is algorithm specific. -8.6.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.6.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.6.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.6.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.6.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.6.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.6.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.6.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.6.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.6.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.6.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.6.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. -8.6.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." -8.6.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. 
-8.6.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. -8.6.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -8.6.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. -8.6.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. -8.6.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. -8.6.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. -8.6.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. -8.6.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. -8.6.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. -8.6.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. -8.6.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. 
-8.6.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. -8.6.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.6.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.6.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.6.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.6.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.6.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.6.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.6.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.6.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.6.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.6.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.6.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. 
-8.6.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.6.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.6.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.6.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.6.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.6.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.6.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.6.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.6.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.6.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.6.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.6.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. -8.6.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. -8.6.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. -8.6.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. 
-8.6.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. -8.6.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.6.0-dev,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -8.6.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.6.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.6.0-dev,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.6.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.6.0-dev,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.6.0-dev,true,url,url.password,keyword,extended,,,Password of the request. -8.6.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.6.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443." -8.6.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. -8.6.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.6.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. -8.6.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.6.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.6.0-dev,true,url,url.username,keyword,extended,,,Username of the request. 
-8.6.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. -8.6.0-dev,true,user,user.changes.email,keyword,extended,,,User email address. -8.6.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.6.0-dev,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.6.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.6.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group. -8.6.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.6.0-dev,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,user,user.changes.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev,true,user,user.changes.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev,true,user,user.changes.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.6.0-dev,true,user,user.changes.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 
-8.6.0-dev,true,user,user.changes.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev,true,user,user.changes.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -8.6.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.6.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.6.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. -8.6.0-dev,true,user,user.effective.email,keyword,extended,,,User email address. -8.6.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.6.0-dev,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.6.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.6.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group. -8.6.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.6.0-dev,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
-8.6.0-dev,true,user,user.effective.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev,true,user,user.effective.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev,true,user,user.effective.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.6.0-dev,true,user,user.effective.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev,true,user,user.effective.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev,true,user,user.effective.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -8.6.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.6.0-dev,true,user,user.email,keyword,extended,,,User email address. -8.6.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.6.0-dev,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.6.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.6.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group. -8.6.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
-8.6.0-dev,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev,true,user,user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.6.0-dev,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev,true,user,user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -8.6.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.6.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. -8.6.0-dev,true,user,user.target.email,keyword,extended,,,User email address. -8.6.0-dev,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.6.0-dev,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.6.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-8.6.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.6.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group. -8.6.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.6.0-dev,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.6.0-dev,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.6.0-dev,true,user,user.target.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev,true,user,user.target.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev,true,user,user.target.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.6.0-dev,true,user,user.target.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev,true,user,user.target.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev,true,user,user.target.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -8.6.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.6.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. 
-8.6.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. -8.6.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -8.6.0-dev,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -8.6.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.6.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.6.0-dev,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.6.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -8.6.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.6.0-dev,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.6.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.6.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -8.6.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.6.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. -8.6.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. 
-8.6.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. -8.6.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -8.6.0-dev,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -8.6.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. -8.6.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. -8.6.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. -8.6.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. -8.6.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. -8.6.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. -8.6.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. -8.6.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. -8.6.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. -8.6.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. +8.7.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. +8.7.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. +8.7.0-dev,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer. 
+8.7.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. +8.7.0-dev,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. +8.7.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. +8.7.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. +8.7.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. +8.7.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. +8.7.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. +8.7.0-dev,true,client,client.address,keyword,extended,,,Client network address. +8.7.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.7.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.7.0-dev,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.7.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. +8.7.0-dev,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client. +8.7.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name. +8.7.0-dev,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. +8.7.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. +8.7.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.7.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name. +8.7.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
+8.7.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.7.0-dev,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. +8.7.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.7.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. +8.7.0-dev,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.7.0-dev,true,client,client.ip,ip,core,,,IP address of the client. +8.7.0-dev,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. +8.7.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address +8.7.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port +8.7.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. +8.7.0-dev,true,client,client.port,long,core,,,Port of the client. +8.7.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." +8.7.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. +8.7.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.7.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.7.0-dev,true,client,client.user.email,keyword,extended,,,User email address. +8.7.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.7.0-dev,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.7.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.7.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+8.7.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group. +8.7.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.7.0-dev,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,client,client.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.7.0-dev,true,client,client.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.7.0-dev,true,client,client.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.7.0-dev,true,client,client.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.7.0-dev,true,client,client.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.7.0-dev,true,client,client.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +8.7.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.7.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. +8.7.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. 
+8.7.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +8.7.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +8.7.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. +8.7.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +8.7.0-dev,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. +8.7.0-dev,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. +8.7.0-dev,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +8.7.0-dev,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +8.7.0-dev,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine. +8.7.0-dev,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +8.7.0-dev,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id. +8.7.0-dev,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name. +8.7.0-dev,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider. +8.7.0-dev,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +8.7.0-dev,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name. +8.7.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. +8.7.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. +8.7.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. 
+8.7.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +8.7.0-dev,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. +8.7.0-dev,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id. +8.7.0-dev,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name. +8.7.0-dev,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +8.7.0-dev,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +8.7.0-dev,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine. +8.7.0-dev,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +8.7.0-dev,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id. +8.7.0-dev,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name. +8.7.0-dev,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider. +8.7.0-dev,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +8.7.0-dev,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name. +8.7.0-dev,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +8.7.0-dev,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +8.7.0-dev,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +8.7.0-dev,true,container,container.id,keyword,core,,,Unique container id. 
+8.7.0-dev,true,container,container.image.hash.all,keyword,extended,array,[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26],An array of digests of the image the container was built on. +8.7.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. +8.7.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags. +8.7.0-dev,true,container,container.labels,object,extended,,,Image labels. +8.7.0-dev,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1." +8.7.0-dev,true,container,container.name,keyword,extended,,,Container name. +8.7.0-dev,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +8.7.0-dev,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +8.7.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. +8.7.0-dev,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. +8.7.0-dev,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. +8.7.0-dev,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. +8.7.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address. +8.7.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.7.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.7.0-dev,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. 
+8.7.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. +8.7.0-dev,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination. +8.7.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. +8.7.0-dev,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. +8.7.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. +8.7.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.7.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. +8.7.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.7.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.7.0-dev,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. +8.7.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.7.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. +8.7.0-dev,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.7.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. +8.7.0-dev,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. +8.7.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip +8.7.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port +8.7.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. +8.7.0-dev,true,destination,destination.port,long,core,,,Port of the destination. 
+8.7.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." +8.7.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. +8.7.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.7.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.7.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address. +8.7.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.7.0-dev,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.7.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.7.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. +8.7.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.7.0-dev,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,destination,destination.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
+8.7.0-dev,true,destination,destination.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.7.0-dev,true,destination,destination.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.7.0-dev,true,destination,destination.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.7.0-dev,true,destination,destination.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.7.0-dev,true,destination,destination.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +8.7.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.7.0-dev,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. +8.7.0-dev,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. +8.7.0-dev,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. +8.7.0-dev,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. +8.7.0-dev,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.7.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.7.0-dev,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 
+8.7.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.7.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.7.0-dev,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.7.0-dev,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.7.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.7.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.7.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. +8.7.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. +8.7.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. +8.7.0-dev,true,dll,dll.hash.sha384,keyword,extended,,,SHA384 hash. +8.7.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. +8.7.0-dev,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.7.0-dev,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. +8.7.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. +8.7.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. +8.7.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.7.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.7.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.7.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 
+8.7.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.7.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.7.0-dev,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.7.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.7.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. +8.7.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. +8.7.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. +8.7.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. +8.7.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. +8.7.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. +8.7.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. +8.7.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. +8.7.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. +8.7.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. +8.7.0-dev,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. +8.7.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." 
+8.7.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. +8.7.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.7.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. +8.7.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data +8.7.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. +8.7.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." +8.7.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. +8.7.0-dev,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. +8.7.0-dev,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. +8.7.0-dev,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. +8.7.0-dev,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. +8.7.0-dev,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. +8.7.0-dev,true,email,email.attachments.file.hash.sha384,keyword,extended,,,SHA384 hash. +8.7.0-dev,true,email,email.attachments.file.hash.sha512,keyword,extended,,,SHA512 hash. +8.7.0-dev,true,email,email.attachments.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.7.0-dev,true,email,email.attachments.file.hash.tlsh,keyword,extended,,,TLSH hash. +8.7.0-dev,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file. +8.7.0-dev,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file. +8.7.0-dev,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size. 
+8.7.0-dev,true,email,email.bcc.address,keyword,extended,array,bcc.user1@example.com,Email address of BCC recipient +8.7.0-dev,true,email,email.cc.address,keyword,extended,array,cc.user1@example.com,Email address of CC recipient +8.7.0-dev,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message. +8.7.0-dev,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered. +8.7.0-dev,true,email,email.direction,keyword,extended,,inbound,Direction of the message. +8.7.0-dev,true,email,email.from.address,keyword,extended,array,sender@example.com,The sender's email address. +8.7.0-dev,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source. +8.7.0-dev,true,email,email.message_id,wildcard,extended,,81ce15$8r2j59@mail01.example.com,Value from the Message-ID header. +8.7.0-dev,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed. +8.7.0-dev,true,email,email.reply_to.address,keyword,extended,array,reply.here@example.com,Address replies should be delivered to. +8.7.0-dev,true,email,email.sender.address,keyword,extended,,,Address of the message sender. +8.7.0-dev,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message. +8.7.0-dev,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. +8.7.0-dev,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient +8.7.0-dev,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. +8.7.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. +8.7.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. +8.7.0-dev,true,error,error.message,match_only_text,core,,,Error message. 
+8.7.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. +8.7.0-dev,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text. +8.7.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." +8.7.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. +8.7.0-dev,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. +8.7.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. +8.7.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event. +8.7.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. +8.7.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. +8.7.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. +8.7.0-dev,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. +8.7.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +8.7.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. +8.7.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. +8.7.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. +8.7.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. 
+8.7.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +8.7.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. +8.7.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. +8.7.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" +8.7.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL +8.7.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +8.7.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). +8.7.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event. +8.7.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event. +8.7.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. +8.7.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone. +8.7.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. +8.7.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL +8.7.0-dev,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function. +8.7.0-dev,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. 
+8.7.0-dev,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. +8.7.0-dev,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. +8.7.0-dev,true,faas,faas.trigger,nested,extended,,,Details about the function trigger. +8.7.0-dev,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." +8.7.0-dev,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. +8.7.0-dev,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. +8.7.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. +8.7.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +8.7.0-dev,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.7.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.7.0-dev,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.7.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.7.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.7.0-dev,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.7.0-dev,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.7.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 
+8.7.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.7.0-dev,true,file,file.created,date,extended,,,File creation time. +8.7.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. +8.7.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. +8.7.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. +8.7.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +8.7.0-dev,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.7.0-dev,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.7.0-dev,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.7.0-dev,true,file,file.elf.creation_date,date,extended,,,Build or compile date. +8.7.0-dev,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. +8.7.0-dev,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.7.0-dev,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.7.0-dev,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.7.0-dev,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.7.0-dev,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.7.0-dev,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.7.0-dev,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.7.0-dev,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. 
+8.7.0-dev,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. +8.7.0-dev,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. +8.7.0-dev,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.7.0-dev,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.7.0-dev,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.7.0-dev,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. +8.7.0-dev,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.7.0-dev,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.7.0-dev,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.7.0-dev,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.7.0-dev,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.7.0-dev,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. +8.7.0-dev,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.7.0-dev,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. +8.7.0-dev,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.7.0-dev,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.7.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +8.7.0-dev,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +8.7.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +8.7.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. 
+8.7.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. +8.7.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. +8.7.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. +8.7.0-dev,true,file,file.hash.sha384,keyword,extended,,,SHA384 hash. +8.7.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. +8.7.0-dev,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.7.0-dev,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. +8.7.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +8.7.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +8.7.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. +8.7.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified. +8.7.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +8.7.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username. +8.7.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.7.0-dev,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.7.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.7.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.7.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.7.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.7.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. 
+8.7.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.7.0-dev,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.7.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.7.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. +8.7.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks. +8.7.0-dev,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. +8.7.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +8.7.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +8.7.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.7.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.7.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.7.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.7.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.7.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.7.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+8.7.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.7.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.7.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.7.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.7.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.7.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.7.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.7.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.7.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.7.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.7.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.7.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.7.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.7.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. 
+8.7.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.7.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.7.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. +8.7.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.7.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev,true,group,group.name,keyword,extended,,,Name of the group. +8.7.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. +8.7.0-dev,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id +8.7.0-dev,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +8.7.0-dev,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +8.7.0-dev,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +8.7.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. +8.7.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name. +8.7.0-dev,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. +8.7.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. +8.7.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.7.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name. +8.7.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.7.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.7.0-dev,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. 
+8.7.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.7.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. +8.7.0-dev,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.7.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host. +8.7.0-dev,true,host,host.id,keyword,core,,,Unique host id. +8.7.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. +8.7.0-dev,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. +8.7.0-dev,true,host,host.name,keyword,core,,,Name of the host. +8.7.0-dev,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +8.7.0-dev,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. +8.7.0-dev,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +8.7.0-dev,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. +8.7.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +8.7.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.7.0-dev,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.7.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +8.7.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +8.7.0-dev,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +8.7.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." 
+8.7.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +8.7.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +8.7.0-dev,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode +8.7.0-dev,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.7.0-dev,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.7.0-dev,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.7.0-dev,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.7.0-dev,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.7.0-dev,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +8.7.0-dev,true,host,host.type,keyword,core,,,Type of host. +8.7.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. +8.7.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. +8.7.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. +8.7.0-dev,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body. +8.7.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). 
+8.7.0-dev,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. +8.7.0-dev,true,http,http.request.method,keyword,extended,,POST,HTTP request method. +8.7.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. +8.7.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. +8.7.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. +8.7.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. +8.7.0-dev,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body. +8.7.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). +8.7.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. +8.7.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code. +8.7.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version. +8.7.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. +8.7.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event. +8.7.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. +8.7.0-dev,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event. +8.7.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. +8.7.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. +8.7.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata +8.7.0-dev,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. 
+8.7.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. +8.7.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. +8.7.0-dev,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. +8.7.0-dev,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. +8.7.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. +8.7.0-dev,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. +8.7.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. +8.7.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. +8.7.0-dev,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages. +8.7.0-dev,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. +8.7.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name. +8.7.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. +8.7.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. +8.7.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. +8.7.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. +8.7.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. +8.7.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information +8.7.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. 
+8.7.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.7.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. +8.7.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions. +8.7.0-dev,true,network,network.protocol,keyword,core,,http,Application protocol name. +8.7.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. +8.7.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" +8.7.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.7.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.7.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information +8.7.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias +8.7.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID +8.7.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name +8.7.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.7.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.7.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone +8.7.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. +8.7.0-dev,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. +8.7.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. +8.7.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. 
+8.7.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. +8.7.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.7.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.7.0-dev,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. +8.7.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.7.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. +8.7.0-dev,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.7.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. +8.7.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information +8.7.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias +8.7.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID +8.7.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name +8.7.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.7.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.7.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone +8.7.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. +8.7.0-dev,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. +8.7.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. +8.7.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 
+8.7.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.7.0-dev,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.7.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +8.7.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +8.7.0-dev,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +8.7.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +8.7.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +8.7.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +8.7.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. +8.7.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. +8.7.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. +8.7.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. +8.7.0-dev,true,observer,observer.version,keyword,core,,,Observer version. +8.7.0-dev,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action +8.7.0-dev,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster. +8.7.0-dev,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster. +8.7.0-dev,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster. 
+8.7.0-dev,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. +8.7.0-dev,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. +8.7.0-dev,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). +8.7.0-dev,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. +8.7.0-dev,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. +8.7.0-dev,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. +8.7.0-dev,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. +8.7.0-dev,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. +8.7.0-dev,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)." +8.7.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. +8.7.0-dev,true,organization,organization.name,keyword,extended,,,Organization name. +8.7.0-dev,true,organization,organization.name.text,match_only_text,extended,,,Organization name. +8.7.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. +8.7.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information +8.7.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. 
+8.7.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. +8.7.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." +8.7.0-dev,true,package,package.installed,date,extended,,,Time when package was installed. +8.7.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license +8.7.0-dev,true,package,package.name,keyword,extended,,go,Package name +8.7.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. +8.7.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL +8.7.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes. +8.7.0-dev,true,package,package.type,keyword,extended,,rpm,Package type +8.7.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version +8.7.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.7.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. +8.7.0-dev,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.7.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.7.0-dev,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.7.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
+8.7.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.7.0-dev,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.7.0-dev,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.7.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.7.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.7.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.7.0-dev,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.7.0-dev,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.7.0-dev,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.7.0-dev,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.7.0-dev,true,process,process.elf.creation_date,date,extended,,,Build or compile date. +8.7.0-dev,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. +8.7.0-dev,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.7.0-dev,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.7.0-dev,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.7.0-dev,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. 
+8.7.0-dev,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.7.0-dev,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.7.0-dev,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.7.0-dev,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. +8.7.0-dev,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. +8.7.0-dev,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. +8.7.0-dev,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.7.0-dev,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.7.0-dev,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.7.0-dev,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. +8.7.0-dev,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.7.0-dev,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.7.0-dev,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. +8.7.0-dev,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.7.0-dev,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.7.0-dev,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. +8.7.0-dev,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.7.0-dev,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. +8.7.0-dev,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. 
+8.7.0-dev,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.7.0-dev,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +8.7.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.7.0-dev,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.7.0-dev,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. +8.7.0-dev,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group. +8.7.0-dev,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,process,process.entry_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.7.0-dev,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.7.0-dev,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.7.0-dev,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. +8.7.0-dev,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. +8.7.0-dev,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 
+8.7.0-dev,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.7.0-dev,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. +8.7.0-dev,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.7.0-dev,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. +8.7.0-dev,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. +8.7.0-dev,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.7.0-dev,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. +8.7.0-dev,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.7.0-dev,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. +8.7.0-dev,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.7.0-dev,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.7.0-dev,true,process,process.entry_leader.pid,long,core,,4242,Process id. +8.7.0-dev,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. +8.7.0-dev,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. 
+8.7.0-dev,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +8.7.0-dev,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. +8.7.0-dev,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.7.0-dev,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +8.7.0-dev,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. +8.7.0-dev,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.7.0-dev,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.7.0-dev,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. 
+8.7.0-dev,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.7.0-dev,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.7.0-dev,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. +8.7.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.7.0-dev,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.7.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. +8.7.0-dev,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.7.0-dev,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. +8.7.0-dev,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.7.0-dev,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.7.0-dev,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.7.0-dev,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.7.0-dev,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.7.0-dev,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+8.7.0-dev,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. +8.7.0-dev,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.7.0-dev,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. +8.7.0-dev,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. +8.7.0-dev,true,process,process.group_leader.pid,long,core,,4242,Process id. +8.7.0-dev,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. +8.7.0-dev,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +8.7.0-dev,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. +8.7.0-dev,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
+8.7.0-dev,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.7.0-dev,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +8.7.0-dev,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. +8.7.0-dev,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.7.0-dev,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.7.0-dev,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.7.0-dev,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.7.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. +8.7.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. +8.7.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. +8.7.0-dev,true,process,process.hash.sha384,keyword,extended,,,SHA384 hash. +8.7.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. +8.7.0-dev,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.7.0-dev,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. 
+8.7.0-dev,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.7.0-dev,true,process,process.name,keyword,extended,,ssh,Process name. +8.7.0-dev,true,process,process.name.text,match_only_text,extended,,ssh,Process name. +8.7.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.7.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. +8.7.0-dev,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.7.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.7.0-dev,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.7.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.7.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.7.0-dev,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.7.0-dev,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.7.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.7.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.7.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
+8.7.0-dev,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.7.0-dev,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.7.0-dev,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.7.0-dev,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.7.0-dev,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. +8.7.0-dev,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. +8.7.0-dev,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.7.0-dev,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.7.0-dev,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.7.0-dev,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.7.0-dev,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.7.0-dev,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.7.0-dev,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.7.0-dev,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. +8.7.0-dev,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. +8.7.0-dev,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. +8.7.0-dev,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. 
+8.7.0-dev,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.7.0-dev,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.7.0-dev,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. +8.7.0-dev,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.7.0-dev,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.7.0-dev,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. +8.7.0-dev,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.7.0-dev,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.7.0-dev,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. +8.7.0-dev,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.7.0-dev,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. +8.7.0-dev,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.7.0-dev,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.7.0-dev,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +8.7.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.7.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.7.0-dev,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 
+8.7.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. +8.7.0-dev,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev,true,process,process.parent.group.name,keyword,extended,,,Name of the group. +8.7.0-dev,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.7.0-dev,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. +8.7.0-dev,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.7.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. +8.7.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. +8.7.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. +8.7.0-dev,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash. +8.7.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. +8.7.0-dev,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.7.0-dev,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. +8.7.0-dev,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.7.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name. +8.7.0-dev,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. +8.7.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.7.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.7.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 
+8.7.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.7.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.7.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.7.0-dev,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.7.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.7.0-dev,true,process,process.parent.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. +8.7.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. +8.7.0-dev,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. +8.7.0-dev,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group. +8.7.0-dev,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
+8.7.0-dev,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.7.0-dev,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. +8.7.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. +8.7.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. +8.7.0-dev,true,process,process.parent.title,keyword,extended,,,Process title. +8.7.0-dev,true,process,process.parent.title.text,match_only_text,extended,,,Process title. +8.7.0-dev,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. +8.7.0-dev,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.7.0-dev,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.7.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. +8.7.0-dev,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. 
+8.7.0-dev,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.7.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.7.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.7.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.7.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.7.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.7.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.7.0-dev,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.7.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.7.0-dev,true,process,process.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. +8.7.0-dev,true,process,process.pid,long,core,,4242,Process id. +8.7.0-dev,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.7.0-dev,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. +8.7.0-dev,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.7.0-dev,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 
+8.7.0-dev,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev,true,process,process.real_group.name,keyword,extended,,,Name of the group. +8.7.0-dev,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev,true,process,process.saved_group.name,keyword,extended,,,Name of the group. +8.7.0-dev,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.7.0-dev,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array. +8.7.0-dev,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.7.0-dev,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.7.0-dev,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.7.0-dev,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 
+8.7.0-dev,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.7.0-dev,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. +8.7.0-dev,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.7.0-dev,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. +8.7.0-dev,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. +8.7.0-dev,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.7.0-dev,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. +8.7.0-dev,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.7.0-dev,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. +8.7.0-dev,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.7.0-dev,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.7.0-dev,true,process,process.session_leader.pid,long,core,,4242,Process id. +8.7.0-dev,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. +8.7.0-dev,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
+8.7.0-dev,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +8.7.0-dev,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group. +8.7.0-dev,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.7.0-dev,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +8.7.0-dev,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. +8.7.0-dev,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.7.0-dev,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.7.0-dev,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
+8.7.0-dev,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.7.0-dev,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.7.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.7.0-dev,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. +8.7.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. +8.7.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. +8.7.0-dev,true,process,process.title,keyword,extended,,,Process title. +8.7.0-dev,true,process,process.title.text,match_only_text,extended,,,Process title. +8.7.0-dev,true,process,process.tty,object,extended,,,Information about the controlling TTY device. +8.7.0-dev,true,process,process.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.7.0-dev,true,process,process.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.7.0-dev,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width +8.7.0-dev,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height +8.7.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. +8.7.0-dev,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
+8.7.0-dev,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.7.0-dev,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.7.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +8.7.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +8.7.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +8.7.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +8.7.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +8.7.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +8.7.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. +8.7.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. +8.7.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. +8.7.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. +8.7.0-dev,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. 
+8.7.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author +8.7.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category +8.7.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description +8.7.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID +8.7.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license +8.7.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name +8.7.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL +8.7.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset +8.7.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID +8.7.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version +8.7.0-dev,true,server,server.address,keyword,extended,,,Server network address. +8.7.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.7.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.7.0-dev,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.7.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. +8.7.0-dev,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server. +8.7.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name. +8.7.0-dev,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. +8.7.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. +8.7.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.7.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name. 
+8.7.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.7.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.7.0-dev,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. +8.7.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.7.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. +8.7.0-dev,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.7.0-dev,true,server,server.ip,ip,core,,,IP address of the server. +8.7.0-dev,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. +8.7.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip +8.7.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port +8.7.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. +8.7.0-dev,true,server,server.port,long,core,,,Port of the server. +8.7.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." +8.7.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. +8.7.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.7.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.7.0-dev,true,server,server.user.email,keyword,extended,,,User email address. +8.7.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.7.0-dev,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.7.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+8.7.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group. +8.7.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.7.0-dev,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,server,server.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.7.0-dev,true,server,server.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.7.0-dev,true,server,server.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.7.0-dev,true,server,server.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.7.0-dev,true,server,server.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.7.0-dev,true,server,server.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +8.7.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.7.0-dev,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. 
+8.7.0-dev,true,service,service.environment,keyword,extended,,production,Environment of the service. +8.7.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +8.7.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +8.7.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. +8.7.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. +8.7.0-dev,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +8.7.0-dev,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +8.7.0-dev,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. +8.7.0-dev,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. +8.7.0-dev,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +8.7.0-dev,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +8.7.0-dev,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. +8.7.0-dev,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. +8.7.0-dev,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +8.7.0-dev,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +8.7.0-dev,true,service,service.origin.state,keyword,core,,,Current state of the service. +8.7.0-dev,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. 
+8.7.0-dev,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. +8.7.0-dev,true,service,service.state,keyword,core,,,Current state of the service. +8.7.0-dev,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service. +8.7.0-dev,true,service,service.target.environment,keyword,extended,,production,Environment of the service. +8.7.0-dev,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +8.7.0-dev,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +8.7.0-dev,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. +8.7.0-dev,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. +8.7.0-dev,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +8.7.0-dev,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +8.7.0-dev,true,service,service.target.state,keyword,core,,,Current state of the service. +8.7.0-dev,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. +8.7.0-dev,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. +8.7.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service. +8.7.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service. +8.7.0-dev,true,source,source.address,keyword,extended,,,Source network address. +8.7.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.7.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.7.0-dev,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. 
+8.7.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. +8.7.0-dev,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source. +8.7.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name. +8.7.0-dev,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. +8.7.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. +8.7.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.7.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name. +8.7.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.7.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.7.0-dev,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. +8.7.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.7.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. +8.7.0-dev,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.7.0-dev,true,source,source.ip,ip,core,,,IP address of the source. +8.7.0-dev,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +8.7.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip +8.7.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port +8.7.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. +8.7.0-dev,true,source,source.port,long,core,,,Port of the source. +8.7.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +8.7.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. 
+8.7.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.7.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.7.0-dev,true,source,source.user.email,keyword,extended,,,User email address. +8.7.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.7.0-dev,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.7.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.7.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group. +8.7.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.7.0-dev,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,source,source.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.7.0-dev,true,source,source.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.7.0-dev,true,source,source.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 
+8.7.0-dev,true,source,source.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.7.0-dev,true,source,source.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.7.0-dev,true,source,source.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +8.7.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.7.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. +8.7.0-dev,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. +8.7.0-dev,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. +8.7.0-dev,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.7.0-dev,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.7.0-dev,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.7.0-dev,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating +8.7.0-dev,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +8.7.0-dev,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +8.7.0-dev,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. 
+8.7.0-dev,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.7.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. 
+8.7.0-dev,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. 
+8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. 
+8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +8.7.0-dev,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +8.7.0-dev,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. 
+8.7.0-dev,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +8.7.0-dev,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.7.0-dev,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.7.0-dev,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. 
+8.7.0-dev,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +8.7.0-dev,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.7.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.7.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.7.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+8.7.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.7.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.7.0-dev,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
+8.7.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.7.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.7.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.7.0-dev,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. +8.7.0-dev,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +8.7.0-dev,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. +8.7.0-dev,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. +8.7.0-dev,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +8.7.0-dev,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.7.0-dev,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. +8.7.0-dev,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
+8.7.0-dev,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.7.0-dev,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. +8.7.0-dev,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.7.0-dev,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. +8.7.0-dev,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.7.0-dev,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +8.7.0-dev,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +8.7.0-dev,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,WHITE,Indicator TLP marking +8.7.0-dev,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. +8.7.0-dev,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port +8.7.0-dev,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +8.7.0-dev,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +8.7.0-dev,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +8.7.0-dev,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. 
+8.7.0-dev,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +8.7.0-dev,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +8.7.0-dev,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +8.7.0-dev,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +8.7.0-dev,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. +8.7.0-dev,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics +8.7.0-dev,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed +8.7.0-dev,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +8.7.0-dev,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +8.7.0-dev,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +8.7.0-dev,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +8.7.0-dev,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.7.0-dev,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. 
+8.7.0-dev,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.7.0-dev,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.7.0-dev,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. +8.7.0-dev,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +8.7.0-dev,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." +8.7.0-dev,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. +8.7.0-dev,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +8.7.0-dev,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +8.7.0-dev,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +8.7.0-dev,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.7.0-dev,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. +8.7.0-dev,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.7.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
+8.7.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.7.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.7.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.7.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.7.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.7.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.7.0-dev,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.7.0-dev,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.7.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.7.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.7.0-dev,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.7.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. 
+8.7.0-dev,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.7.0-dev,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.7.0-dev,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.7.0-dev,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.7.0-dev,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.7.0-dev,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.7.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.7.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.7.0-dev,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.7.0-dev,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. 
+8.7.0-dev,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value +8.7.0-dev,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field +8.7.0-dev,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier +8.7.0-dev,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index +8.7.0-dev,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05T17:00:58.326Z,Date of match +8.7.0-dev,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match +8.7.0-dev,true,threat,threat.feed.dashboard_id,keyword,extended,,5ba16340-72e6-11eb-a3e3-b3cc7c78a70f,Feed dashboard ID. +8.7.0-dev,true,threat,threat.feed.description,keyword,extended,,Threat feed from the AlienVault Open Threat eXchange network.,Description of the threat feed. +8.7.0-dev,true,threat,threat.feed.name,keyword,extended,,AlienVault OTX,Name of the threat feed. +8.7.0-dev,true,threat,threat.feed.reference,keyword,extended,,https://otx.alienvault.com,Reference for the threat feed. +8.7.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. +8.7.0-dev,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. +8.7.0-dev,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. +8.7.0-dev,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. +8.7.0-dev,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. +8.7.0-dev,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.7.0-dev,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. 
+8.7.0-dev,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.7.0-dev,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating +8.7.0-dev,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +8.7.0-dev,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +8.7.0-dev,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. +8.7.0-dev,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +8.7.0-dev,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.7.0-dev,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.7.0-dev,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.7.0-dev,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.7.0-dev,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.7.0-dev,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.7.0-dev,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.7.0-dev,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 
+8.7.0-dev,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.7.0-dev,true,threat,threat.indicator.file.created,date,extended,,,File creation time. +8.7.0-dev,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +8.7.0-dev,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +8.7.0-dev,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +8.7.0-dev,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +8.7.0-dev,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.7.0-dev,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.7.0-dev,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.7.0-dev,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +8.7.0-dev,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +8.7.0-dev,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.7.0-dev,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.7.0-dev,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.7.0-dev,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.7.0-dev,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." 
+8.7.0-dev,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.7.0-dev,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.7.0-dev,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +8.7.0-dev,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +8.7.0-dev,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +8.7.0-dev,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.7.0-dev,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.7.0-dev,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.7.0-dev,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +8.7.0-dev,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.7.0-dev,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.7.0-dev,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.7.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.7.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.7.0-dev,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. +8.7.0-dev,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.7.0-dev,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. 
+8.7.0-dev,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.7.0-dev,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.7.0-dev,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +8.7.0-dev,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +8.7.0-dev,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +8.7.0-dev,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +8.7.0-dev,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. +8.7.0-dev,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. +8.7.0-dev,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. +8.7.0-dev,true,threat,threat.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. +8.7.0-dev,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. +8.7.0-dev,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.7.0-dev,true,threat,threat.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. +8.7.0-dev,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +8.7.0-dev,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +8.7.0-dev,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +8.7.0-dev,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. +8.7.0-dev,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." 
+8.7.0-dev,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. +8.7.0-dev,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.7.0-dev,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.7.0-dev,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.7.0-dev,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.7.0-dev,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.7.0-dev,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.7.0-dev,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.7.0-dev,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.7.0-dev,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.7.0-dev,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.7.0-dev,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. +8.7.0-dev,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +8.7.0-dev,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. +8.7.0-dev,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." 
+8.7.0-dev,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +8.7.0-dev,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.7.0-dev,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.7.0-dev,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.7.0-dev,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.7.0-dev,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.7.0-dev,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.7.0-dev,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.7.0-dev,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.7.0-dev,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.7.0-dev,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.7.0-dev,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. 
+8.7.0-dev,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.7.0-dev,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.7.0-dev,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.7.0-dev,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.7.0-dev,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.7.0-dev,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.7.0-dev,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.7.0-dev,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.7.0-dev,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.7.0-dev,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.7.0-dev,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.7.0-dev,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.7.0-dev,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. 
+8.7.0-dev,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +8.7.0-dev,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. +8.7.0-dev,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. +8.7.0-dev,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +8.7.0-dev,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.7.0-dev,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. +8.7.0-dev,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.7.0-dev,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.7.0-dev,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. +8.7.0-dev,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.7.0-dev,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. +8.7.0-dev,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.7.0-dev,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +8.7.0-dev,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +8.7.0-dev,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking +8.7.0-dev,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. 
+8.7.0-dev,true,threat,threat.indicator.port,long,extended,,443,Indicator port +8.7.0-dev,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +8.7.0-dev,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +8.7.0-dev,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +8.7.0-dev,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +8.7.0-dev,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +8.7.0-dev,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +8.7.0-dev,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +8.7.0-dev,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +8.7.0-dev,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. +8.7.0-dev,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics +8.7.0-dev,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed +8.7.0-dev,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +8.7.0-dev,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +8.7.0-dev,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." 
+8.7.0-dev,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +8.7.0-dev,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.7.0-dev,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.7.0-dev,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.7.0-dev,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.7.0-dev,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. +8.7.0-dev,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +8.7.0-dev,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." +8.7.0-dev,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. +8.7.0-dev,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +8.7.0-dev,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +8.7.0-dev,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +8.7.0-dev,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.7.0-dev,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. +8.7.0-dev,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
+8.7.0-dev,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.7.0-dev,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.7.0-dev,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.7.0-dev,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.7.0-dev,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.7.0-dev,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.7.0-dev,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.7.0-dev,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.7.0-dev,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.7.0-dev,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.7.0-dev,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.7.0-dev,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. 
+8.7.0-dev,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.7.0-dev,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.7.0-dev,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.7.0-dev,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.7.0-dev,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.7.0-dev,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.7.0-dev,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.7.0-dev,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.7.0-dev,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.7.0-dev,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.7.0-dev,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. +8.7.0-dev,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software +8.7.0-dev,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software +8.7.0-dev,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. +8.7.0-dev,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. 
+8.7.0-dev,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. +8.7.0-dev,true,threat,threat.software.type,keyword,extended,,Tool,Software type. +8.7.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. +8.7.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. +8.7.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. +8.7.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. +8.7.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. +8.7.0-dev,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name. +8.7.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. +8.7.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. +8.7.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. +8.7.0-dev,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name. +8.7.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. +8.7.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. +8.7.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. 
+8.7.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. +8.7.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. +8.7.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. +8.7.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. +8.7.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. +8.7.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. +8.7.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. +8.7.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. +8.7.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. +8.7.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. 
+8.7.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. +8.7.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.7.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.7.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.7.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.7.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.7.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.7.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.7.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.7.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.7.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.7.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.7.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. 
This is algorithm specific. +8.7.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.7.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.7.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.7.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.7.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.7.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.7.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.7.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.7.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.7.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.7.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.7.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. +8.7.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." +8.7.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. 
+8.7.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. +8.7.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +8.7.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. +8.7.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. +8.7.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. +8.7.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. +8.7.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. +8.7.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. +8.7.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. +8.7.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. +8.7.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. 
+8.7.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. +8.7.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.7.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.7.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.7.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.7.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.7.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.7.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.7.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.7.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.7.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.7.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.7.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. 
+8.7.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.7.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.7.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.7.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.7.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.7.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.7.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.7.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.7.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.7.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.7.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.7.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. +8.7.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. +8.7.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. +8.7.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. 
+8.7.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. +8.7.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. +8.7.0-dev,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +8.7.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. +8.7.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.7.0-dev,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.7.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.7.0-dev,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.7.0-dev,true,url,url.password,keyword,extended,,,Password of the request. +8.7.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +8.7.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443." +8.7.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. +8.7.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +8.7.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. +8.7.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. +8.7.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.7.0-dev,true,url,url.username,keyword,extended,,,Username of the request. 
+8.7.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. +8.7.0-dev,true,user,user.changes.email,keyword,extended,,,User email address. +8.7.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.7.0-dev,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.7.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.7.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group. +8.7.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.7.0-dev,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,user,user.changes.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.7.0-dev,true,user,user.changes.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.7.0-dev,true,user,user.changes.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.7.0-dev,true,user,user.changes.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 
+8.7.0-dev,true,user,user.changes.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.7.0-dev,true,user,user.changes.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +8.7.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.7.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.7.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. +8.7.0-dev,true,user,user.effective.email,keyword,extended,,,User email address. +8.7.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.7.0-dev,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.7.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.7.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group. +8.7.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.7.0-dev,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
+8.7.0-dev,true,user,user.effective.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.7.0-dev,true,user,user.effective.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.7.0-dev,true,user,user.effective.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.7.0-dev,true,user,user.effective.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.7.0-dev,true,user,user.effective.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.7.0-dev,true,user,user.effective.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +8.7.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.7.0-dev,true,user,user.email,keyword,extended,,,User email address. +8.7.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.7.0-dev,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.7.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.7.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group. +8.7.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
+8.7.0-dev,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.7.0-dev,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.7.0-dev,true,user,user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.7.0-dev,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.7.0-dev,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.7.0-dev,true,user,user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +8.7.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.7.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. +8.7.0-dev,true,user,user.target.email,keyword,extended,,,User email address. +8.7.0-dev,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.7.0-dev,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.7.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+8.7.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.7.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group. +8.7.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.7.0-dev,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.7.0-dev,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.7.0-dev,true,user,user.target.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.7.0-dev,true,user,user.target.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.7.0-dev,true,user,user.target.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.7.0-dev,true,user,user.target.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.7.0-dev,true,user,user.target.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.7.0-dev,true,user,user.target.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +8.7.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.7.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. 
+8.7.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. +8.7.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +8.7.0-dev,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +8.7.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +8.7.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.7.0-dev,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.7.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +8.7.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +8.7.0-dev,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +8.7.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +8.7.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +8.7.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +8.7.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. +8.7.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. 
+8.7.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. +8.7.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +8.7.0-dev,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +8.7.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. +8.7.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. +8.7.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. +8.7.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. +8.7.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. +8.7.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. +8.7.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. +8.7.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. +8.7.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. +8.7.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. diff --git a/generated/elasticsearch/composable/component/agent.json b/generated/elasticsearch/composable/component/agent.json index 178c86ccf0..388846677b 100644 --- a/generated/elasticsearch/composable/component/agent.json +++ b/generated/elasticsearch/composable/component/agent.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/base.json b/generated/elasticsearch/composable/component/base.json index 217f14a5f9..a050b99f03 100644 --- a/generated/elasticsearch/composable/component/base.json +++ b/generated/elasticsearch/composable/component/base.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/client.json b/generated/elasticsearch/composable/component/client.json index e2cf0292f7..cd51d23b55 100644 --- a/generated/elasticsearch/composable/component/client.json +++ b/generated/elasticsearch/composable/component/client.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/cloud.json b/generated/elasticsearch/composable/component/cloud.json index 5edc8884b8..ca1ce8cf95 100644 --- a/generated/elasticsearch/composable/component/cloud.json +++ b/generated/elasticsearch/composable/component/cloud.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cloud.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/container.json b/generated/elasticsearch/composable/component/container.json index 6f683ae86b..ca49696763 100644 --- a/generated/elasticsearch/composable/component/container.json +++ b/generated/elasticsearch/composable/component/container.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-container.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/data_stream.json b/generated/elasticsearch/composable/component/data_stream.json index 96754802b5..6d9f0eaf1a 100644 --- a/generated/elasticsearch/composable/component/data_stream.json +++ b/generated/elasticsearch/composable/component/data_stream.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-data_stream.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/destination.json b/generated/elasticsearch/composable/component/destination.json index 2b351e5f80..855844200a 100644 --- a/generated/elasticsearch/composable/component/destination.json +++ b/generated/elasticsearch/composable/component/destination.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/device.json b/generated/elasticsearch/composable/component/device.json index 32670bb94d..8e947e0f5c 100644 --- a/generated/elasticsearch/composable/component/device.json +++ b/generated/elasticsearch/composable/component/device.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-device.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/dll.json b/generated/elasticsearch/composable/component/dll.json index 188a977f16..1286f8ea02 100644 --- a/generated/elasticsearch/composable/component/dll.json +++ b/generated/elasticsearch/composable/component/dll.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dll.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/dns.json b/generated/elasticsearch/composable/component/dns.json index 71d87c97c1..9fdd14492f 100644 --- a/generated/elasticsearch/composable/component/dns.json +++ b/generated/elasticsearch/composable/component/dns.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/ecs.json b/generated/elasticsearch/composable/component/ecs.json index a2b61e3371..64d1227cd5 100644 --- a/generated/elasticsearch/composable/component/ecs.json +++ b/generated/elasticsearch/composable/component/ecs.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/email.json b/generated/elasticsearch/composable/component/email.json index b5911e6d2f..9ca6eb2f3a 100644 --- a/generated/elasticsearch/composable/component/email.json +++ b/generated/elasticsearch/composable/component/email.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-email.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/error.json b/generated/elasticsearch/composable/component/error.json index ced0d25e29..f1d804aed3 100644 --- a/generated/elasticsearch/composable/component/error.json +++ b/generated/elasticsearch/composable/component/error.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-error.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/event.json b/generated/elasticsearch/composable/component/event.json index 607d4cdd08..018ad19f9b 100644 --- a/generated/elasticsearch/composable/component/event.json +++ b/generated/elasticsearch/composable/component/event.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/faas.json b/generated/elasticsearch/composable/component/faas.json index d83f41aa59..cc92b3125d 100644 --- a/generated/elasticsearch/composable/component/faas.json +++ b/generated/elasticsearch/composable/component/faas.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-faas.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/file.json b/generated/elasticsearch/composable/component/file.json index 4fda935b5d..a9190e1ea9 100644 --- a/generated/elasticsearch/composable/component/file.json +++ b/generated/elasticsearch/composable/component/file.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/group.json b/generated/elasticsearch/composable/component/group.json index 2b2859ab95..8716a36676 100644 --- a/generated/elasticsearch/composable/component/group.json +++ b/generated/elasticsearch/composable/component/group.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-group.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/host.json b/generated/elasticsearch/composable/component/host.json index d49d77f4ce..9ef352ba8d 100644 --- a/generated/elasticsearch/composable/component/host.json +++ b/generated/elasticsearch/composable/component/host.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/http.json b/generated/elasticsearch/composable/component/http.json index fcebba0bd2..678f35320c 100644 --- a/generated/elasticsearch/composable/component/http.json +++ b/generated/elasticsearch/composable/component/http.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/log.json b/generated/elasticsearch/composable/component/log.json index 64396b3e24..0c629e6029 100644 --- a/generated/elasticsearch/composable/component/log.json +++ b/generated/elasticsearch/composable/component/log.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/network.json b/generated/elasticsearch/composable/component/network.json index e639c6486e..b0fe219653 100644 --- a/generated/elasticsearch/composable/component/network.json +++ b/generated/elasticsearch/composable/component/network.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/observer.json b/generated/elasticsearch/composable/component/observer.json index 4e470e13a2..76eaf84e0a 100644 --- a/generated/elasticsearch/composable/component/observer.json +++ b/generated/elasticsearch/composable/component/observer.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/orchestrator.json b/generated/elasticsearch/composable/component/orchestrator.json index b1fd0a2259..6e2d09449d 100644 --- a/generated/elasticsearch/composable/component/orchestrator.json +++ b/generated/elasticsearch/composable/component/orchestrator.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-orchestrator.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/organization.json b/generated/elasticsearch/composable/component/organization.json index 7ea9554e9f..f680d37b02 100644 --- a/generated/elasticsearch/composable/component/organization.json +++ b/generated/elasticsearch/composable/component/organization.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-organization.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/package.json b/generated/elasticsearch/composable/component/package.json index 7516d09e37..165b9a3b06 100644 --- a/generated/elasticsearch/composable/component/package.json 
+++ b/generated/elasticsearch/composable/component/package.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-package.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/process.json b/generated/elasticsearch/composable/component/process.json index 8f90a4f7d8..1e17cf255d 100644 --- a/generated/elasticsearch/composable/component/process.json +++ b/generated/elasticsearch/composable/component/process.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/registry.json b/generated/elasticsearch/composable/component/registry.json index c6f683a98e..af2f70b950 100644 --- a/generated/elasticsearch/composable/component/registry.json +++ b/generated/elasticsearch/composable/component/registry.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-registry.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/related.json b/generated/elasticsearch/composable/component/related.json index 2c06b52bff..106e995d97 100644 --- a/generated/elasticsearch/composable/component/related.json +++ b/generated/elasticsearch/composable/component/related.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-related.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/rule.json b/generated/elasticsearch/composable/component/rule.json index a571ec781f..cc8de9ba28 100644 --- a/generated/elasticsearch/composable/component/rule.json 
+++ b/generated/elasticsearch/composable/component/rule.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/server.json b/generated/elasticsearch/composable/component/server.json index 591352a1df..d0454fb9f3 100644 --- a/generated/elasticsearch/composable/component/server.json +++ b/generated/elasticsearch/composable/component/server.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/service.json b/generated/elasticsearch/composable/component/service.json index 0994a58fdf..0cef95e32f 100644 --- a/generated/elasticsearch/composable/component/service.json +++ b/generated/elasticsearch/composable/component/service.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/source.json b/generated/elasticsearch/composable/component/source.json index c5f1c281c9..30f560e22a 100644 --- a/generated/elasticsearch/composable/component/source.json +++ b/generated/elasticsearch/composable/component/source.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/threat.json b/generated/elasticsearch/composable/component/threat.json index 5ca09a4814..df91aeb659 100644 --- a/generated/elasticsearch/composable/component/threat.json 
+++ b/generated/elasticsearch/composable/component/threat.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-threat.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/tls.json b/generated/elasticsearch/composable/component/tls.json index f01db87257..b8027b94bb 100644 --- a/generated/elasticsearch/composable/component/tls.json +++ b/generated/elasticsearch/composable/component/tls.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tls.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/tracing.json b/generated/elasticsearch/composable/component/tracing.json index e8a85a6e49..5d7e79749e 100644 --- a/generated/elasticsearch/composable/component/tracing.json +++ b/generated/elasticsearch/composable/component/tracing.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tracing.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/url.json b/generated/elasticsearch/composable/component/url.json index 7484328402..3e665593b0 100644 --- a/generated/elasticsearch/composable/component/url.json +++ b/generated/elasticsearch/composable/component/url.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/user.json b/generated/elasticsearch/composable/component/user.json index 219b4b046f..886e42c06f 100644 --- a/generated/elasticsearch/composable/component/user.json +++ b/generated/elasticsearch/composable/component/user.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/user_agent.json b/generated/elasticsearch/composable/component/user_agent.json index 1be45b6bc5..b9891a921b 100644 --- a/generated/elasticsearch/composable/component/user_agent.json +++ b/generated/elasticsearch/composable/component/user_agent.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/vulnerability.json b/generated/elasticsearch/composable/component/vulnerability.json index 13d1336973..033a756778 100644 --- a/generated/elasticsearch/composable/component/vulnerability.json +++ b/generated/elasticsearch/composable/component/vulnerability.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/template.json b/generated/elasticsearch/composable/template.json index 1d0a80f672..50a185ec6a 100644 --- a/generated/elasticsearch/composable/template.json +++ b/generated/elasticsearch/composable/template.json 
@@ -1,48 +1,48 @@ { "_meta": { "description": "Sample composable template that includes all ECS fields", - "ecs_version": "8.6.0-dev" + "ecs_version": "8.7.0-dev" }, "composed_of": [ - "ecs_8.6.0-dev_base", - "ecs_8.6.0-dev_agent", - "ecs_8.6.0-dev_client", - "ecs_8.6.0-dev_cloud", - "ecs_8.6.0-dev_container", - "ecs_8.6.0-dev_data_stream", - "ecs_8.6.0-dev_destination", - "ecs_8.6.0-dev_device", - "ecs_8.6.0-dev_dll", - "ecs_8.6.0-dev_dns", - "ecs_8.6.0-dev_ecs", - "ecs_8.6.0-dev_email", - "ecs_8.6.0-dev_error", - "ecs_8.6.0-dev_event", - "ecs_8.6.0-dev_faas", - "ecs_8.6.0-dev_file", - "ecs_8.6.0-dev_group", - "ecs_8.6.0-dev_host", - "ecs_8.6.0-dev_http", - "ecs_8.6.0-dev_log", - "ecs_8.6.0-dev_network", - "ecs_8.6.0-dev_observer", - "ecs_8.6.0-dev_orchestrator", - "ecs_8.6.0-dev_organization", - "ecs_8.6.0-dev_package", - "ecs_8.6.0-dev_process", - "ecs_8.6.0-dev_registry", - "ecs_8.6.0-dev_related", - "ecs_8.6.0-dev_rule", - "ecs_8.6.0-dev_server", - "ecs_8.6.0-dev_service", - "ecs_8.6.0-dev_source", - "ecs_8.6.0-dev_threat", - "ecs_8.6.0-dev_tls", - "ecs_8.6.0-dev_tracing", - "ecs_8.6.0-dev_url", - "ecs_8.6.0-dev_user_agent", - "ecs_8.6.0-dev_user", - "ecs_8.6.0-dev_vulnerability" + "ecs_8.7.0-dev_base", + "ecs_8.7.0-dev_agent", + "ecs_8.7.0-dev_client", + "ecs_8.7.0-dev_cloud", + "ecs_8.7.0-dev_container", + "ecs_8.7.0-dev_data_stream", + "ecs_8.7.0-dev_destination", + "ecs_8.7.0-dev_device", + "ecs_8.7.0-dev_dll", + "ecs_8.7.0-dev_dns", + "ecs_8.7.0-dev_ecs", + "ecs_8.7.0-dev_email", + "ecs_8.7.0-dev_error", + "ecs_8.7.0-dev_event", + "ecs_8.7.0-dev_faas", + "ecs_8.7.0-dev_file", + "ecs_8.7.0-dev_group", + "ecs_8.7.0-dev_host", + "ecs_8.7.0-dev_http", + "ecs_8.7.0-dev_log", + "ecs_8.7.0-dev_network", + "ecs_8.7.0-dev_observer", + "ecs_8.7.0-dev_orchestrator", + "ecs_8.7.0-dev_organization", + "ecs_8.7.0-dev_package", + "ecs_8.7.0-dev_process", + "ecs_8.7.0-dev_registry", + "ecs_8.7.0-dev_related", + "ecs_8.7.0-dev_rule", + "ecs_8.7.0-dev_server", + 
"ecs_8.7.0-dev_service", + "ecs_8.7.0-dev_source", + "ecs_8.7.0-dev_threat", + "ecs_8.7.0-dev_tls", + "ecs_8.7.0-dev_tracing", + "ecs_8.7.0-dev_url", + "ecs_8.7.0-dev_user_agent", + "ecs_8.7.0-dev_user", + "ecs_8.7.0-dev_vulnerability" ], "index_patterns": [ "try-ecs-*" diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index a57759aa3c..e36fdd60af 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -4,7 +4,7 @@ ], "mappings": { "_meta": { - "version": "8.6.0-dev" + "version": "8.7.0-dev" }, "date_detection": false, "dynamic_templates": [ diff --git a/version b/version index 6602f0e9bc..e595c16db2 100644 --- a/version +++ b/version @@ -1 +1 @@ -8.6.0-dev +8.7.0-dev From 24aedf7731cb6f68918203f454254da05976c0b3 Mon Sep 17 00:00:00 2001 From: Dominic Page <11043991+djptek@users.noreply.github.com> Date: Wed, 28 Sep 2022 18:54:32 +0200 Subject: [PATCH 041/186] SFF add 8.6 release notes placeholder (#2065) --- docs/release-notes/8.6.asciidoc | 4 ++++ docs/release-notes/index.asciidoc | 2 ++ 2 files changed, 6 insertions(+) create mode 100644 docs/release-notes/8.6.asciidoc diff --git a/docs/release-notes/8.6.asciidoc b/docs/release-notes/8.6.asciidoc new file mode 100644 index 0000000000..d2dc0f0ffe --- /dev/null +++ b/docs/release-notes/8.6.asciidoc @@ -0,0 +1,4 @@ +[[ecs-release-notes-8.6.0]] +=== 8.6.0 + +coming[8.6.0] diff --git a/docs/release-notes/index.asciidoc b/docs/release-notes/index.asciidoc index 02ca782516..206f2c8196 100644 --- a/docs/release-notes/index.asciidoc +++ b/docs/release-notes/index.asciidoc @@ -3,6 +3,7 @@ This section summarizes the changes in each release. +* <> * <> * <> * <> 
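Review bot: the `composed_of` list in generated/elasticsearch/composable/template.json now names `ecs_8.7.0-dev_*` component templates, so this index template only installs on a cluster where every regenerated component under generated/elasticsearch/composable/component/ has been loaded first; Elasticsearch rejects an index template whose `composed_of` references a component template that does not exist, and anyone who previously loaded the `ecs_8.6.0-dev_*` components is left with orphaned copies that nothing points at. Worth a line in the changelog or the `try-ecs-*` instructions that the component templates must be re-PUT before the index template on every dev-version bump. Minor: generated/elasticsearch/legacy/template.json records the version under `_meta.version` while every composable artifact uses `_meta.ecs_version`; if tooling is expected to read the version from either file, the key names should agree.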
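Review bot: in the docs/release-notes/index.asciidoc hunk the added list item reads `* <>` with no cross-reference target, while the anchor created in docs/release-notes/8.6.asciidoc is `[[ecs-release-notes-8.6.0]]`. The neighbouring entries appear the same way here, so this is probably lost in rendering, but please confirm the committed line is `* <<ecs-release-notes-8.6.0>>` so the new entry resolves to the stub page rather than producing a broken xref in the build. The `coming[8.6.0]` placeholder itself is fine for a feature-freeze stub.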
@@ -18,6 +19,7 @@ This section summarizes the changes in each release. :issue: https://github.com/elastic/ecs/issues/ :pull: https://github.com/elastic/ecs/pull/ +include::8.6.asciidoc[] include::8.5.asciidoc[] include::8.4.asciidoc[] include::8.3.1.asciidoc[] From b4710e1b464046ce96fc18e5ebdd1019fa523c4d Mon Sep 17 00:00:00 2001 From: Kylie Geller Date: Wed, 28 Sep 2022 14:00:51 -0400 Subject: [PATCH 042/186] Refining the addition of the `risk.*` fields locations (#2058) --- CHANGELOG.next.md | 2 +- experimental/generated/beats/fields.ecs.yml | 322 ---------- experimental/generated/csv/fields.csv | 42 -- experimental/generated/ecs/ecs_flat.yml | 560 ------------------ experimental/generated/ecs/ecs_nested.yml | 560 ------------------ .../composable/component/client.json | 24 - .../composable/component/destination.json | 24 - .../composable/component/server.json | 24 - .../composable/component/source.json | 24 - .../composable/component/user.json | 72 --- .../elasticsearch/legacy/template.json | 168 ------ generated/beats/fields.ecs.yml | 322 ---------- generated/csv/fields.csv | 42 -- generated/ecs/ecs_flat.yml | 560 ------------------ generated/ecs/ecs_nested.yml | 560 ------------------ .../composable/component/client.json | 24 - .../composable/component/destination.json | 24 - .../composable/component/server.json | 24 - .../composable/component/source.json | 24 - .../composable/component/user.json | 72 --- generated/elasticsearch/legacy/template.json | 168 ------ schemas/subsets/main.yml | 172 +++++- 22 files changed, 167 insertions(+), 3647 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index f178346981..04bc234a2c 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md 
@@ -52,7 +52,7 @@ Thanks, you're awesome :-) --> * Adding `process.tty.rows` and `process.tty.columns` as beta fields. #2031 * Changed `process.env_vars` field type to be an array of keywords. #2038 * `process.attested_user` and `process.attested_groups` as beta fields. #2050 -* Added `risk.*` fieldset to beta. #2051 +* Added `risk.*` fieldset to beta. #2051, #2058 #### Improvements diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index ade4eec2d7..2a8b6af5c1 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -481,52 +481,6 @@ default_field: false description: Short name or login of the user. example: a.einstein - - name: user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - name: user.roles level: extended type: keyword 
@@ -1325,52 +1279,6 @@ default_field: false description: Short name or login of the user. example: a.einstein - - name: user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - name: user.roles level: extended type: keyword 
@@ -7824,52 +7732,6 @@ default_field: false description: Short name or login of the user. example: a.einstein - - name: user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - name: user.roles level: extended type: keyword 
@@ -8598,52 +8460,6 @@ default_field: false description: Short name or login of the user. example: a.einstein - - name: user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - name: user.roles level: extended type: keyword 
@@ -12363,52 +12179,6 @@ description: Short name or login of the user. example: a.einstein default_field: false - - name: changes.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: changes.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: changes.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: changes.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: changes.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: changes.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - name: changes.roles level: extended type: keyword 
@@ -12494,52 +12264,6 @@ description: Short name or login of the user. example: a.einstein default_field: false - - name: effective.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: effective.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: effective.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: effective.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: effective.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: effective.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - name: effective.roles level: extended type: keyword 
@@ -12728,52 +12452,6 @@ description: Short name or login of the user. example: a.einstein default_field: false - - name: target.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: target.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: target.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: target.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: target.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: target.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - name: target.roles level: extended type: keyword diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index babe1d61e7..843ec0bbc9 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -53,12 +53,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.7.0-dev+exp,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. 8.7.0-dev+exp,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.7.0-dev+exp,true,client,client.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.7.0-dev+exp,true,client,client.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.7.0-dev+exp,true,client,client.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.7.0-dev+exp,true,client,client.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.7.0-dev+exp,true,client,client.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.7.0-dev+exp,true,client,client.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 8.7.0-dev+exp,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 8.7.0-dev+exp,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. 8.7.0-dev+exp,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. 
@@ -146,12 +140,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.7.0-dev+exp,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. 8.7.0-dev+exp,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.7.0-dev+exp,true,destination,destination.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.7.0-dev+exp,true,destination,destination.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.7.0-dev+exp,true,destination,destination.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.7.0-dev+exp,true,destination,destination.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.7.0-dev+exp,true,destination,destination.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.7.0-dev+exp,true,destination,destination.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 8.7.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 8.7.0-dev+exp,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. 
8.7.0-dev+exp,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. 
@@ -917,12 +905,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.7.0-dev+exp,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. 8.7.0-dev+exp,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.7.0-dev+exp,true,server,server.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.7.0-dev+exp,true,server,server.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.7.0-dev+exp,true,server,server.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.7.0-dev+exp,true,server,server.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.7.0-dev+exp,true,server,server.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.7.0-dev+exp,true,server,server.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 8.7.0-dev+exp,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 8.7.0-dev+exp,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. 8.7.0-dev+exp,true,service,service.environment,keyword,extended,,production,Environment of the service. 
@@ -994,12 +976,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.7.0-dev+exp,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. 8.7.0-dev+exp,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.7.0-dev+exp,true,source,source.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.7.0-dev+exp,true,source,source.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.7.0-dev+exp,true,source,source.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.7.0-dev+exp,true,source,source.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.7.0-dev+exp,true,source,source.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.7.0-dev+exp,true,source,source.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 8.7.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 8.7.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. 8.7.0-dev+exp,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. 
@@ -1494,12 +1470,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.7.0-dev+exp,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. 8.7.0-dev+exp,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.7.0-dev+exp,true,user,user.changes.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.7.0-dev+exp,true,user,user.changes.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.7.0-dev+exp,true,user,user.changes.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.7.0-dev+exp,true,user,user.changes.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.7.0-dev+exp,true,user,user.changes.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.7.0-dev+exp,true,user,user.changes.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 8.7.0-dev+exp,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 8.7.0-dev+exp,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. 8.7.0-dev+exp,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. 
@@ -1513,12 +1483,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.7.0-dev+exp,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. 8.7.0-dev+exp,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.7.0-dev+exp,true,user,user.effective.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.7.0-dev+exp,true,user,user.effective.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.7.0-dev+exp,true,user,user.effective.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.7.0-dev+exp,true,user,user.effective.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.7.0-dev+exp,true,user,user.effective.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.7.0-dev+exp,true,user,user.effective.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 8.7.0-dev+exp,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 8.7.0-dev+exp,true,user,user.email,keyword,extended,,,User email address. 8.7.0-dev+exp,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
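Review bot: between this hunk (`-1513`, ending at `user.full_name`) and the next one at `-1548` (starting at `user.target.id`) there is an unchanged run of rows, and that run is exactly where the top-level `user.risk.*` rows would sort (after `user.name.text`, before `user.roles`, by the same ordering the hunks above show). If the top-level fields are deliberately kept while every nested reuse loses them, say so in the changelog and PR description: a query on `user.risk.calculated_level` will still resolve while `source.user.risk.calculated_level` will not, which is easy to misread as a regression.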
@@ -1548,12 +1512,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.7.0-dev+exp,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. 8.7.0-dev+exp,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.7.0-dev+exp,true,user,user.target.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.7.0-dev+exp,true,user,user.target.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.7.0-dev+exp,true,user,user.target.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.7.0-dev+exp,true,user,user.target.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.7.0-dev+exp,true,user,user.target.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.7.0-dev+exp,true,user,user.target.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 8.7.0-dev+exp,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 8.7.0-dev+exp,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. 8.7.0-dev+exp,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 9853469b7b..93d250b037 100644 
--- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -616,86 +616,6 @@ client.user.name: original_fieldset: user short: Short name or login of the user. type: keyword -client.user.risk.calculated_level: - dashed_name: client-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: client.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -client.user.risk.calculated_score: - dashed_name: client-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: client.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -client.user.risk.calculated_score_norm: - dashed_name: client-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: client.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -client.user.risk.static_level: - dashed_name: client-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: client.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -client.user.risk.static_score: - dashed_name: client-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: client.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -client.user.risk.static_score_norm: - dashed_name: client-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: client.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float client.user.roles: dashed_name: client-user-roles description: Array of user roles at the time of the event. 
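Review bot: the removed entries all carry `original_fieldset: risk`, so what is being undone here is the propagation of the `risk` fieldset reuse from `user` into `client.user`; if the `risk` fieldset itself stays in the schema, note the wording mismatch visible in these lines and fix it at the source rather than letting it regenerate elsewhere: `static_score_norm` has `description` "obtained from outside the system" but `short` "calculated by an external system", and `static_score` is described as obtained from a Threat Intelligence Platform while the `short` repeats the same text, so `short` should be a true abbreviation of `description` and consistent between the `static_*` and `calculated_*` pairs.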
@@ -1767,86 +1687,6 @@ destination.user.name: original_fieldset: user short: Short name or login of the user. type: keyword -destination.user.risk.calculated_level: - dashed_name: destination-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: destination.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -destination.user.risk.calculated_score: - dashed_name: destination-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: destination.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -destination.user.risk.calculated_score_norm: - dashed_name: destination-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: destination.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -destination.user.risk.static_level: - dashed_name: destination-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: destination.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -destination.user.risk.static_score: - dashed_name: destination-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: destination.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -destination.user.risk.static_score_norm: - dashed_name: destination-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: destination.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float destination.user.roles: dashed_name: destination-user-roles description: Array of user roles at the time of the event. 
@@ -11529,86 +11369,6 @@ server.user.name: original_fieldset: user short: Short name or login of the user. type: keyword -server.user.risk.calculated_level: - dashed_name: server-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: server.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -server.user.risk.calculated_score: - dashed_name: server-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: server.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -server.user.risk.calculated_score_norm: - dashed_name: server-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: server.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -server.user.risk.static_level: - dashed_name: server-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: server.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -server.user.risk.static_score: - dashed_name: server-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: server.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -server.user.risk.static_score_norm: - dashed_name: server-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: server.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float server.user.roles: dashed_name: server-user-roles description: Array of user roles at the time of the event. 
@@ -12656,86 +12416,6 @@ source.user.name: original_fieldset: user short: Short name or login of the user. type: keyword -source.user.risk.calculated_level: - dashed_name: source-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: source.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -source.user.risk.calculated_score: - dashed_name: source-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: source.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -source.user.risk.calculated_score_norm: - dashed_name: source-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: source.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -source.user.risk.static_level: - dashed_name: source-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: source.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -source.user.risk.static_score: - dashed_name: source-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: source.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -source.user.risk.static_score_norm: - dashed_name: source-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: source.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float source.user.roles: dashed_name: source-user-roles description: Array of user roles at the time of the event. 
@@ -18933,86 +18613,6 @@ user.changes.name: original_fieldset: user short: Short name or login of the user. type: keyword -user.changes.risk.calculated_level: - dashed_name: user-changes-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: user.changes.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -user.changes.risk.calculated_score: - dashed_name: user-changes-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: user.changes.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -user.changes.risk.calculated_score_norm: - dashed_name: user-changes-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: user.changes.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -user.changes.risk.static_level: - dashed_name: user-changes-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: user.changes.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -user.changes.risk.static_score: - dashed_name: user-changes-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: user.changes.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -user.changes.risk.static_score_norm: - dashed_name: user-changes-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: user.changes.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float user.changes.roles: dashed_name: user-changes-roles description: Array of user roles at the time of the event. 
@@ -19156,86 +18756,6 @@ user.effective.name: original_fieldset: user short: Short name or login of the user. type: keyword -user.effective.risk.calculated_level: - dashed_name: user-effective-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: user.effective.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -user.effective.risk.calculated_score: - dashed_name: user-effective-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: user.effective.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -user.effective.risk.calculated_score_norm: - dashed_name: user-effective-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: user.effective.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -user.effective.risk.static_level: - dashed_name: user-effective-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: user.effective.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -user.effective.risk.static_score: - dashed_name: user-effective-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: user.effective.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -user.effective.risk.static_score_norm: - dashed_name: user-effective-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: user.effective.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float user.effective.roles: dashed_name: user-effective-roles description: Array of user roles at the time of the event. 
@@ -19559,86 +19079,6 @@ user.target.name: original_fieldset: user short: Short name or login of the user. type: keyword -user.target.risk.calculated_level: - dashed_name: user-target-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: user.target.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -user.target.risk.calculated_score: - dashed_name: user-target-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: user.target.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -user.target.risk.calculated_score_norm: - dashed_name: user-target-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: user.target.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -user.target.risk.static_level: - dashed_name: user-target-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: user.target.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -user.target.risk.static_score: - dashed_name: user-target-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: user.target.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -user.target.risk.static_score_norm: - dashed_name: user-target-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: user.target.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float user.target.roles: dashed_name: user-target-roles description: Array of user roles at the time of the event. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index d2f8f8e3a7..3c4b0d3aa5 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -779,86 +779,6 @@ client: original_fieldset: user short: Short name or login of the user. type: keyword - client.user.risk.calculated_level: - dashed_name: client-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: client.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - client.user.risk.calculated_score: - dashed_name: client-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: client.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - client.user.risk.calculated_score_norm: - dashed_name: client-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: client.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - client.user.risk.static_level: - dashed_name: client-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: client.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - client.user.risk.static_score: - dashed_name: client-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: client.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - client.user.risk.static_score_norm: - dashed_name: client-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: client.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float client.user.roles: dashed_name: client-user-roles description: Array of user roles at the time of the event. 
@@ -2189,86 +2109,6 @@ destination: original_fieldset: user short: Short name or login of the user. type: keyword - destination.user.risk.calculated_level: - dashed_name: destination-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: destination.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - destination.user.risk.calculated_score: - dashed_name: destination-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: destination.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - destination.user.risk.calculated_score_norm: - dashed_name: destination-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: destination.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - destination.user.risk.static_level: - dashed_name: destination-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: destination.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - destination.user.risk.static_score: - dashed_name: destination-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: destination.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - destination.user.risk.static_score_norm: - dashed_name: destination-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: destination.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float destination.user.roles: dashed_name: destination-user-roles description: Array of user roles at the time of the event. 
@@ -13636,86 +13476,6 @@ server: original_fieldset: user short: Short name or login of the user. type: keyword - server.user.risk.calculated_level: - dashed_name: server-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: server.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - server.user.risk.calculated_score: - dashed_name: server-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: server.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - server.user.risk.calculated_score_norm: - dashed_name: server-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: server.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - server.user.risk.static_level: - dashed_name: server-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: server.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - server.user.risk.static_score: - dashed_name: server-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: server.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - server.user.risk.static_score_norm: - dashed_name: server-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: server.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float server.user.roles: dashed_name: server-user-roles description: Array of user roles at the time of the event. 
@@ -14851,86 +14611,6 @@ source: original_fieldset: user short: Short name or login of the user. type: keyword - source.user.risk.calculated_level: - dashed_name: source-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: source.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - source.user.risk.calculated_score: - dashed_name: source-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: source.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - source.user.risk.calculated_score_norm: - dashed_name: source-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: source.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - source.user.risk.static_level: - dashed_name: source-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: source.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - source.user.risk.static_score: - dashed_name: source-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: source.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - source.user.risk.static_score_norm: - dashed_name: source-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: source.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float source.user.roles: dashed_name: source-user-roles description: Array of user roles at the time of the event. 
@@ -21289,86 +20969,6 @@ user: original_fieldset: user short: Short name or login of the user. type: keyword - user.changes.risk.calculated_level: - dashed_name: user-changes-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: user.changes.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - user.changes.risk.calculated_score: - dashed_name: user-changes-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: user.changes.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - user.changes.risk.calculated_score_norm: - dashed_name: user-changes-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: user.changes.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - user.changes.risk.static_level: - dashed_name: user-changes-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: user.changes.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - user.changes.risk.static_score: - dashed_name: user-changes-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: user.changes.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - user.changes.risk.static_score_norm: - dashed_name: user-changes-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: user.changes.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float user.changes.roles: dashed_name: user-changes-roles description: Array of user roles at the time of the event. 
@@ -21512,86 +21112,6 @@ user: original_fieldset: user short: Short name or login of the user. type: keyword - user.effective.risk.calculated_level: - dashed_name: user-effective-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: user.effective.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - user.effective.risk.calculated_score: - dashed_name: user-effective-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: user.effective.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - user.effective.risk.calculated_score_norm: - dashed_name: user-effective-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: user.effective.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - user.effective.risk.static_level: - dashed_name: user-effective-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: user.effective.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - user.effective.risk.static_score: - dashed_name: user-effective-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: user.effective.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - user.effective.risk.static_score_norm: - dashed_name: user-effective-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: user.effective.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float user.effective.roles: dashed_name: user-effective-roles description: Array of user roles at the time of the event. 
@@ -21915,86 +21435,6 @@ user: original_fieldset: user short: Short name or login of the user. type: keyword - user.target.risk.calculated_level: - dashed_name: user-target-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: user.target.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - user.target.risk.calculated_score: - dashed_name: user-target-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: user.target.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - user.target.risk.calculated_score_norm: - dashed_name: user-target-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: user.target.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - user.target.risk.static_level: - dashed_name: user-target-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: user.target.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - user.target.risk.static_score: - dashed_name: user-target-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: user.target.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - user.target.risk.static_score_norm: - dashed_name: user-target-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: user.target.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float user.target.roles: dashed_name: user-target-roles description: Array of user roles at the time of the event. diff --git a/experimental/generated/elasticsearch/composable/component/client.json b/experimental/generated/elasticsearch/composable/component/client.json index 89b4617461..e28f531fcc 100644 --- a/experimental/generated/elasticsearch/composable/component/client.json +++ b/experimental/generated/elasticsearch/composable/component/client.json 
@@ -173,30 +173,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/composable/component/destination.json b/experimental/generated/elasticsearch/composable/component/destination.json index 53cfa212a8..c0008fe505 100644 --- a/experimental/generated/elasticsearch/composable/component/destination.json +++ b/experimental/generated/elasticsearch/composable/component/destination.json @@ -173,30 +173,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/composable/component/server.json b/experimental/generated/elasticsearch/composable/component/server.json index 76d32bbb92..ac3ed07976 100644 --- a/experimental/generated/elasticsearch/composable/component/server.json +++ b/experimental/generated/elasticsearch/composable/component/server.json 
@@ -173,30 +173,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/composable/component/source.json b/experimental/generated/elasticsearch/composable/component/source.json index 7bf03e55e0..c0f6d097e6 100644 --- a/experimental/generated/elasticsearch/composable/component/source.json +++ b/experimental/generated/elasticsearch/composable/component/source.json @@ -173,30 +173,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/composable/component/user.json b/experimental/generated/elasticsearch/composable/component/user.json index 96f5a38a30..10a154c534 100644 --- a/experimental/generated/elasticsearch/composable/component/user.json +++ b/experimental/generated/elasticsearch/composable/component/user.json 
@@ -60,30 +60,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "type": "keyword" @@ -146,30 +122,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "type": "keyword" @@ -302,30 +254,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index e63e5c1166..cdd811e711 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json 
@@ -263,30 +263,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "type": "keyword" @@ -770,30 +746,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "type": "keyword" @@ -4347,30 +4299,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "type": "keyword" @@ -4702,30 +4630,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "type": "keyword" 
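Review bot: none of the hunks in this patch touch a source definition under `schemas/`, yet every file changed here (`experimental/generated/...`, `generated/...`) is generator output, so the change that actually drops the `risk` reuse from the nested `user` locations (the `reusable` declaration of the fieldset that `original_fieldset: risk` points at, presumably `schemas/risk.yml`) needs to be in the same PR, and these files should come from rerunning the generator (`make` in this repo) rather than from hand edits; a quick check is that regenerating on top of the branch produces no further diff. Note also that removing `"risk": { "properties": { ... } }` from the legacy template only affects indices created after the template is reinstalled; indices already created from the previous 8.7.0-dev template keep their `client.user.risk.*` style mappings, since Elasticsearch does not drop mapped fields from an existing index, so the PR description should say that no existing index is changed by this.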
@@ -6909,30 +6813,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "type": "keyword" @@ -6995,30 +6875,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "type": "keyword" @@ -7151,30 +7007,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 69c9e44735..409f066588 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -431,52 +431,6 @@ default_field: false description: Short name or login of the user. example: a.einstein - - name: user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - name: user.roles level: extended type: keyword 
@@ -1275,52 +1229,6 @@ default_field: false description: Short name or login of the user. example: a.einstein - - name: user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - name: user.roles level: extended type: keyword 
@@ -7774,52 +7682,6 @@ default_field: false description: Short name or login of the user. example: a.einstein - - name: user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - name: user.roles level: extended type: keyword 
@@ -8548,52 +8410,6 @@ default_field: false description: Short name or login of the user. example: a.einstein - - name: user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - name: user.roles level: extended type: keyword 
@@ -12313,52 +12129,6 @@ description: Short name or login of the user. example: a.einstein default_field: false - - name: changes.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: changes.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: changes.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: changes.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: changes.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: changes.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - name: changes.roles level: extended type: keyword 
@@ -12444,52 +12214,6 @@ description: Short name or login of the user. example: a.einstein default_field: false - - name: effective.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: effective.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: effective.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: effective.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: effective.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: effective.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - name: effective.roles level: extended type: keyword 
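Review bot: the Beats hunks at -431, -1275, -7774 and -8548 remove `user.risk.*` entries that, judging by their position in the file, sit under the `client`, `destination`, `server` and `source` keys, and the hunks at -12313, -12444 and -12678 remove `changes.risk.*`, `effective.risk.*` and `target.risk.*` under `user`; there is no hunk removing a bare `risk.*` entry from the top-level `user` key, and the composable `user.json` hunks at -60, -146 and -302 likewise cover only the three nested reuses. The diff therefore scopes the removal to nested `user` reuses and keeps top-level `user.risk.*`, which is a sensible outcome (a risk score describes the entity being scored, and duplicating it under `client.user`, `user.target` and so on invites contradictory values for the same user inside one document), but that intent is invisible to a reader who sees only deletions. State the scoping explicitly in the PR description and in the CHANGELOG.next.md entry, along the lines of "restrict `risk` reuse under `user` to the top level", so nobody reads this as `risk` being dropped from `user` altogether.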
@@ -12678,52 +12402,6 @@ description: Short name or login of the user. example: a.einstein default_field: false - - name: target.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: target.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: target.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: target.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: target.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: target.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - name: target.roles level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 5584f351d0..d8aa0467d3 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -46,12 +46,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.7.0-dev,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. 8.7.0-dev,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.7.0-dev,true,client,client.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.7.0-dev,true,client,client.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.7.0-dev,true,client,client.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.7.0-dev,true,client,client.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.7.0-dev,true,client,client.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.7.0-dev,true,client,client.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 8.7.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 8.7.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. 8.7.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. 
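Review bot: the version column on these CSV rows is `8.7.0-dev`, so whether deleting `client.user.risk.*` is a breaking change depends on whether the nested `risk` reuse ever shipped in a tagged release: if it was added during the 8.7.0 cycle, the CHANGELOG.next.md entry should say it reverts an unreleased addition; if any released version carried these fields, removal is breaking under the project's semver policy and needs a Breaking changes entry and a deprecation path rather than silent deletion. The changelog entry is not visible in these hunks; confirm it is part of the same PR.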
@@ -139,12 +133,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.7.0-dev,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. 8.7.0-dev,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.7.0-dev,true,destination,destination.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.7.0-dev,true,destination,destination.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.7.0-dev,true,destination,destination.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.7.0-dev,true,destination,destination.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.7.0-dev,true,destination,destination.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.7.0-dev,true,destination,destination.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 8.7.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 8.7.0-dev,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. 8.7.0-dev,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. 
@@ -910,12 +898,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.7.0-dev,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. 8.7.0-dev,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.7.0-dev,true,server,server.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.7.0-dev,true,server,server.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.7.0-dev,true,server,server.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.7.0-dev,true,server,server.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.7.0-dev,true,server,server.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.7.0-dev,true,server,server.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 8.7.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 8.7.0-dev,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. 8.7.0-dev,true,service,service.environment,keyword,extended,,production,Environment of the service. 
@@ -987,12 +969,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.7.0-dev,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. 8.7.0-dev,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.7.0-dev,true,source,source.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.7.0-dev,true,source,source.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.7.0-dev,true,source,source.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.7.0-dev,true,source,source.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.7.0-dev,true,source,source.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.7.0-dev,true,source,source.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 8.7.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 8.7.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. 8.7.0-dev,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. 
@@ -1487,12 +1463,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.7.0-dev,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. 8.7.0-dev,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.7.0-dev,true,user,user.changes.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.7.0-dev,true,user,user.changes.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.7.0-dev,true,user,user.changes.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.7.0-dev,true,user,user.changes.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.7.0-dev,true,user,user.changes.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.7.0-dev,true,user,user.changes.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 8.7.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 8.7.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. 8.7.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. 
@@ -1506,12 +1476,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.7.0-dev,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. 8.7.0-dev,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.7.0-dev,true,user,user.effective.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.7.0-dev,true,user,user.effective.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.7.0-dev,true,user,user.effective.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.7.0-dev,true,user,user.effective.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.7.0-dev,true,user,user.effective.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.7.0-dev,true,user,user.effective.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 8.7.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 8.7.0-dev,true,user,user.email,keyword,extended,,,User email address. 8.7.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
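Review bot: the description column of the deleted `user.effective.risk.static_score_norm` row reads "A normalized risk score calculated by an external system." while its siblings `static_level` and `static_score` on the same hunk say the value is "obtained from outside the system, such as from some external Threat Intelligence Platform"; a static score imported from a TIP is supplied, not calculated, and the current wording blurs the one distinction that makes the `calculated_*` / `static_*` pair useful to a detection engineer, namely which number the local analytics engine derived and which one a third party asserted. These rows are being removed here, but the text is the `short` of the `risk` fieldset and persists wherever that fieldset is still reused, so fix it at the source, e.g. "A normalized risk score obtained from an external system."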
@@ -1541,12 +1505,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.7.0-dev,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. 8.7.0-dev,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.7.0-dev,true,user,user.target.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.7.0-dev,true,user,user.target.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.7.0-dev,true,user,user.target.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.7.0-dev,true,user,user.target.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.7.0-dev,true,user,user.target.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.7.0-dev,true,user,user.target.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 8.7.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 8.7.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. 8.7.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 1fd5e16572..999c6fa57a 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -547,86 +547,6 @@ client.user.name: original_fieldset: user short: Short name or login of the user. type: keyword -client.user.risk.calculated_level: - dashed_name: client-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: client.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -client.user.risk.calculated_score: - dashed_name: client-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: client.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -client.user.risk.calculated_score_norm: - dashed_name: client-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: client.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -client.user.risk.static_level: - dashed_name: client-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: client.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -client.user.risk.static_score: - dashed_name: client-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: client.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -client.user.risk.static_score_norm: - dashed_name: client-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: client.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float client.user.roles: dashed_name: client-user-roles description: Array of user roles at the time of the event. 
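Review bot: this `ecs_flat.yml` hunk removes exactly 80 lines (`@@ -547,86 +547,6 @@`), the six `client.user.risk.*` definitions, and the same 80-line block is deleted for `destination.user`, `server.user`, `source.user`, `user.changes`, `user.effective` and `user.target` in the following hunks; because these are generated artifacts, the real change is the `reusable` declaration for `risk` in the source schema, so the thing to check is that the source-schema change in this commit removes exactly those seven reuse targets and no others, and that the top-level `user.risk.*` fields, which appear in none of these hunks, are meant to stay.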
@@ -1698,86 +1618,6 @@ destination.user.name: original_fieldset: user short: Short name or login of the user. type: keyword -destination.user.risk.calculated_level: - dashed_name: destination-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: destination.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -destination.user.risk.calculated_score: - dashed_name: destination-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: destination.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -destination.user.risk.calculated_score_norm: - dashed_name: destination-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: destination.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -destination.user.risk.static_level: - dashed_name: destination-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: destination.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -destination.user.risk.static_score: - dashed_name: destination-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: destination.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -destination.user.risk.static_score_norm: - dashed_name: destination-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: destination.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float destination.user.roles: dashed_name: destination-user-roles description: Array of user roles at the time of the event. 
@@ -11460,86 +11300,6 @@ server.user.name: original_fieldset: user short: Short name or login of the user. type: keyword -server.user.risk.calculated_level: - dashed_name: server-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: server.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -server.user.risk.calculated_score: - dashed_name: server-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: server.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -server.user.risk.calculated_score_norm: - dashed_name: server-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: server.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -server.user.risk.static_level: - dashed_name: server-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: server.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -server.user.risk.static_score: - dashed_name: server-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: server.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -server.user.risk.static_score_norm: - dashed_name: server-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: server.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float server.user.roles: dashed_name: server-user-roles description: Array of user roles at the time of the event. 
@@ -12587,86 +12347,6 @@ source.user.name: original_fieldset: user short: Short name or login of the user. type: keyword -source.user.risk.calculated_level: - dashed_name: source-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: source.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -source.user.risk.calculated_score: - dashed_name: source-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: source.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -source.user.risk.calculated_score_norm: - dashed_name: source-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: source.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -source.user.risk.static_level: - dashed_name: source-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: source.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -source.user.risk.static_score: - dashed_name: source-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: source.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -source.user.risk.static_score_norm: - dashed_name: source-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: source.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float source.user.roles: dashed_name: source-user-roles description: Array of user roles at the time of the event. 
@@ -18864,86 +18544,6 @@ user.changes.name: original_fieldset: user short: Short name or login of the user. type: keyword -user.changes.risk.calculated_level: - dashed_name: user-changes-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: user.changes.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -user.changes.risk.calculated_score: - dashed_name: user-changes-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: user.changes.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -user.changes.risk.calculated_score_norm: - dashed_name: user-changes-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: user.changes.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -user.changes.risk.static_level: - dashed_name: user-changes-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: user.changes.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -user.changes.risk.static_score: - dashed_name: user-changes-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: user.changes.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -user.changes.risk.static_score_norm: - dashed_name: user-changes-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: user.changes.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float user.changes.roles: dashed_name: user-changes-roles description: Array of user roles at the time of the event. 
@@ -19087,86 +18687,6 @@ user.effective.name: original_fieldset: user short: Short name or login of the user. type: keyword -user.effective.risk.calculated_level: - dashed_name: user-effective-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: user.effective.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -user.effective.risk.calculated_score: - dashed_name: user-effective-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: user.effective.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -user.effective.risk.calculated_score_norm: - dashed_name: user-effective-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: user.effective.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -user.effective.risk.static_level: - dashed_name: user-effective-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: user.effective.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -user.effective.risk.static_score: - dashed_name: user-effective-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: user.effective.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -user.effective.risk.static_score_norm: - dashed_name: user-effective-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: user.effective.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float user.effective.roles: dashed_name: user-effective-roles description: Array of user roles at the time of the event. 
@@ -19490,86 +19010,6 @@ user.target.name: original_fieldset: user short: Short name or login of the user. type: keyword -user.target.risk.calculated_level: - dashed_name: user-target-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: user.target.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -user.target.risk.calculated_score: - dashed_name: user-target-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: user.target.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -user.target.risk.calculated_score_norm: - dashed_name: user-target-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: user.target.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -user.target.risk.static_level: - dashed_name: user-target-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: user.target.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -user.target.risk.static_score: - dashed_name: user-target-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: user.target.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -user.target.risk.static_score_norm: - dashed_name: user-target-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: user.target.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float user.target.roles: dashed_name: user-target-roles description: Array of user roles at the time of the event. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index eb0432f5d6..647a257e5f 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -699,86 +699,6 @@ client: original_fieldset: user short: Short name or login of the user. type: keyword - client.user.risk.calculated_level: - dashed_name: client-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: client.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - client.user.risk.calculated_score: - dashed_name: client-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: client.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - client.user.risk.calculated_score_norm: - dashed_name: client-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: client.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - client.user.risk.static_level: - dashed_name: client-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: client.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - client.user.risk.static_score: - dashed_name: client-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: client.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - client.user.risk.static_score_norm: - dashed_name: client-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: client.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float client.user.roles: dashed_name: client-user-roles description: Array of user roles at the time of the event. 
@@ -2109,86 +2029,6 @@ destination: original_fieldset: user short: Short name or login of the user. type: keyword - destination.user.risk.calculated_level: - dashed_name: destination-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: destination.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - destination.user.risk.calculated_score: - dashed_name: destination-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: destination.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - destination.user.risk.calculated_score_norm: - dashed_name: destination-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: destination.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - destination.user.risk.static_level: - dashed_name: destination-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: destination.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - destination.user.risk.static_score: - dashed_name: destination-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: destination.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - destination.user.risk.static_score_norm: - dashed_name: destination-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: destination.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float destination.user.roles: dashed_name: destination-user-roles description: Array of user roles at the time of the event. 
@@ -13556,86 +13396,6 @@ server: original_fieldset: user short: Short name or login of the user. type: keyword - server.user.risk.calculated_level: - dashed_name: server-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: server.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - server.user.risk.calculated_score: - dashed_name: server-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: server.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - server.user.risk.calculated_score_norm: - dashed_name: server-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: server.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - server.user.risk.static_level: - dashed_name: server-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: server.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - server.user.risk.static_score: - dashed_name: server-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: server.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - server.user.risk.static_score_norm: - dashed_name: server-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: server.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float server.user.roles: dashed_name: server-user-roles description: Array of user roles at the time of the event. 
@@ -14771,86 +14531,6 @@ source: original_fieldset: user short: Short name or login of the user. type: keyword - source.user.risk.calculated_level: - dashed_name: source-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: source.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - source.user.risk.calculated_score: - dashed_name: source-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: source.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - source.user.risk.calculated_score_norm: - dashed_name: source-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: source.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - source.user.risk.static_level: - dashed_name: source-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: source.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - source.user.risk.static_score: - dashed_name: source-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: source.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - source.user.risk.static_score_norm: - dashed_name: source-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: source.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float source.user.roles: dashed_name: source-user-roles description: Array of user roles at the time of the event. 
@@ -21209,86 +20889,6 @@ user: original_fieldset: user short: Short name or login of the user. type: keyword - user.changes.risk.calculated_level: - dashed_name: user-changes-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: user.changes.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - user.changes.risk.calculated_score: - dashed_name: user-changes-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: user.changes.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - user.changes.risk.calculated_score_norm: - dashed_name: user-changes-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: user.changes.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - user.changes.risk.static_level: - dashed_name: user-changes-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: user.changes.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - user.changes.risk.static_score: - dashed_name: user-changes-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: user.changes.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - user.changes.risk.static_score_norm: - dashed_name: user-changes-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: user.changes.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float user.changes.roles: dashed_name: user-changes-roles description: Array of user roles at the time of the event. 
@@ -21432,86 +21032,6 @@ user: original_fieldset: user short: Short name or login of the user. type: keyword - user.effective.risk.calculated_level: - dashed_name: user-effective-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: user.effective.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - user.effective.risk.calculated_score: - dashed_name: user-effective-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: user.effective.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - user.effective.risk.calculated_score_norm: - dashed_name: user-effective-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: user.effective.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - user.effective.risk.static_level: - dashed_name: user-effective-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: user.effective.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - user.effective.risk.static_score: - dashed_name: user-effective-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: user.effective.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - user.effective.risk.static_score_norm: - dashed_name: user-effective-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: user.effective.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float user.effective.roles: dashed_name: user-effective-roles description: Array of user roles at the time of the event. 
@@ -21835,86 +21355,6 @@ user: original_fieldset: user short: Short name or login of the user. type: keyword - user.target.risk.calculated_level: - dashed_name: user-target-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: user.target.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - user.target.risk.calculated_score: - dashed_name: user-target-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: user.target.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - user.target.risk.calculated_score_norm: - dashed_name: user-target-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: user.target.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - user.target.risk.static_level: - dashed_name: user-target-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: user.target.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - user.target.risk.static_score: - dashed_name: user-target-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: user.target.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - user.target.risk.static_score_norm: - dashed_name: user-target-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: user.target.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float user.target.roles: dashed_name: user-target-roles description: Array of user roles at the time of the event. diff --git a/generated/elasticsearch/composable/component/client.json b/generated/elasticsearch/composable/component/client.json index cd51d23b55..18f0c5e7f4 100644 --- a/generated/elasticsearch/composable/component/client.json +++ b/generated/elasticsearch/composable/component/client.json 
@@ -173,30 +173,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/composable/component/destination.json b/generated/elasticsearch/composable/component/destination.json index 855844200a..5e2167ce83 100644 --- a/generated/elasticsearch/composable/component/destination.json +++ b/generated/elasticsearch/composable/component/destination.json @@ -173,30 +173,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/composable/component/server.json b/generated/elasticsearch/composable/component/server.json index d0454fb9f3..8e1702686b 100644 --- a/generated/elasticsearch/composable/component/server.json +++ b/generated/elasticsearch/composable/component/server.json 
@@ -173,30 +173,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/composable/component/source.json b/generated/elasticsearch/composable/component/source.json index 30f560e22a..6bdeff848b 100644 --- a/generated/elasticsearch/composable/component/source.json +++ b/generated/elasticsearch/composable/component/source.json @@ -173,30 +173,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/composable/component/user.json b/generated/elasticsearch/composable/component/user.json index 886e42c06f..b5c348c9ab 100644 --- a/generated/elasticsearch/composable/component/user.json +++ b/generated/elasticsearch/composable/component/user.json 
@@ -60,30 +60,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "type": "keyword" @@ -146,30 +122,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "type": "keyword" @@ -302,30 +254,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index e36fdd60af..018ac00049 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json 
@@ -221,30 +221,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "type": "keyword" @@ -728,30 +704,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "type": "keyword" @@ -4305,30 +4257,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "type": "keyword" @@ -4660,30 +4588,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "type": "keyword" 
@@ -6867,30 +6771,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "type": "keyword" @@ -6953,30 +6833,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "type": "keyword" @@ -7109,30 +6965,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "type": "keyword" diff --git a/schemas/subsets/main.yml b/schemas/subsets/main.yml index 1fa4ed3644..baefd5fa68 100644 --- a/schemas/subsets/main.yml +++ b/schemas/subsets/main.yml 
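Review bot: make sure this removal is recorded in CHANGELOG.next.md as a schema change, because it is a mapping change for existing data. The composable component templates for client, destination, server, source and user, and the legacy template, all drop the whole `risk` object (`calculated_level`, `calculated_score`, `calculated_score_norm`, `static_level`, `static_score`, `static_score_norm`) from the nested `user` reuses, including `user.changes`, `user.effective` and `user.target`, while top-level `user.risk` is kept. Any index already receiving documents with, for example, `source.user.risk.calculated_score_norm` will no longer get the declared `float` type for that path and will fall back to dynamic mapping. Also confirm that nothing under generated/ was hand-edited and that the subset change in schemas/subsets/main.yml is the only source of these diffs, so a regeneration reproduces them exactly.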
@@ -8,7 +8,36 @@ fields: as: fields: "*" client: - fields: "*" + fields: + address: {} + as: + fields: "*" + bytes: {} + domain: {} + geo: + fields: "*" + ip: {} + mac: {} + nat: + fields: + ip: {} + port: {} + packets: {} + port: {} + subdomain: {} + registered_domain: {} + top_level_domain: {} + user: + fields: + domain: {} + email: {} + full_name: {} + group: + fields: "*" + hash: {} + id: {} + name: {} + roles: {} cloud: fields: "*" code_signature: @@ -18,7 +47,36 @@ fields: data_stream: fields: "*" destination: - fields: "*" + fields: + address: {} + as: + fields: "*" + bytes: {} + domain: {} + geo: + fields: "*" + ip: {} + mac: {} + nat: + fields: + ip: {} + port: {} + packets: {} + port: {} + subdomain: {} + registered_domain: {} + top_level_domain: {} + user: + fields: + domain: {} + email: {} + full_name: {} + group: + fields: "*" + hash: {} + id: {} + name: {} + roles: {} device: fields: "*" dll: @@ -385,11 +443,69 @@ fields: rule: fields: "*" server: - fields: "*" + fields: + address: {} + as: + fields: "*" + bytes: {} + domain: {} + geo: + fields: "*" + ip: {} + mac: {} + nat: + fields: + ip: {} + port: {} + packets: {} + port: {} + subdomain: {} + registered_domain: {} + top_level_domain: {} + user: + fields: + domain: {} + email: {} + full_name: {} + group: + fields: "*" + hash: {} + id: {} + name: {} + roles: {} service: fields: "*" source: - fields: "*" + fields: + address: {} + as: + fields: "*" + bytes: {} + domain: {} + geo: + fields: "*" + ip: {} + mac: {} + nat: + fields: + ip: {} + port: {} + packets: {} + port: {} + subdomain: {} + registered_domain: {} + top_level_domain: {} + user: + fields: + domain: {} + email: {} + full_name: {} + group: + fields: "*" + hash: {} + id: {} + name: {} + roles: {} threat: fields: "*" tls: 
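Review bot: replacing `fields: "*"` with explicit allowlists for `client`, `destination`, `server` and `source` means any field added to these field sets, or to the reused `user` fields, in a later PR will be silently excluded from the main subset unless this file is updated at the same time. If the only intent is to keep `user.risk.*` out of the nested reuses, say so in a comment next to each nested `user:` block so the next contributor knows why the wildcard went away. The four lists are also copy-pasted with `subdomain` placed before `registered_domain` and `top_level_domain`; keeping each list alphabetical (`..., port, registered_domain, subdomain, top_level_domain`) will make future diffs easier to read.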
@@ -401,10 +517,54 @@ fields: user_agent: fields: "*" user: - fields: "*" + fields: + changes: + fields: + domain: {} + email: {} + group: + fields: "*" + full_name: {} + hash: {} + id: {} + name: {} + roles: {} + domain: {} + effective: + fields: + domain: {} + email: {} + group: + fields: "*" + full_name: {} + hash: {} + id: {} + name: {} + roles: {} + email: {} + group: + fields: "*" + full_name: {} + hash: {} + id: {} + name: {} + risk: + fields: "*" + roles: {} + target: + fields: + domain: {} + email: {} + group: + fields: "*" + full_name: {} + hash: {} + id: {} + name: {} + roles: {} vlan: fields: "*" vulnerability: fields: "*" x509: - fields: "*" + fields: "*" \ No newline at end of file From 5b31e9df287e29602b8bd81cabfd860fa78b95a0 Mon Sep 17 00:00:00 2001 From: Kylie Geller Date: Wed, 28 Sep 2022 14:12:57 -0400 Subject: [PATCH 043/186] adding 8.6 into backport (#2066) --- .backportrc.json | 1 + 1 file changed, 1 insertion(+) diff --git a/.backportrc.json b/.backportrc.json index f8860f33df..2a29126cc1 100644 --- a/.backportrc.json +++ b/.backportrc.json @@ -2,6 +2,7 @@ "upstream": "elastic/ecs", "branches": [ { "name": "main", "checked": true }, + "8.6", "8.5", "8.4", "8.3", From ddb15d10153e7a85232714e9ec2e598cea1276ca Mon Sep 17 00:00:00 2001 From: Dominic Page <11043991+djptek@users.noreply.github.com> Date: Thu, 29 Sep 2022 17:13:26 +0200 Subject: [PATCH 044/186] cut 8.6 SFF Changelog (#2071) (#2072) --- CHANGELOG.next.md | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 04bc234a2c..1554c08672 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md 
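Review bot: the last line of the `user` hunk drops the trailing newline on `x509: fields: "*"` (`\ No newline at end of file`); restore it so the next change to schemas/subsets/main.yml does not show a spurious diff on that line. Within the hunk, keeping `risk: fields: "*"` at the top level of `user` while omitting `risk` under `changes`, `effective` and `target` reads as the intended asymmetry, but those three lists order `group` before `full_name`, unlike the nested `user` lists under `client`, `destination`, `server` and `source` in the same file, which put `full_name` first; pick one order for all of them.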
@@ -16,6 +16,32 @@ Thanks, you're awesome :-) --> #### Added +#### Improvements + +#### Deprecated + +### Tooling and Artifact Changes + +#### Breaking changes + +#### Bugfixes + +#### Added + +#### Improvements + +#### Deprecated + +## 8.6.0 (Soft Feature Freeze) + +### Schema Changes + +#### Breaking changes + +#### Bugfixes + +#### Added + * Adding `vulnerability` option for `event.catgeory`. #2029 * Added `device.*` field set as beta. #2030 From be6b90cce20fc2664afd71dd4890ed72559142ce Mon Sep 17 00:00:00 2001 From: Kylie Geller Date: Mon, 3 Oct 2022 16:13:01 -0400 Subject: [PATCH 045/186] Update to TLP (#2074) --- CHANGELOG.next.md | 3 +- docs/fields/field-details.asciidoc | 31 ++++++++++++------- experimental/generated/beats/fields.ecs.yml | 13 ++++++-- experimental/generated/csv/fields.csv | 3 +- experimental/generated/ecs/ecs_flat.yml | 30 +++++++++++------- experimental/generated/ecs/ecs_nested.yml | 30 +++++++++++------- .../composable/component/threat.json | 28 +++++++++++++++-- .../elasticsearch/legacy/template.json | 28 +++++++++++++++-- generated/beats/fields.ecs.yml | 13 ++++++-- generated/csv/fields.csv | 3 +- generated/ecs/ecs_flat.yml | 30 +++++++++++------- generated/ecs/ecs_nested.yml | 30 +++++++++++------- .../composable/component/threat.json | 28 +++++++++++++++-- generated/elasticsearch/legacy/template.json | 28 +++++++++++++++-- schemas/threat.yml | 20 +++++++++++- 15 files changed, 241 insertions(+), 77 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 1554c08672..a81732185c 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md 
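Review bot: the entry carried under the new `## 8.6.0 (Soft Feature Freeze)` header, `* Adding \`vulnerability\` option for \`event.catgeory\`. #2029`, misspells the field name; since this patch already moves that line, fix it to `event.category` here rather than letting the typo reach the release changelog. The empty `#### Added`, `#### Improvements` and `#### Deprecated` sections opened above the header for the next cycle are fine as long as the release tooling expects them in this order.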
@@ -44,10 +44,11 @@ Thanks, you're awesome :-) --> * Adding `vulnerability` option for `event.catgeory`. #2029 * Added `device.*` field set as beta. #2030 +* Added `tlp.version` to threat #2074 #### Improvements -* Added `CLEAR` and `AMBER+STRICT` as valid values for `threat.indicator.marking.tlp` to accept new [TLP 2.0](https://www.first.org/tlp/) markings - [#2022](https://github.com/elastic/ecs/issues/2022) +* Added `CLEAR` and `AMBER+STRICT` as valid values for `threat.indicator.marking.tlp` and `enrichments.indicator.marking.tlp` to accept new [TLP 2.0](https://www.first.org/tlp/) markings #2022, #2074 #### Deprecated diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index 7944632967..fd64ce6623 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -9512,23 +9512,16 @@ example: `2020-11-05T17:25:47.000Z` // =============================================================== | -[[field-threat-enrichments-indicator-marking-tlp]] -<> +[[field-threat-enrichments-indicator-marking-tlp-version]] +<> -a| Traffic Light Protocol sharing markings. - -Expected values for this field: - -* `WHITE` -* `GREEN` -* `AMBER` -* `RED` +a| Traffic Light Protocol version. type: keyword -example: `WHITE` +example: `2.0` | extended @@ -10493,6 +10486,22 @@ example: `https://attack.mitre.org/techniques/T1059/001/` // =============================================================== +| +[[field-threat-threat-indicator-marking-tlp-version]] +<> + +a| Traffic Light Protocol version. + +type: keyword + + + +example: `2.0` + +| extended + +// =============================================================== + |===== [discrete] diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 2a8b6af5c1..6deb54a00e 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
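Review bot: the generated docs in this hunk remove the `threat.enrichments.indicator.marking.tlp` entry, together with its expected values `WHITE`, `GREEN`, `AMBER` and `RED`, and put `threat.enrichments.indicator.marking.tlp.version` in its place, which contradicts the changelog line in the same patch that says `CLEAR` and `AMBER+STRICT` were added as valid values for that field. The marking field and the new version field should both exist; the new one looks like it was edited in place instead of being added as a sibling. The second docs anchor, `[[field-threat-threat-indicator-marking-tlp-version]]`, carries a doubled `threat-threat` prefix, which points at the field being declared in schemas/threat.yml as `threat.indicator.marking.tlp.version` instead of `indicator.marking.tlp.version`. In the changelog, use full field paths: `threat.enrichments.indicator.marking.tlp` rather than `enrichments.indicator.marking.tlp` in the Improvements entry, and name `threat.indicator.marking.tlp.version` and `threat.enrichments.indicator.marking.tlp.version` in the `Added \`tlp.version\` to threat #2074` entry.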
@@ -9358,12 +9358,12 @@ this indicator. example: '2020-11-05T17:25:47.000Z' default_field: false - - name: enrichments.indicator.marking.tlp + - name: enrichments.indicator.marking.tlp.version level: extended type: keyword ignore_above: 1024 - description: Traffic Light Protocol sharing markings. - example: WHITE + description: Traffic Light Protocol version. + example: 2.0 default_field: false - name: enrichments.indicator.modified_at level: extended @@ -11339,6 +11339,13 @@ \ use a MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" example: https://attack.mitre.org/techniques/T1059/001/ default_field: false + - name: threat.indicator.marking.tlp.version + level: extended + type: keyword + ignore_above: 1024 + description: Traffic Light Protocol version. + example: 2.0 + default_field: false - name: tls title: TLS group: 2 diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 843ec0bbc9..12464686bd 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -1101,7 +1101,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. -8.7.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,WHITE,Indicator TLP marking +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp.version,keyword,extended,,2.0,Indicator TLP version 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider 
@@ -1364,6 +1364,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. 8.7.0-dev+exp,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name. 8.7.0-dev+exp,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. +8.7.0-dev+exp,true,threat,threat.threat.indicator.marking.tlp.version,keyword,extended,,2.0,Indicator TLP version 8.7.0-dev+exp,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. 8.7.0-dev+exp,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. 8.7.0-dev+exp,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 93d250b037..b67efc7bcc 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -13955,21 +13955,16 @@ threat.enrichments.indicator.last_seen: normalize: [] short: Date/time indicator was last reported. type: date -threat.enrichments.indicator.marking.tlp: - dashed_name: threat-enrichments-indicator-marking-tlp - description: Traffic Light Protocol sharing markings. - example: WHITE - expected_values: - - WHITE - - GREEN - - AMBER - - RED - flat_name: threat.enrichments.indicator.marking.tlp +threat.enrichments.indicator.marking.tlp.version: + dashed_name: threat-enrichments-indicator-marking-tlp-version + description: Traffic Light Protocol version. + example: 2.0 + flat_name: threat.enrichments.indicator.marking.tlp.version ignore_above: 1024 level: extended - name: enrichments.indicator.marking.tlp + name: enrichments.indicator.marking.tlp.version normalize: [] - short: Indicator TLP marking + short: Indicator TLP version type: keyword threat.enrichments.indicator.modified_at: dashed_name: threat-enrichments-indicator-modified-at @@ -17293,6 +17288,17 @@ threat.technique.subtechnique.reference: - array short: Threat subtechnique URL reference. type: keyword +threat.threat.indicator.marking.tlp.version: + dashed_name: threat-threat-indicator-marking-tlp-version + description: Traffic Light Protocol version. + example: 2.0 + flat_name: threat.threat.indicator.marking.tlp.version + ignore_above: 1024 + level: extended + name: threat.indicator.marking.tlp.version + normalize: [] + short: Indicator TLP version + type: keyword tls.cipher: dashed_name: tls-cipher description: String indicating the cipher used during the current connection. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 3c4b0d3aa5..1857208f3c 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -16162,21 +16162,16 @@ threat: normalize: [] short: Date/time indicator was last reported. type: date - threat.enrichments.indicator.marking.tlp: - dashed_name: threat-enrichments-indicator-marking-tlp - description: Traffic Light Protocol sharing markings. - example: WHITE - expected_values: - - WHITE - - GREEN - - AMBER - - RED - flat_name: threat.enrichments.indicator.marking.tlp + threat.enrichments.indicator.marking.tlp.version: + dashed_name: threat-enrichments-indicator-marking-tlp-version + description: Traffic Light Protocol version. + example: 2.0 + flat_name: threat.enrichments.indicator.marking.tlp.version ignore_above: 1024 level: extended - name: enrichments.indicator.marking.tlp + name: enrichments.indicator.marking.tlp.version normalize: [] - short: Indicator TLP marking + short: Indicator TLP version type: keyword threat.enrichments.indicator.modified_at: dashed_name: threat-enrichments-indicator-modified-at @@ -19507,6 +19502,17 @@ threat: - array short: Threat subtechnique URL reference. type: keyword + threat.threat.indicator.marking.tlp.version: + dashed_name: threat-threat-indicator-marking-tlp-version + description: Traffic Light Protocol version. + example: 2.0 + flat_name: threat.threat.indicator.marking.tlp.version + ignore_above: 1024 + level: extended + name: threat.indicator.marking.tlp.version + normalize: [] + short: Indicator TLP version + type: keyword group: 2 name: threat nestings: diff --git a/experimental/generated/elasticsearch/composable/component/threat.json b/experimental/generated/elasticsearch/composable/component/threat.json index c659e1b512..074ee97d62 100644 --- a/experimental/generated/elasticsearch/composable/component/threat.json +++ b/experimental/generated/elasticsearch/composable/component/threat.json @@ -531,8 +531,12 @@ "marking": { "properties": { "tlp": { - "ignore_above": 1024, - "type": "keyword" + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, 
@@ -1688,6 +1692,26 @@ } } } + }, + "threat": { + "properties": { + "indicator": { + "properties": { + "marking": { + "properties": { + "tlp": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } } } } diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index cdd811e711..a606652760 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -5175,8 +5175,12 @@ "marking": { "properties": { "tlp": { - "ignore_above": 1024, - "type": "keyword" + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, @@ -6332,6 +6336,26 @@ } } } + }, + "threat": { + "properties": { + "indicator": { + "properties": { + "marking": { + "properties": { + "tlp": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } } } }, diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 409f066588..2a59b925f0 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -9308,12 +9308,12 @@ this indicator. example: '2020-11-05T17:25:47.000Z' default_field: false - - name: enrichments.indicator.marking.tlp + - name: enrichments.indicator.marking.tlp.version level: extended type: keyword ignore_above: 1024 - description: Traffic Light Protocol sharing markings. - example: WHITE + description: Traffic Light Protocol version. + example: 2.0 default_field: false - name: enrichments.indicator.modified_at level: extended 
@@ -11289,6 +11289,13 @@ \ use a MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" example: https://attack.mitre.org/techniques/T1059/001/ default_field: false + - name: threat.indicator.marking.tlp.version + level: extended + type: keyword + ignore_above: 1024 + description: Traffic Light Protocol version. + example: 2.0 + default_field: false - name: tls title: TLS group: 2 diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index d8aa0467d3..359f8b205b 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -1094,7 +1094,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 8.7.0-dev,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address 8.7.0-dev,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. -8.7.0-dev,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,WHITE,Indicator TLP marking +8.7.0-dev,true,threat,threat.enrichments.indicator.marking.tlp.version,keyword,extended,,2.0,Indicator TLP version 8.7.0-dev,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. 8.7.0-dev,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port 8.7.0-dev,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider 
@@ -1357,6 +1357,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. 8.7.0-dev,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name. 8.7.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. +8.7.0-dev,true,threat,threat.threat.indicator.marking.tlp.version,keyword,extended,,2.0,Indicator TLP version 8.7.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. 8.7.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. 8.7.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 999c6fa57a..86f5ff3440 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
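Review bot: the new row in this hunk is emitted as `threat.threat.indicator.marking.tlp.version`, a doubled `threat.` prefix, which shows the field was defined as `name: threat.indicator.marking.tlp.version` (the `name:` lines in this patch's ecs_flat and ecs_nested entries confirm it) even though the generator already prepends the `threat` field set. Define it as `name: indicator.marking.tlp.version`, matching its sibling `indicator.reference` in `schemas/threat.yml`, so the flat name becomes `threat.indicator.marking.tlp.version`; the csv, ecs_flat, ecs_nested and both Elasticsearch templates in this patch all carry the doubled path and need regenerating.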
@@ -13886,21 +13886,16 @@ threat.enrichments.indicator.last_seen: normalize: [] short: Date/time indicator was last reported. type: date -threat.enrichments.indicator.marking.tlp: - dashed_name: threat-enrichments-indicator-marking-tlp - description: Traffic Light Protocol sharing markings. - example: WHITE - expected_values: - - WHITE - - GREEN - - AMBER - - RED - flat_name: threat.enrichments.indicator.marking.tlp +threat.enrichments.indicator.marking.tlp.version: + dashed_name: threat-enrichments-indicator-marking-tlp-version + description: Traffic Light Protocol version. + example: 2.0 + flat_name: threat.enrichments.indicator.marking.tlp.version ignore_above: 1024 level: extended - name: enrichments.indicator.marking.tlp + name: enrichments.indicator.marking.tlp.version normalize: [] - short: Indicator TLP marking + short: Indicator TLP version type: keyword threat.enrichments.indicator.modified_at: dashed_name: threat-enrichments-indicator-modified-at @@ -17224,6 +17219,17 @@ threat.technique.subtechnique.reference: - array short: Threat subtechnique URL reference. type: keyword +threat.threat.indicator.marking.tlp.version: + dashed_name: threat-threat-indicator-marking-tlp-version + description: Traffic Light Protocol version. + example: 2.0 + flat_name: threat.threat.indicator.marking.tlp.version + ignore_above: 1024 + level: extended + name: threat.indicator.marking.tlp.version + normalize: [] + short: Indicator TLP version + type: keyword tls.cipher: dashed_name: tls-cipher description: String indicating the cipher used during the current connection. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 647a257e5f..03d7e5ad08 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -16082,21 +16082,16 @@ threat: normalize: [] short: Date/time indicator was last reported. type: date - threat.enrichments.indicator.marking.tlp: - dashed_name: threat-enrichments-indicator-marking-tlp - description: Traffic Light Protocol sharing markings. - example: WHITE - expected_values: - - WHITE - - GREEN - - AMBER - - RED - flat_name: threat.enrichments.indicator.marking.tlp + threat.enrichments.indicator.marking.tlp.version: + dashed_name: threat-enrichments-indicator-marking-tlp-version + description: Traffic Light Protocol version. + example: 2.0 + flat_name: threat.enrichments.indicator.marking.tlp.version ignore_above: 1024 level: extended - name: enrichments.indicator.marking.tlp + name: enrichments.indicator.marking.tlp.version normalize: [] - short: Indicator TLP marking + short: Indicator TLP version type: keyword threat.enrichments.indicator.modified_at: dashed_name: threat-enrichments-indicator-modified-at @@ -19427,6 +19422,17 @@ threat: - array short: Threat subtechnique URL reference. type: keyword + threat.threat.indicator.marking.tlp.version: + dashed_name: threat-threat-indicator-marking-tlp-version + description: Traffic Light Protocol version. + example: 2.0 + flat_name: threat.threat.indicator.marking.tlp.version + ignore_above: 1024 + level: extended + name: threat.indicator.marking.tlp.version + normalize: [] + short: Indicator TLP version + type: keyword group: 2 name: threat nestings: diff --git a/generated/elasticsearch/composable/component/threat.json b/generated/elasticsearch/composable/component/threat.json index df91aeb659..7a03c34938 100644 --- a/generated/elasticsearch/composable/component/threat.json +++ b/generated/elasticsearch/composable/component/threat.json @@ -531,8 +531,12 @@ "marking": { "properties": { "tlp": { - "ignore_above": 1024, - "type": "keyword" + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, 
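Review bot: in the composable `threat.json` hunk at the end of this region, `marking.tlp` changes from a keyword leaf (`ignore_above: 1024`, `type: keyword`) to an object whose only property is `version`, and the ecs_flat and ecs_nested hunks above delete `threat.enrichments.indicator.marking.tlp` together with its `expected_values` (WHITE, GREEN, AMBER, RED) while `schemas/threat.yml` in this same patch still defines that field and even extends its values with CLEAR and AMBER+STRICT. An Elasticsearch mapping cannot hold one path as both a keyword and an object, so nesting `version` under `tlp` silently drops the TLP marking field itself, a breaking change for any detection rule or dashboard that filters on it. Either give the version its own leaf (for example `marking.tlp_version`) or confirm the generator can express `version` as a sub-field of the `tlp` keyword; also quote `example: '2.0'` so YAML does not parse a keyword example as a float.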
@@ -1688,6 +1692,26 @@ } } } + }, + "threat": { + "properties": { + "indicator": { + "properties": { + "marking": { + "properties": { + "tlp": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } } } } diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index 018ac00049..e3bcd0fc73 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -5133,8 +5133,12 @@ "marking": { "properties": { "tlp": { - "ignore_above": 1024, - "type": "keyword" + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, @@ -6290,6 +6294,26 @@ } } } + }, + "threat": { + "properties": { + "indicator": { + "properties": { + "marking": { + "properties": { + "tlp": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } } } }, diff --git a/schemas/threat.yml b/schemas/threat.yml index 456ad0b0be..59b6328d8a 100644 --- a/schemas/threat.yml +++ b/schemas/threat.yml @@ -168,10 +168,20 @@ Traffic Light Protocol sharing markings. expected_values: - WHITE + - CLEAR - GREEN - AMBER + - AMBER+STRICT - RED - example: WHITE + example: CLEAR + + - name: enrichments.indicator.marking.tlp.version + level: extended + type: keyword + short: Indicator TLP version + description: > + Traffic Light Protocol version. + example: 2.0 - name: enrichments.indicator.reference level: extended @@ -458,6 +468,14 @@ - RED example: CLEAR + - name: threat.indicator.marking.tlp.version + level: extended + type: keyword + short: Indicator TLP version + description: > + Traffic Light Protocol version. + example: 2.0 + - name: indicator.reference level: extended type: keyword From f7f3aa62c87ba916877ea37c72efca8d5d420fc3 Mon Sep 17 00:00:00 2001 
From: Kylie Geller Date: Tue, 4 Oct 2022 16:29:52 -0400 Subject: [PATCH 046/186] Process io subset fix (#2078) --- docs/fields/field-details.asciidoc | 171 ++++++++++++++++++ experimental/generated/beats/fields.ecs.yml | 64 +++++++ experimental/generated/csv/fields.csv | 9 + experimental/generated/ecs/ecs_flat.yml | 110 +++++++++++ experimental/generated/ecs/ecs_nested.yml | 113 ++++++++++++ .../composable/component/process.json | 32 ++++ .../elasticsearch/legacy/template.json | 32 ++++ generated/beats/fields.ecs.yml | 64 +++++++ generated/csv/fields.csv | 9 + generated/ecs/ecs_flat.yml | 110 +++++++++++ generated/ecs/ecs_nested.yml | 113 ++++++++++++ .../composable/component/process.json | 32 ++++ generated/elasticsearch/legacy/template.json | 32 ++++ schemas/subsets/main.yml | 2 + 14 files changed, 893 insertions(+) diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index fd64ce6623..be17f06546 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc 
@@ -7434,6 +7434,177 @@ type: boolean example: `True` +| extended + +// =============================================================== + +| +[[field-process-io]] +<> + +a| beta:[ This field is beta and subject to change. ] + +A chunk of input or output (IO) from a single process. + +This field only appears on the top level process object, which is the process that wrote the output or read the input. + +type: object + + + + + +| extended + +// =============================================================== + +| +[[field-process-io-bytes-skipped]] +<> + +a| beta:[ This field is beta and subject to change. ] + +An array of byte offsets and lengths denoting where IO data has been skipped. + +type: object + + +Note: this field should contain an array of values. + + + + + +| extended + +// =============================================================== + +| +[[field-process-io-bytes-skipped-length]] +<> + +a| beta:[ This field is beta and subject to change. ] + +The length of bytes skipped. + +type: number + + + + + +| extended + +// =============================================================== + +| +[[field-process-io-bytes-skipped-offset]] +<> + +a| beta:[ This field is beta and subject to change. ] + +The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. + +type: number + + + + + +| extended + +// =============================================================== + +| +[[field-process-io-max-bytes-per-process-exceeded]] +<> + +a| beta:[ This field is beta and subject to change. ] + +If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting. + +type: boolean + + + + + +| extended + +// =============================================================== + +| +[[field-process-io-text]] +<> + +a| beta:[ This field is beta and subject to change. ] + +A chunk of output or input sanitized to UTF-8. + +Best efforts are made to ensure complete lines are captured in these events. 
Assumptions should NOT be made that multiple lines will appear in the same event. TTY output may contain terminal control codes such as for cursor movement, so some string queries may not match due to terminal codes inserted between characters of a word. + +type: wildcard + + + + + +| extended + +// =============================================================== + +| +[[field-process-io-total-bytes-captured]] +<> + +a| beta:[ This field is beta and subject to change. ] + +The total number of bytes captured in this event. + +type: number + + + + + +| extended + +// =============================================================== + +| +[[field-process-io-total-bytes-skipped]] +<> + +a| beta:[ This field is beta and subject to change. ] + +The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure this value is always zero + +type: number + + + + + +| extended + +// =============================================================== + +| +[[field-process-io-type]] +<> + +a| beta:[ This field is beta and subject to change. ] + +The type of object on which the IO action (read or write) was taken. + +Currently only 'tty' is supported. Other types may be added in the future for 'file' and 'socket' support. + +type: keyword + + + + + | extended // =============================================================== diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 6deb54a00e..7c1181311e 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
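Review bot: two wording problems in the new `process.io.*` descriptions propagate from this hunk into every generated file in the patch. The `process.io.total_bytes_skipped` description ends without a period after "always zero", and `process.io.max_bytes_per_process_exceeded` reports on a setting called `max_kilobytes_per_process`, so the field name (bytes) and the setting it describes (kilobytes) disagree; pick one unit and use it in both, or name the setting exactly as the shipper exposes it. The `bytes_skipped.offset` text also refers to `io.bytes` as a future field, which does not belong in a published field description.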
@@ -5908,6 +5908,70 @@ connected to the controlling TTY.' example: true default_field: false + - name: io + level: extended + type: object + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + default_field: false + - name: io.bytes_skipped + level: extended + type: object + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + default_field: false + - name: io.bytes_skipped.length + level: extended + type: number + description: The length of bytes skipped. + default_field: false + - name: io.bytes_skipped.offset + level: extended + type: number + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + default_field: false + - name: io.max_bytes_per_process_exceeded + level: extended + type: boolean + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + default_field: false + - name: io.text + level: extended + type: wildcard + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + default_field: false + - name: io.total_bytes_captured + level: extended + type: number + description: The total number of bytes captured in this event. + default_field: false + - name: io.total_bytes_skipped + level: extended + type: number + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. 
Implementors should strive to ensure + this value is always zero + default_field: false + - name: io.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + default_field: false - name: name level: extended type: keyword diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 12464686bd..cce7cbc2a6 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -664,6 +664,15 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. 8.7.0-dev+exp,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. 8.7.0-dev+exp,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.7.0-dev+exp,true,process,process.io,object,extended,,,A chunk of input or output (IO) from a single process. +8.7.0-dev+exp,true,process,process.io.bytes_skipped,object,extended,"a, r, r, a, y",,An array of byte offsets and lengths denoting where IO data has been skipped. +8.7.0-dev+exp,true,process,process.io.bytes_skipped.length,number,extended,,,The length of bytes skipped. +8.7.0-dev+exp,true,process,process.io.bytes_skipped.offset,number,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. +8.7.0-dev+exp,true,process,process.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." +8.7.0-dev+exp,true,process,process.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. +8.7.0-dev+exp,true,process,process.io.total_bytes_captured,number,extended,,,The total number of bytes captured in this event. +8.7.0-dev+exp,true,process,process.io.total_bytes_skipped,number,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. +8.7.0-dev+exp,true,process,process.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. 8.7.0-dev+exp,true,process,process.name,keyword,extended,,ssh,Process name. 8.7.0-dev+exp,true,process,process.name.text,match_only_text,extended,,ssh,Process name. 
8.7.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index b67efc7bcc..6707a1d77c 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
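Review bot: the Normalization column of the new `process.io.bytes_skipped` row reads `"a, r, r, a, y"`: the generator has iterated over the characters of a string, because this patch's ecs_flat and ecs_nested hunks emit the field's normalization as the bare scalar `normalize: array` rather than the one-item list (`normalize:` followed by `- array`) that `threat.technique.subtechnique.reference` and every other array field use. Fix the source definition of `io.bytes_skipped` (not part of this diff) to the list form and regenerate; the row should then read `array`, like the `process.parent.args` row that follows it.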
@@ -8540,6 +8540,116 @@ process.interactive: normalize: [] short: Whether the process is connected to an interactive shell. type: boolean +process.io: + beta: This field is beta and subject to change. + dashed_name: process-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.io + level: extended + name: io + normalize: [] + short: A chunk of input or output (IO) from a single process. + type: object +process.io.bytes_skipped: + beta: This field is beta and subject to change. + dashed_name: process-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has been + skipped. + flat_name: process.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: array + short: An array of byte offsets and lengths denoting where IO data has been skipped. + type: object +process.io.bytes_skipped.length: + beta: This field is beta and subject to change. + dashed_name: process-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + short: The length of bytes skipped. + type: number +process.io.bytes_skipped.offset: + beta: This field is beta and subject to change. + dashed_name: process-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + short: The byte offset into this event's io.text (or io.bytes in the future) where + length bytes were skipped. + type: number +process.io.max_bytes_per_process_exceeded: + beta: This field is beta and subject to change. 
+ dashed_name: process-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean +process.io.text: + beta: This field is beta and subject to change. + dashed_name: process-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. Assumptions + should NOT be made that multiple lines will appear in the same event. TTY output + may contain terminal control codes such as for cursor movement, so some string + queries may not match due to terminal codes inserted between characters of a word.' + flat_name: process.io.text + level: extended + name: io.text + normalize: [] + short: A chunk of output or input sanitized to UTF-8. + type: wildcard +process.io.total_bytes_captured: + beta: This field is beta and subject to change. + dashed_name: process-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + short: The total number of bytes captured in this event. + type: number +process.io.total_bytes_skipped: + beta: This field is beta and subject to change. + dashed_name: process-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. 
Implementors should strive to ensure + this value is always zero + flat_name: process.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + short: The total number of bytes that were not captured due to implementation restrictions + such as buffer size limits. + type: number +process.io.type: + beta: This field is beta and subject to change. + dashed_name: process-io-type + description: 'The type of object on which the IO action (read or write) was taken. + + Currently only ''tty'' is supported. Other types may be added in the future for + ''file'' and ''socket'' support.' + flat_name: process.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + short: The type of object on which the IO action (read or write) was taken. + type: keyword process.name: dashed_name: process-name description: 'Process name. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 1857208f3c..a71f5509c9 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -10269,6 +10269,119 @@ process: normalize: [] short: Whether the process is connected to an interactive shell. type: boolean + process.io: + beta: This field is beta and subject to change. + dashed_name: process-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.io + level: extended + name: io + normalize: [] + short: A chunk of input or output (IO) from a single process. + type: object + process.io.bytes_skipped: + beta: This field is beta and subject to change. + dashed_name: process-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + flat_name: process.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: array + short: An array of byte offsets and lengths denoting where IO data has been + skipped. + type: object + process.io.bytes_skipped.length: + beta: This field is beta and subject to change. + dashed_name: process-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + short: The length of bytes skipped. + type: number + process.io.bytes_skipped.offset: + beta: This field is beta and subject to change. + dashed_name: process-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + short: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + type: number + process.io.max_bytes_per_process_exceeded: + beta: This field is beta and subject to change. 
+ dashed_name: process-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean + process.io.text: + beta: This field is beta and subject to change. + dashed_name: process-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + flat_name: process.io.text + level: extended + name: io.text + normalize: [] + short: A chunk of output or input sanitized to UTF-8. + type: wildcard + process.io.total_bytes_captured: + beta: This field is beta and subject to change. + dashed_name: process-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + short: The total number of bytes captured in this event. + type: number + process.io.total_bytes_skipped: + beta: This field is beta and subject to change. + dashed_name: process-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. 
Implementors should strive to ensure + this value is always zero + flat_name: process.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + short: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. + type: number + process.io.type: + beta: This field is beta and subject to change. + dashed_name: process-io-type + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + flat_name: process.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + short: The type of object on which the IO action (read or write) was taken. + type: keyword process.name: dashed_name: process-name description: 'Process name. diff --git a/experimental/generated/elasticsearch/composable/component/process.json b/experimental/generated/elasticsearch/composable/component/process.json index 0053c776da..bd6d6bce10 100644 --- a/experimental/generated/elasticsearch/composable/component/process.json +++ b/experimental/generated/elasticsearch/composable/component/process.json @@ -654,6 +654,38 @@ "interactive": { "type": "boolean" }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "number" + }, + "offset": { + "type": "number" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "number" + }, + "total_bytes_skipped": { + "type": "number" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, "name": { "fields": { "text": { diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index a606652760..6d0eabf27f 100644 
--- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -3174,6 +3174,38 @@ "interactive": { "type": "boolean" }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "number" + }, + "offset": { + "type": "number" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "number" + }, + "total_bytes_skipped": { + "type": "number" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, "name": { "fields": { "text": { diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 2a59b925f0..a3e8deaf97 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -5858,6 +5858,70 @@ connected to the controlling TTY.' example: true default_field: false + - name: io + level: extended + type: object + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + default_field: false + - name: io.bytes_skipped + level: extended + type: object + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + default_field: false + - name: io.bytes_skipped.length + level: extended + type: number + description: The length of bytes skipped. + default_field: false + - name: io.bytes_skipped.offset + level: extended + type: number + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + default_field: false + - name: io.max_bytes_per_process_exceeded + level: extended + type: boolean + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + default_field: false + - name: io.text + level: extended + type: wildcard + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + default_field: false + - name: io.total_bytes_captured + level: extended + type: number + description: The total number of bytes captured in this event. + default_field: false + - name: io.total_bytes_skipped + level: extended + type: number + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. 
Implementors should strive to ensure + this value is always zero + default_field: false + - name: io.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + default_field: false - name: name level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 359f8b205b..f502accf2d 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -657,6 +657,15 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. 8.7.0-dev,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. 8.7.0-dev,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.7.0-dev,true,process,process.io,object,extended,,,A chunk of input or output (IO) from a single process. +8.7.0-dev,true,process,process.io.bytes_skipped,object,extended,"a, r, r, a, y",,An array of byte offsets and lengths denoting where IO data has been skipped. +8.7.0-dev,true,process,process.io.bytes_skipped.length,number,extended,,,The length of bytes skipped. +8.7.0-dev,true,process,process.io.bytes_skipped.offset,number,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. +8.7.0-dev,true,process,process.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." +8.7.0-dev,true,process,process.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. +8.7.0-dev,true,process,process.io.total_bytes_captured,number,extended,,,The total number of bytes captured in this event. +8.7.0-dev,true,process,process.io.total_bytes_skipped,number,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. +8.7.0-dev,true,process,process.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. 8.7.0-dev,true,process,process.name,keyword,extended,,ssh,Process name. 8.7.0-dev,true,process,process.name.text,match_only_text,extended,,ssh,Process name. 8.7.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 
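Review bot: the Type column in this CSV hunk lists `number` for `process.io.bytes_skipped.length`, `process.io.bytes_skipped.offset`, `process.io.total_bytes_captured` and `process.io.total_bytes_skipped`, and the generated composable component and legacy template hunks in this same patch carry that through as `"type": "number"`; Elasticsearch has no `number` mapping type (its integer types are `long`, `integer`, `short` and `byte`), so installing either template would fail with a mapping-parser error on those four fields. Declare them as `long` in the source definition, which is also the usual ECS choice for byte counts, and regenerate. Two further points are visible in the same rows. The Normalization column for `process.io.bytes_skipped` reads `"a, r, r, a, y"`, the string `array` split into characters, which matches the bare scalar `normalize: array` in the generated ecs_flat.yml and ecs_nested.yml hunks; every other array field uses a list (compare `process.parent.args`, rendered as `array` on the context line below), so the definition should read `normalize:` followed by a `- array` list item. And `bytes_skipped` is mapped as `type: object` while holding an array of `{offset, length}` pairs; with an `object` mapping Elasticsearch flattens the array, so a query cannot tell which `offset` belongs to which `length`. If consumers are expected to correlate the two, the field set should say so explicitly, either by choosing a `nested` mapping or by noting in the description that the pairing is only preserved in `_source`. A smaller naming point: `max_bytes_per_process_exceeded` refers to a `max_kilobytes_per_process` setting, so the field name and the setting it reports on disagree on units; pick one.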
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 86f5ff3440..9bd35fad8d 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -8471,6 +8471,116 @@ process.interactive: normalize: [] short: Whether the process is connected to an interactive shell. type: boolean +process.io: + beta: This field is beta and subject to change. + dashed_name: process-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.io + level: extended + name: io + normalize: [] + short: A chunk of input or output (IO) from a single process. + type: object +process.io.bytes_skipped: + beta: This field is beta and subject to change. + dashed_name: process-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has been + skipped. + flat_name: process.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: array + short: An array of byte offsets and lengths denoting where IO data has been skipped. + type: object +process.io.bytes_skipped.length: + beta: This field is beta and subject to change. + dashed_name: process-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + short: The length of bytes skipped. + type: number +process.io.bytes_skipped.offset: + beta: This field is beta and subject to change. + dashed_name: process-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + short: The byte offset into this event's io.text (or io.bytes in the future) where + length bytes were skipped. + type: number +process.io.max_bytes_per_process_exceeded: + beta: This field is beta and subject to change. 
+ dashed_name: process-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean +process.io.text: + beta: This field is beta and subject to change. + dashed_name: process-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. Assumptions + should NOT be made that multiple lines will appear in the same event. TTY output + may contain terminal control codes such as for cursor movement, so some string + queries may not match due to terminal codes inserted between characters of a word.' + flat_name: process.io.text + level: extended + name: io.text + normalize: [] + short: A chunk of output or input sanitized to UTF-8. + type: wildcard +process.io.total_bytes_captured: + beta: This field is beta and subject to change. + dashed_name: process-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + short: The total number of bytes captured in this event. + type: number +process.io.total_bytes_skipped: + beta: This field is beta and subject to change. + dashed_name: process-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. 
Implementors should strive to ensure + this value is always zero + flat_name: process.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + short: The total number of bytes that were not captured due to implementation restrictions + such as buffer size limits. + type: number +process.io.type: + beta: This field is beta and subject to change. + dashed_name: process-io-type + description: 'The type of object on which the IO action (read or write) was taken. + + Currently only ''tty'' is supported. Other types may be added in the future for + ''file'' and ''socket'' support.' + flat_name: process.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + short: The type of object on which the IO action (read or write) was taken. + type: keyword process.name: dashed_name: process-name description: 'Process name. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 03d7e5ad08..049ae73a72 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -10189,6 +10189,119 @@ process: normalize: [] short: Whether the process is connected to an interactive shell. type: boolean + process.io: + beta: This field is beta and subject to change. + dashed_name: process-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.io + level: extended + name: io + normalize: [] + short: A chunk of input or output (IO) from a single process. + type: object + process.io.bytes_skipped: + beta: This field is beta and subject to change. + dashed_name: process-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + flat_name: process.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: array + short: An array of byte offsets and lengths denoting where IO data has been + skipped. + type: object + process.io.bytes_skipped.length: + beta: This field is beta and subject to change. + dashed_name: process-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + short: The length of bytes skipped. + type: number + process.io.bytes_skipped.offset: + beta: This field is beta and subject to change. + dashed_name: process-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + short: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + type: number + process.io.max_bytes_per_process_exceeded: + beta: This field is beta and subject to change. 
+ dashed_name: process-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean + process.io.text: + beta: This field is beta and subject to change. + dashed_name: process-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + flat_name: process.io.text + level: extended + name: io.text + normalize: [] + short: A chunk of output or input sanitized to UTF-8. + type: wildcard + process.io.total_bytes_captured: + beta: This field is beta and subject to change. + dashed_name: process-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + short: The total number of bytes captured in this event. + type: number + process.io.total_bytes_skipped: + beta: This field is beta and subject to change. + dashed_name: process-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. 
Implementors should strive to ensure + this value is always zero + flat_name: process.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + short: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. + type: number + process.io.type: + beta: This field is beta and subject to change. + dashed_name: process-io-type + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + flat_name: process.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + short: The type of object on which the IO action (read or write) was taken. + type: keyword process.name: dashed_name: process-name description: 'Process name. diff --git a/generated/elasticsearch/composable/component/process.json b/generated/elasticsearch/composable/component/process.json index 1e17cf255d..1268acae31 100644 --- a/generated/elasticsearch/composable/component/process.json +++ b/generated/elasticsearch/composable/component/process.json @@ -654,6 +654,38 @@ "interactive": { "type": "boolean" }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "number" + }, + "offset": { + "type": "number" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "number" + }, + "total_bytes_skipped": { + "type": "number" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, "name": { "fields": { "text": { diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index e3bcd0fc73..07590b8585 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json 
@@ -3132,6 +3132,38 @@ "interactive": { "type": "boolean" }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "number" + }, + "offset": { + "type": "number" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "number" + }, + "total_bytes_skipped": { + "type": "number" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, "name": { "fields": { "text": { diff --git a/schemas/subsets/main.yml b/schemas/subsets/main.yml index baefd5fa68..b836b721ea 100644 --- a/schemas/subsets/main.yml +++ b/schemas/subsets/main.yml @@ -263,6 +263,8 @@ fields: hash: fields: "*" interactive: {} + io: + fields: "*" name: {} parent: fields: From 0503aa112a97fb81cde45d0cce0b8b78afad4c99 Mon Sep 17 00:00:00 2001 From: Taylor Swanson <90622908+taylor-swanson@users.noreply.github.com> Date: Wed, 5 Oct 2022 08:10:53 -0500 Subject: [PATCH 047/186] Cutting 8.5 changelog for HFF (#2056) (#2057) * Cutting 8.5 changelog for HFF Co-authored-by: Dominic Page <11043991+djptek@users.noreply.github.com> --- CHANGELOG.next.md | 17 ++--------------- 1 file changed, 2 insertions(+), 15 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index a81732185c..b22855b665 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -64,14 +64,10 @@ Thanks, you're awesome :-) --> #### Deprecated -## 8.5.0 (Soft Feature Freeze) +## 8.5.0 (Hard Feature Freeze) ### Schema Changes -#### Breaking changes - -#### Bugfixes - #### Added * Adding `risk.*` fields as experimental. #1994, #2010 
@@ -86,21 +82,12 @@ Thanks, you're awesome :-) --> * Advances `threat.enrichments.indicator` to GA. #1928 * Added `ios` and `android` as valid values for `os.type` #1999 -#### Deprecated - ### Tooling and Artifact Changes -#### Breaking changes - #### Bugfixes * Added Deprecation Warning for `misspell` task #1993 - -#### Added - -#### Improvements - -#### Deprecated +* Fix typo in client schema #2014 ### Schema Changes +* Fields added to process, user and group fieldsets in RFC 0030 (Linux event model) are now GA. Beta removed. + #### Added * Adding `risk.*` fields as experimental. #1994, #2010 diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index be17f06546..3733957723 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -7337,9 +7337,7 @@ example: `c2c455d9f99375d` [[field-process-entry-meta-type]] <> -a| beta:[ This field is beta and subject to change. ] - -The entry type for the entry session leader. Values include: init(e.g systemd), sshd, ssm, kubelet, teleport, terminal, console +a| The entry type for the entry session leader. Values include: init(e.g systemd), sshd, ssm, kubelet, teleport, terminal, console Note: This field is only set on process.session_leader. @@ -7420,9 +7418,7 @@ example: `137` [[field-process-interactive]] <> -a| beta:[ This field is beta and subject to change. ] - -Whether the process is connected to an interactive shell. +a| Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. 
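Review bot: in the CHANGELOG.next.md hunk (`@@ -86,21 +82,12 @@`), the new entry `* Fields added to process, user and group fieldsets in RFC 0030 (Linux event model) are now GA. Beta removed.` is inserted directly under `### Schema Changes` with no `#### ` category heading above it, while every other entry in the file sits under a category such as `#### Added`, `#### Improvements`, `#### Bugfixes` or `#### Deprecated`. Move it under the matching category heading (an entry promoting beta fields to GA reads as an improvement) so the release notes keep their structure. The entry also lacks the trailing PR reference that the neighbouring entries carry (`#2014`, `#1994, #2010`); add the number of the PR that removed the beta flags.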
@@ -7671,9 +7667,7 @@ example: `4242` [[field-process-same-as-process]] <> -a| beta:[ This field is beta and subject to change. ] - -This boolean is used to identify if a leader process is the same as the top level process. +a| This boolean is used to identify if a leader process is the same as the top level process. For example, if `process.group_leader.same_as_process = true`, it means the process event in question is the leader of its process group. Details under `process.*` like `pid` would be the same under `process.group_leader.*` The same applies for both `process.session_leader` and `process.entry_leader`. @@ -7769,9 +7763,7 @@ Multi-fields: [[field-process-tty]] <> -a| beta:[ This field is beta and subject to change. ] - -Information about the controlling TTY device. If set, the process belongs to an interactive session. +a| Information about the controlling TTY device. If set, the process belongs to an interactive session. type: object @@ -7787,9 +7779,7 @@ type: object [[field-process-tty-char-device-major]] <> -a| beta:[ This field is beta and subject to change. ] - -The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. +a| The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. type: long 
@@ -7805,9 +7795,7 @@ example: `4` [[field-process-tty-char-device-minor]] <> -a| beta:[ This field is beta and subject to change. ] - -The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them. +a| The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them. type: long 
@@ -7973,49 +7961,43 @@ These fields contain Linux Executable Linkable Format (ELF) metadata. | `process.entry_leader.*` -| <>| beta:[ Reusing the `process` fields in this location is currently considered beta.] - -First process from terminal or remote access via SSH, SSM, etc OR a service directly started by the init process. +| <> +| First process from terminal or remote access via SSH, SSM, etc OR a service directly started by the init process. // =============================================================== | `process.entry_leader.parent.*` -| <>| beta:[ Reusing the `process` fields in this location is currently considered beta.] - -Information about the entry leader's parent process. Only pid, start and entity_id fields are set. +| <> +| Information about the entry leader's parent process. Only pid, start and entity_id fields are set. // =============================================================== | `process.entry_leader.parent.session_leader.*` -| <>| beta:[ Reusing the `process` fields in this location is currently considered beta.] - -Information about the parent session of the entry leader. Only pid, start and entity_id fields are set. +| <> +| Information about the parent session of the entry leader. Only pid, start and entity_id fields are set. // =============================================================== | `process.entry_meta.source.*` -| <>| beta:[ Reusing the `source` fields in this location is currently considered beta.] - -Remote client information such as ip, port and geo location. +| <> +| Remote client information such as ip, port and geo location. // =============================================================== | `process.group.*` -| <>| beta:[ Reusing the `group` fields in this location is currently considered beta.] - -The effective group (egid). +| <> +| The effective group (egid). 
// =============================================================== | `process.group_leader.*` -| <>| beta:[ Reusing the `process` fields in this location is currently considered beta.] - -Information about the process group leader. In some cases this may be the same as the top level process. +| <> +| Information about the process group leader. In some cases this may be the same as the top level process. // =============================================================== @@ -8035,9 +8017,8 @@ Information about the process group leader. In some cases this may be the same a | `process.parent.group_leader.*` -| <>| beta:[ Reusing the `process` fields in this location is currently considered beta.] - -Information about the parent's process group leader. Only pid, start and entity_id fields are set. +| <> +| Information about the parent's process group leader. Only pid, start and entity_id fields are set. // =============================================================== @@ -8050,9 +8031,8 @@ Information about the parent's process group leader. Only pid, start and entity_ | `process.previous.*` -| <>| beta:[ Reusing the `process` fields in this location is currently considered beta.] - -An array of previous executions for the process, including the initial fork. Only executable and args are set. +| <> +| An array of previous executions for the process, including the initial fork. Only executable and args are set. Note: this reuse should contain an array of process field set objects. 
@@ -8060,65 +8040,57 @@ Note: this reuse should contain an array of process field set objects. | `process.real_group.*` -| <>| beta:[ Reusing the `group` fields in this location is currently considered beta.] - -The real group (rgid). +| <> +| The real group (rgid). // =============================================================== | `process.real_user.*` -| <>| beta:[ Reusing the `user` fields in this location is currently considered beta.] - -The real user (ruid). Identifies the real owner of the process. +| <> +| The real user (ruid). Identifies the real owner of the process. // =============================================================== | `process.saved_group.*` -| <>| beta:[ Reusing the `group` fields in this location is currently considered beta.] - -The saved group (sgid). +| <> +| The saved group (sgid). // =============================================================== | `process.saved_user.*` -| <>| beta:[ Reusing the `user` fields in this location is currently considered beta.] - -The saved user (suid). +| <> +| The saved user (suid). // =============================================================== | `process.session_leader.*` -| <>| beta:[ Reusing the `process` fields in this location is currently considered beta.] - -Often the same as entry_leader. When it differs, it represents a session started within another session. e.g. using tmux +| <> +| Often the same as entry_leader. When it differs, it represents a session started within another session. e.g. using tmux // =============================================================== | `process.session_leader.parent.*` -| <>| beta:[ Reusing the `process` fields in this location is currently considered beta.] - -Information about the session leader's parent process. Only pid, start and entity_id fields are set. +| <> +| Information about the session leader's parent process. Only pid, start and entity_id fields are set. 
// =============================================================== | `process.session_leader.parent.session_leader.*` -| <>| beta:[ Reusing the `process` fields in this location is currently considered beta.] - -Information about the parent session of the session leader. Only pid, start and entity_id fields are set. +| <> +| Information about the parent session of the session leader. Only pid, start and entity_id fields are set. // =============================================================== | `process.supplemental_groups.*` -| <>| beta:[ Reusing the `group` fields in this location is currently considered beta.] - -An array of supplemental groups. +| <> +| An array of supplemental groups. Note: this reuse should contain an array of group field set objects. @@ -8126,9 +8098,8 @@ Note: this reuse should contain an array of group field set objects. | `process.user.*` -| <>| beta:[ Reusing the `user` fields in this location is currently considered beta.] - -The effective user (euid). +| <> +| The effective user (euid). // =============================================================== diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 6707a1d77c..c1878e6bed 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -7549,7 +7549,6 @@ process.entry_leader.entry_meta.source.ip: short: IP address of the source. type: ip process.entry_leader.entry_meta.type: - beta: This field is beta and subject to change. dashed_name: process-entry-leader-entry-meta-type description: 'The entry type for the entry session leader. Values include: init(e.g systemd), sshd, ssm, kubelet, teleport, terminal, console 
@@ -7602,7 +7601,6 @@ process.entry_leader.group.name: short: Name of the group. type: keyword process.entry_leader.interactive: - beta: This field is beta and subject to change. dashed_name: process-entry-leader-interactive description: 'Whether the process is connected to an interactive shell. @@ -7790,7 +7788,6 @@ process.entry_leader.real_user.name: short: Short name or login of the user. type: keyword process.entry_leader.same_as_process: - beta: This field is beta and subject to change. dashed_name: process-entry-leader-same-as-process description: 'This boolean is used to identify if a leader process is the same as the top level process. @@ -7904,7 +7901,6 @@ process.entry_leader.supplemental_groups.name: short: Name of the group. type: keyword process.entry_leader.tty: - beta: This field is beta and subject to change. dashed_name: process-entry-leader-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. @@ -7916,7 +7912,6 @@ process.entry_leader.tty: short: Information about the controlling TTY device. type: object process.entry_leader.tty.char_device.major: - beta: This field is beta and subject to change. dashed_name: process-entry-leader-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined @@ -7931,7 +7926,6 @@ process.entry_leader.tty.char_device.major: short: The TTY character device's major number. type: long process.entry_leader.tty.char_device.minor: - beta: This field is beta and subject to change. dashed_name: process-entry-leader-tty-char-device-minor description: "The minor number is used only by the driver specified by the major\ \ number; other parts of the kernel don\u2019t use it, and merely pass it along\ 
@@ -8141,7 +8135,6 @@ process.group_leader.group.name: short: Name of the group. type: keyword process.group_leader.interactive: - beta: This field is beta and subject to change. dashed_name: process-group-leader-interactive description: 'Whether the process is connected to an interactive shell. @@ -8243,7 +8236,6 @@ process.group_leader.real_user.name: short: Short name or login of the user. type: keyword process.group_leader.same_as_process: - beta: This field is beta and subject to change. dashed_name: process-group-leader-same-as-process description: 'This boolean is used to identify if a leader process is the same as the top level process. @@ -8357,7 +8349,6 @@ process.group_leader.supplemental_groups.name: short: Name of the group. type: keyword process.group_leader.tty: - beta: This field is beta and subject to change. dashed_name: process-group-leader-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. @@ -8369,7 +8360,6 @@ process.group_leader.tty: short: Information about the controlling TTY device. type: object process.group_leader.tty.char_device.major: - beta: This field is beta and subject to change. dashed_name: process-group-leader-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined @@ -8384,7 +8374,6 @@ process.group_leader.tty.char_device.major: short: The TTY character device's major number. type: long process.group_leader.tty.char_device.minor: - beta: This field is beta and subject to change. dashed_name: process-group-leader-tty-char-device-minor description: "The minor number is used only by the driver specified by the major\ \ number; other parts of the kernel don\u2019t use it, and merely pass it along\ 
@@ -8520,7 +8509,6 @@ process.hash.tlsh: short: TLSH hash. type: keyword process.interactive: - beta: This field is beta and subject to change. dashed_name: process-interactive description: 'Whether the process is connected to an interactive shell. @@ -9373,7 +9361,6 @@ process.parent.hash.tlsh: short: TLSH hash. type: keyword process.parent.interactive: - beta: This field is beta and subject to change. dashed_name: process-parent-interactive description: 'Whether the process is connected to an interactive shell. @@ -9718,7 +9705,6 @@ process.parent.title: short: Process title. type: keyword process.parent.tty: - beta: This field is beta and subject to change. dashed_name: process-parent-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. @@ -9730,7 +9716,6 @@ process.parent.tty: short: Information about the controlling TTY device. type: object process.parent.tty.char_device.major: - beta: This field is beta and subject to change. dashed_name: process-parent-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined @@ -9745,7 +9730,6 @@ process.parent.tty.char_device.major: short: The TTY character device's major number. type: long process.parent.tty.char_device.minor: - beta: This field is beta and subject to change. dashed_name: process-parent-tty-char-device-minor description: "The minor number is used only by the driver specified by the major\ \ number; other parts of the kernel don\u2019t use it, and merely pass it along\ @@ -10197,7 +10181,6 @@ process.session_leader.group.name: short: Name of the group. type: keyword process.session_leader.interactive: - beta: This field is beta and subject to change. dashed_name: process-session-leader-interactive description: 'Whether the process is connected to an interactive shell. 
@@ -10385,7 +10368,6 @@ process.session_leader.real_user.name: short: Short name or login of the user. type: keyword process.session_leader.same_as_process: - beta: This field is beta and subject to change. dashed_name: process-session-leader-same-as-process description: 'This boolean is used to identify if a leader process is the same as the top level process. @@ -10499,7 +10481,6 @@ process.session_leader.supplemental_groups.name: short: Name of the group. type: keyword process.session_leader.tty: - beta: This field is beta and subject to change. dashed_name: process-session-leader-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. @@ -10511,7 +10492,6 @@ process.session_leader.tty: short: Information about the controlling TTY device. type: object process.session_leader.tty.char_device.major: - beta: This field is beta and subject to change. dashed_name: process-session-leader-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined @@ -10526,7 +10506,6 @@ process.session_leader.tty.char_device.major: short: The TTY character device's major number. type: long process.session_leader.tty.char_device.minor: - beta: This field is beta and subject to change. dashed_name: process-session-leader-tty-char-device-minor description: "The minor number is used only by the driver specified by the major\ \ number; other parts of the kernel don\u2019t use it, and merely pass it along\ @@ -10656,7 +10635,6 @@ process.title: short: Process title. type: keyword process.tty: - beta: This field is beta and subject to change. dashed_name: process-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. 
@@ -10667,7 +10645,6 @@ process.tty: short: Information about the controlling TTY device. type: object process.tty.char_device.major: - beta: This field is beta and subject to change. dashed_name: process-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined @@ -10681,7 +10658,6 @@ process.tty.char_device.major: short: The TTY character device's major number. type: long process.tty.char_device.minor: - beta: This field is beta and subject to change. dashed_name: process-tty-char-device-minor description: "The minor number is used only by the driver specified by the major\ \ number; other parts of the kernel don\u2019t use it, and merely pass it along\ diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index a71f5509c9..1214656eb3 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -6015,22 +6015,18 @@ group: full: user.group - as: group at: process - beta: Reusing the `group` fields in this location is currently considered beta. full: process.group short_override: The effective group (egid). - as: real_group at: process - beta: Reusing the `group` fields in this location is currently considered beta. full: process.real_group short_override: The real group (rgid). - as: saved_group at: process - beta: Reusing the `group` fields in this location is currently considered beta. full: process.saved_group short_override: The saved group (sgid). - as: supplemental_groups at: process - beta: Reusing the `group` fields in this location is currently considered beta. full: process.supplemental_groups normalize: - array 
@@ -9278,7 +9274,6 @@ process: short: IP address of the source. type: ip process.entry_leader.entry_meta.type: - beta: This field is beta and subject to change. dashed_name: process-entry-leader-entry-meta-type description: 'The entry type for the entry session leader. Values include: init(e.g systemd), sshd, ssm, kubelet, teleport, terminal, console @@ -9331,7 +9326,6 @@ process: short: Name of the group. type: keyword process.entry_leader.interactive: - beta: This field is beta and subject to change. dashed_name: process-entry-leader-interactive description: 'Whether the process is connected to an interactive shell. @@ -9519,7 +9513,6 @@ process: short: Short name or login of the user. type: keyword process.entry_leader.same_as_process: - beta: This field is beta and subject to change. dashed_name: process-entry-leader-same-as-process description: 'This boolean is used to identify if a leader process is the same as the top level process. @@ -9633,7 +9626,6 @@ process: short: Name of the group. type: keyword process.entry_leader.tty: - beta: This field is beta and subject to change. dashed_name: process-entry-leader-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. @@ -9645,7 +9637,6 @@ process: short: Information about the controlling TTY device. type: object process.entry_leader.tty.char_device.major: - beta: This field is beta and subject to change. dashed_name: process-entry-leader-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined 
@@ -9660,7 +9651,6 @@ process: short: The TTY character device's major number. type: long process.entry_leader.tty.char_device.minor: - beta: This field is beta and subject to change. dashed_name: process-entry-leader-tty-char-device-minor description: "The minor number is used only by the driver specified by the major\ \ number; other parts of the kernel don\u2019t use it, and merely pass it\ @@ -9870,7 +9860,6 @@ process: short: Name of the group. type: keyword process.group_leader.interactive: - beta: This field is beta and subject to change. dashed_name: process-group-leader-interactive description: 'Whether the process is connected to an interactive shell. @@ -9972,7 +9961,6 @@ process: short: Short name or login of the user. type: keyword process.group_leader.same_as_process: - beta: This field is beta and subject to change. dashed_name: process-group-leader-same-as-process description: 'This boolean is used to identify if a leader process is the same as the top level process. @@ -10086,7 +10074,6 @@ process: short: Name of the group. type: keyword process.group_leader.tty: - beta: This field is beta and subject to change. dashed_name: process-group-leader-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. @@ -10098,7 +10085,6 @@ process: short: Information about the controlling TTY device. type: object process.group_leader.tty.char_device.major: - beta: This field is beta and subject to change. dashed_name: process-group-leader-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined 
@@ -10113,7 +10099,6 @@ process: short: The TTY character device's major number. type: long process.group_leader.tty.char_device.minor: - beta: This field is beta and subject to change. dashed_name: process-group-leader-tty-char-device-minor description: "The minor number is used only by the driver specified by the major\ \ number; other parts of the kernel don\u2019t use it, and merely pass it\ @@ -10249,7 +10234,6 @@ process: short: TLSH hash. type: keyword process.interactive: - beta: This field is beta and subject to change. dashed_name: process-interactive description: 'Whether the process is connected to an interactive shell. @@ -11105,7 +11089,6 @@ process: short: TLSH hash. type: keyword process.parent.interactive: - beta: This field is beta and subject to change. dashed_name: process-parent-interactive description: 'Whether the process is connected to an interactive shell. @@ -11450,7 +11433,6 @@ process: short: Process title. type: keyword process.parent.tty: - beta: This field is beta and subject to change. dashed_name: process-parent-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. @@ -11462,7 +11444,6 @@ process: short: Information about the controlling TTY device. type: object process.parent.tty.char_device.major: - beta: This field is beta and subject to change. dashed_name: process-parent-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined @@ -11477,7 +11458,6 @@ process: short: The TTY character device's major number. type: long process.parent.tty.char_device.minor: - beta: This field is beta and subject to change. dashed_name: process-parent-tty-char-device-minor description: "The minor number is used only by the driver specified by the major\ \ number; other parts of the kernel don\u2019t use it, and merely pass it\ 
@@ -11929,7 +11909,6 @@ process: short: Name of the group. type: keyword process.session_leader.interactive: - beta: This field is beta and subject to change. dashed_name: process-session-leader-interactive description: 'Whether the process is connected to an interactive shell. @@ -12117,7 +12096,6 @@ process: short: Short name or login of the user. type: keyword process.session_leader.same_as_process: - beta: This field is beta and subject to change. dashed_name: process-session-leader-same-as-process description: 'This boolean is used to identify if a leader process is the same as the top level process. @@ -12231,7 +12209,6 @@ process: short: Name of the group. type: keyword process.session_leader.tty: - beta: This field is beta and subject to change. dashed_name: process-session-leader-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. @@ -12243,7 +12220,6 @@ process: short: Information about the controlling TTY device. type: object process.session_leader.tty.char_device.major: - beta: This field is beta and subject to change. dashed_name: process-session-leader-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined @@ -12258,7 +12234,6 @@ process: short: The TTY character device's major number. type: long process.session_leader.tty.char_device.minor: - beta: This field is beta and subject to change. dashed_name: process-session-leader-tty-char-device-minor description: "The minor number is used only by the driver specified by the major\ \ number; other parts of the kernel don\u2019t use it, and merely pass it\ 
@@ -12388,7 +12363,6 @@ process: short: Process title. type: keyword process.tty: - beta: This field is beta and subject to change. dashed_name: process-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. @@ -12399,7 +12373,6 @@ process: short: Information about the controlling TTY device. type: object process.tty.char_device.major: - beta: This field is beta and subject to change. dashed_name: process-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined @@ -12413,7 +12386,6 @@ process: short: The TTY character device's major number. type: long process.tty.char_device.minor: - beta: This field is beta and subject to change. dashed_name: process-tty-char-device-minor description: "The minor number is used only by the driver specified by the major\ \ number; other parts of the kernel don\u2019t use it, and merely pass it\ 
@@ -12543,64 +12515,46 @@ process: short_override: Information about the parent process. - as: entry_leader at: process - beta: Reusing the `process` fields in this location is currently considered - beta. full: process.entry_leader short_override: First process from terminal or remote access via SSH, SSM, etc OR a service directly started by the init process. - as: session_leader at: process - beta: Reusing the `process` fields in this location is currently considered - beta. full: process.session_leader short_override: Often the same as entry_leader. When it differs, it represents a session started within another session. e.g. using tmux - as: group_leader at: process - beta: Reusing the `process` fields in this location is currently considered - beta. full: process.group_leader short_override: Information about the process group leader. In some cases this may be the same as the top level process. - as: group_leader at: process.parent - beta: Reusing the `process` fields in this location is currently considered - beta. full: process.parent.group_leader short_override: Information about the parent's process group leader. Only pid, start and entity_id fields are set. - as: parent at: process.entry_leader - beta: Reusing the `process` fields in this location is currently considered - beta. full: process.entry_leader.parent short_override: Information about the entry leader's parent process. Only pid, start and entity_id fields are set. - as: parent at: process.session_leader - beta: Reusing the `process` fields in this location is currently considered - beta. full: process.session_leader.parent short_override: Information about the session leader's parent process. Only pid, start and entity_id fields are set. - as: session_leader at: process.entry_leader.parent - beta: Reusing the `process` fields in this location is currently considered - beta. full: process.entry_leader.parent.session_leader short_override: Information about the parent session of the entry leader. 
Only pid, start and entity_id fields are set. - as: session_leader at: process.session_leader.parent - beta: Reusing the `process` fields in this location is currently considered - beta. full: process.session_leader.parent.session_leader short_override: Information about the parent session of the session leader. Only pid, start and entity_id fields are set. - as: previous at: process - beta: Reusing the `process` fields in this location is currently considered - beta. full: process.previous normalize: &id001 - array @@ -12608,20 +12562,16 @@ process: initial fork. Only executable and args are set. top_level: true reused_here: - - beta: Reusing the `group` fields in this location is currently considered beta. - full: process.group + - full: process.group schema_name: group short: The effective group (egid). - - beta: Reusing the `group` fields in this location is currently considered beta. - full: process.real_group + - full: process.real_group schema_name: group short: The real group (rgid). - - beta: Reusing the `group` fields in this location is currently considered beta. - full: process.saved_group + - full: process.saved_group schema_name: group short: The saved group (sgid). - - beta: Reusing the `group` fields in this location is currently considered beta. - full: process.supplemental_groups + - full: process.supplemental_groups normalize: - array schema_name: group 
@@ -12646,20 +12596,16 @@ process: full: process.elf schema_name: elf short: These fields contain Linux Executable Linkable Format (ELF) metadata. - - beta: Reusing the `source` fields in this location is currently considered beta. - full: process.entry_meta.source + - full: process.entry_meta.source schema_name: source short: Remote client information such as ip, port and geo location. - - beta: Reusing the `user` fields in this location is currently considered beta. - full: process.user + - full: process.user schema_name: user short: The effective user (euid). - - beta: Reusing the `user` fields in this location is currently considered beta. - full: process.saved_user + - full: process.saved_user schema_name: user short: The saved user (suid). - - beta: Reusing the `user` fields in this location is currently considered beta. - full: process.real_user + - full: process.real_user schema_name: user short: The real user (ruid). Identifies the real owner of the process. - beta: Reusing the `user` fields in this location is currently considered beta. 
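Review bot: the `reused_here` hunk at 12646 ends on an unchanged context line `- beta: Reusing the `user` fields in this location is currently considered beta.` right after the `process.real_user` entry, so one `user` reuse under `process` deliberately keeps its beta marker while `process.user`, `process.saved_user` and `process.real_user` lose theirs; the later `user:` hunk at 21604 likewise stops just before `- as: attested_user`, which suggests that is the reuse left in beta. State this explicitly in the changelog entry so readers do not assume every `user` reuse under `process.*` went GA with this change.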
@@ -12670,48 +12616,39 @@ process: - full: process.parent schema_name: process short: Information about the parent process. - - beta: Reusing the `process` fields in this location is currently considered beta. - full: process.entry_leader + - full: process.entry_leader schema_name: process short: First process from terminal or remote access via SSH, SSM, etc OR a service directly started by the init process. - - beta: Reusing the `process` fields in this location is currently considered beta. - full: process.session_leader + - full: process.session_leader schema_name: process short: Often the same as entry_leader. When it differs, it represents a session started within another session. e.g. using tmux - - beta: Reusing the `process` fields in this location is currently considered beta. - full: process.group_leader + - full: process.group_leader schema_name: process short: Information about the process group leader. In some cases this may be the same as the top level process. - - beta: Reusing the `process` fields in this location is currently considered beta. - full: process.parent.group_leader + - full: process.parent.group_leader schema_name: process short: Information about the parent's process group leader. Only pid, start and entity_id fields are set. - - beta: Reusing the `process` fields in this location is currently considered beta. - full: process.entry_leader.parent + - full: process.entry_leader.parent schema_name: process short: Information about the entry leader's parent process. Only pid, start and entity_id fields are set. - - beta: Reusing the `process` fields in this location is currently considered beta. - full: process.session_leader.parent + - full: process.session_leader.parent schema_name: process short: Information about the session leader's parent process. Only pid, start and entity_id fields are set. - - beta: Reusing the `process` fields in this location is currently considered beta. 
- full: process.entry_leader.parent.session_leader + - full: process.entry_leader.parent.session_leader schema_name: process short: Information about the parent session of the entry leader. Only pid, start and entity_id fields are set. - - beta: Reusing the `process` fields in this location is currently considered beta. - full: process.session_leader.parent.session_leader + - full: process.session_leader.parent.session_leader schema_name: process short: Information about the parent session of the session leader. Only pid, start and entity_id fields are set. - - beta: Reusing the `process` fields in this location is currently considered beta. - full: process.previous + - full: process.previous normalize: *id001 schema_name: process short: An array of previous executions for the process, including the initial @@ -14748,7 +14685,6 @@ source: expected: - as: source at: process.entry_meta - beta: Reusing the `source` fields in this location is currently considered beta. full: process.entry_meta.source short_override: Remote client information such as ip, port and geo location. top_level: true @@ -21604,17 +21540,14 @@ user: short_override: Captures changes made to a user. - as: user at: process - beta: Reusing the `user` fields in this location is currently considered beta. full: process.user short_override: The effective user (euid). - as: saved_user at: process - beta: Reusing the `user` fields in this location is currently considered beta. full: process.saved_user short_override: The saved user (suid). - as: real_user at: process - beta: Reusing the `user` fields in this location is currently considered beta. full: process.real_user short_override: The real user (ruid). Identifies the real owner of the process. - as: attested_user diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 9bd35fad8d..0c2c1d3004 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -7480,7 +7480,6 @@ process.entry_leader.entry_meta.source.ip: short: IP address of the source. type: ip process.entry_leader.entry_meta.type: - beta: This field is beta and subject to change. dashed_name: process-entry-leader-entry-meta-type description: 'The entry type for the entry session leader. Values include: init(e.g systemd), sshd, ssm, kubelet, teleport, terminal, console @@ -7533,7 +7532,6 @@ process.entry_leader.group.name: short: Name of the group. type: keyword process.entry_leader.interactive: - beta: This field is beta and subject to change. dashed_name: process-entry-leader-interactive description: 'Whether the process is connected to an interactive shell. @@ -7721,7 +7719,6 @@ process.entry_leader.real_user.name: short: Short name or login of the user. type: keyword process.entry_leader.same_as_process: - beta: This field is beta and subject to change. dashed_name: process-entry-leader-same-as-process description: 'This boolean is used to identify if a leader process is the same as the top level process. @@ -7835,7 +7832,6 @@ process.entry_leader.supplemental_groups.name: short: Name of the group. type: keyword process.entry_leader.tty: - beta: This field is beta and subject to change. dashed_name: process-entry-leader-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. @@ -7847,7 +7843,6 @@ process.entry_leader.tty: short: Information about the controlling TTY device. type: object process.entry_leader.tty.char_device.major: - beta: This field is beta and subject to change. dashed_name: process-entry-leader-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined 
@@ -7862,7 +7857,6 @@ process.entry_leader.tty.char_device.major: short: The TTY character device's major number. type: long process.entry_leader.tty.char_device.minor: - beta: This field is beta and subject to change. dashed_name: process-entry-leader-tty-char-device-minor description: "The minor number is used only by the driver specified by the major\ \ number; other parts of the kernel don\u2019t use it, and merely pass it along\ @@ -8072,7 +8066,6 @@ process.group_leader.group.name: short: Name of the group. type: keyword process.group_leader.interactive: - beta: This field is beta and subject to change. dashed_name: process-group-leader-interactive description: 'Whether the process is connected to an interactive shell. @@ -8174,7 +8167,6 @@ process.group_leader.real_user.name: short: Short name or login of the user. type: keyword process.group_leader.same_as_process: - beta: This field is beta and subject to change. dashed_name: process-group-leader-same-as-process description: 'This boolean is used to identify if a leader process is the same as the top level process. @@ -8288,7 +8280,6 @@ process.group_leader.supplemental_groups.name: short: Name of the group. type: keyword process.group_leader.tty: - beta: This field is beta and subject to change. dashed_name: process-group-leader-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. @@ -8300,7 +8291,6 @@ process.group_leader.tty: short: Information about the controlling TTY device. type: object process.group_leader.tty.char_device.major: - beta: This field is beta and subject to change. dashed_name: process-group-leader-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined 
@@ -8315,7 +8305,6 @@ process.group_leader.tty.char_device.major: short: The TTY character device's major number. type: long process.group_leader.tty.char_device.minor: - beta: This field is beta and subject to change. dashed_name: process-group-leader-tty-char-device-minor description: "The minor number is used only by the driver specified by the major\ \ number; other parts of the kernel don\u2019t use it, and merely pass it along\ @@ -8451,7 +8440,6 @@ process.hash.tlsh: short: TLSH hash. type: keyword process.interactive: - beta: This field is beta and subject to change. dashed_name: process-interactive description: 'Whether the process is connected to an interactive shell. @@ -9304,7 +9292,6 @@ process.parent.hash.tlsh: short: TLSH hash. type: keyword process.parent.interactive: - beta: This field is beta and subject to change. dashed_name: process-parent-interactive description: 'Whether the process is connected to an interactive shell. @@ -9649,7 +9636,6 @@ process.parent.title: short: Process title. type: keyword process.parent.tty: - beta: This field is beta and subject to change. dashed_name: process-parent-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. @@ -9661,7 +9647,6 @@ process.parent.tty: short: Information about the controlling TTY device. type: object process.parent.tty.char_device.major: - beta: This field is beta and subject to change. dashed_name: process-parent-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined 
@@ -9676,7 +9661,6 @@ process.parent.tty.char_device.major: short: The TTY character device's major number. type: long process.parent.tty.char_device.minor: - beta: This field is beta and subject to change. dashed_name: process-parent-tty-char-device-minor description: "The minor number is used only by the driver specified by the major\ \ number; other parts of the kernel don\u2019t use it, and merely pass it along\ @@ -10128,7 +10112,6 @@ process.session_leader.group.name: short: Name of the group. type: keyword process.session_leader.interactive: - beta: This field is beta and subject to change. dashed_name: process-session-leader-interactive description: 'Whether the process is connected to an interactive shell. @@ -10316,7 +10299,6 @@ process.session_leader.real_user.name: short: Short name or login of the user. type: keyword process.session_leader.same_as_process: - beta: This field is beta and subject to change. dashed_name: process-session-leader-same-as-process description: 'This boolean is used to identify if a leader process is the same as the top level process. @@ -10430,7 +10412,6 @@ process.session_leader.supplemental_groups.name: short: Name of the group. type: keyword process.session_leader.tty: - beta: This field is beta and subject to change. dashed_name: process-session-leader-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. @@ -10442,7 +10423,6 @@ process.session_leader.tty: short: Information about the controlling TTY device. type: object process.session_leader.tty.char_device.major: - beta: This field is beta and subject to change. dashed_name: process-session-leader-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined 
@@ -10457,7 +10437,6 @@ process.session_leader.tty.char_device.major: short: The TTY character device's major number. type: long process.session_leader.tty.char_device.minor: - beta: This field is beta and subject to change. dashed_name: process-session-leader-tty-char-device-minor description: "The minor number is used only by the driver specified by the major\ \ number; other parts of the kernel don\u2019t use it, and merely pass it along\ @@ -10587,7 +10566,6 @@ process.title: short: Process title. type: keyword process.tty: - beta: This field is beta and subject to change. dashed_name: process-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. @@ -10598,7 +10576,6 @@ process.tty: short: Information about the controlling TTY device. type: object process.tty.char_device.major: - beta: This field is beta and subject to change. dashed_name: process-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined @@ -10612,7 +10589,6 @@ process.tty.char_device.major: short: The TTY character device's major number. type: long process.tty.char_device.minor: - beta: This field is beta and subject to change. dashed_name: process-tty-char-device-minor description: "The minor number is used only by the driver specified by the major\ \ number; other parts of the kernel don\u2019t use it, and merely pass it along\ diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 049ae73a72..508124f0a7 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -5935,22 +5935,18 @@ group: full: user.group - as: group at: process - beta: Reusing the `group` fields in this location is currently considered beta. full: process.group short_override: The effective group (egid). - as: real_group at: process - beta: Reusing the `group` fields in this location is currently considered beta. full: process.real_group short_override: The real group (rgid). - as: saved_group at: process - beta: Reusing the `group` fields in this location is currently considered beta. full: process.saved_group short_override: The saved group (sgid). - as: supplemental_groups at: process - beta: Reusing the `group` fields in this location is currently considered beta. full: process.supplemental_groups normalize: - array @@ -9198,7 +9194,6 @@ process: short: IP address of the source. type: ip process.entry_leader.entry_meta.type: - beta: This field is beta and subject to change. dashed_name: process-entry-leader-entry-meta-type description: 'The entry type for the entry session leader. Values include: init(e.g systemd), sshd, ssm, kubelet, teleport, terminal, console @@ -9251,7 +9246,6 @@ process: short: Name of the group. type: keyword process.entry_leader.interactive: - beta: This field is beta and subject to change. dashed_name: process-entry-leader-interactive description: 'Whether the process is connected to an interactive shell. @@ -9439,7 +9433,6 @@ process: short: Short name or login of the user. type: keyword process.entry_leader.same_as_process: - beta: This field is beta and subject to change. dashed_name: process-entry-leader-same-as-process description: 'This boolean is used to identify if a leader process is the same as the top level process. @@ -9553,7 +9546,6 @@ process: short: Name of the group. type: keyword process.entry_leader.tty: - beta: This field is beta and subject to change. dashed_name: process-entry-leader-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. 
@@ -9565,7 +9557,6 @@ process: short: Information about the controlling TTY device. type: object process.entry_leader.tty.char_device.major: - beta: This field is beta and subject to change. dashed_name: process-entry-leader-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined @@ -9580,7 +9571,6 @@ process: short: The TTY character device's major number. type: long process.entry_leader.tty.char_device.minor: - beta: This field is beta and subject to change. dashed_name: process-entry-leader-tty-char-device-minor description: "The minor number is used only by the driver specified by the major\ \ number; other parts of the kernel don\u2019t use it, and merely pass it\ @@ -9790,7 +9780,6 @@ process: short: Name of the group. type: keyword process.group_leader.interactive: - beta: This field is beta and subject to change. dashed_name: process-group-leader-interactive description: 'Whether the process is connected to an interactive shell. @@ -9892,7 +9881,6 @@ process: short: Short name or login of the user. type: keyword process.group_leader.same_as_process: - beta: This field is beta and subject to change. dashed_name: process-group-leader-same-as-process description: 'This boolean is used to identify if a leader process is the same as the top level process. @@ -10006,7 +9994,6 @@ process: short: Name of the group. type: keyword process.group_leader.tty: - beta: This field is beta and subject to change. dashed_name: process-group-leader-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. 
@@ -10018,7 +10005,6 @@ process: short: Information about the controlling TTY device. type: object process.group_leader.tty.char_device.major: - beta: This field is beta and subject to change. dashed_name: process-group-leader-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined @@ -10033,7 +10019,6 @@ process: short: The TTY character device's major number. type: long process.group_leader.tty.char_device.minor: - beta: This field is beta and subject to change. dashed_name: process-group-leader-tty-char-device-minor description: "The minor number is used only by the driver specified by the major\ \ number; other parts of the kernel don\u2019t use it, and merely pass it\ @@ -10169,7 +10154,6 @@ process: short: TLSH hash. type: keyword process.interactive: - beta: This field is beta and subject to change. dashed_name: process-interactive description: 'Whether the process is connected to an interactive shell. @@ -11025,7 +11009,6 @@ process: short: TLSH hash. type: keyword process.parent.interactive: - beta: This field is beta and subject to change. dashed_name: process-parent-interactive description: 'Whether the process is connected to an interactive shell. @@ -11370,7 +11353,6 @@ process: short: Process title. type: keyword process.parent.tty: - beta: This field is beta and subject to change. dashed_name: process-parent-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. @@ -11382,7 +11364,6 @@ process: short: Information about the controlling TTY device. type: object process.parent.tty.char_device.major: - beta: This field is beta and subject to change. dashed_name: process-parent-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined 
@@ -11397,7 +11378,6 @@ process: short: The TTY character device's major number. type: long process.parent.tty.char_device.minor: - beta: This field is beta and subject to change. dashed_name: process-parent-tty-char-device-minor description: "The minor number is used only by the driver specified by the major\ \ number; other parts of the kernel don\u2019t use it, and merely pass it\ @@ -11849,7 +11829,6 @@ process: short: Name of the group. type: keyword process.session_leader.interactive: - beta: This field is beta and subject to change. dashed_name: process-session-leader-interactive description: 'Whether the process is connected to an interactive shell. @@ -12037,7 +12016,6 @@ process: short: Short name or login of the user. type: keyword process.session_leader.same_as_process: - beta: This field is beta and subject to change. dashed_name: process-session-leader-same-as-process description: 'This boolean is used to identify if a leader process is the same as the top level process. @@ -12151,7 +12129,6 @@ process: short: Name of the group. type: keyword process.session_leader.tty: - beta: This field is beta and subject to change. dashed_name: process-session-leader-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. @@ -12163,7 +12140,6 @@ process: short: Information about the controlling TTY device. type: object process.session_leader.tty.char_device.major: - beta: This field is beta and subject to change. dashed_name: process-session-leader-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined 
@@ -12178,7 +12154,6 @@ process: short: The TTY character device's major number. type: long process.session_leader.tty.char_device.minor: - beta: This field is beta and subject to change. dashed_name: process-session-leader-tty-char-device-minor description: "The minor number is used only by the driver specified by the major\ \ number; other parts of the kernel don\u2019t use it, and merely pass it\ @@ -12308,7 +12283,6 @@ process: short: Process title. type: keyword process.tty: - beta: This field is beta and subject to change. dashed_name: process-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. @@ -12319,7 +12293,6 @@ process: short: Information about the controlling TTY device. type: object process.tty.char_device.major: - beta: This field is beta and subject to change. dashed_name: process-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined @@ -12333,7 +12306,6 @@ process: short: The TTY character device's major number. type: long process.tty.char_device.minor: - beta: This field is beta and subject to change. dashed_name: process-tty-char-device-minor description: "The minor number is used only by the driver specified by the major\ \ number; other parts of the kernel don\u2019t use it, and merely pass it\ 
@@ -12463,64 +12435,46 @@ process: short_override: Information about the parent process. - as: entry_leader at: process - beta: Reusing the `process` fields in this location is currently considered - beta. full: process.entry_leader short_override: First process from terminal or remote access via SSH, SSM, etc OR a service directly started by the init process. - as: session_leader at: process - beta: Reusing the `process` fields in this location is currently considered - beta. full: process.session_leader short_override: Often the same as entry_leader. When it differs, it represents a session started within another session. e.g. using tmux - as: group_leader at: process - beta: Reusing the `process` fields in this location is currently considered - beta. full: process.group_leader short_override: Information about the process group leader. In some cases this may be the same as the top level process. - as: group_leader at: process.parent - beta: Reusing the `process` fields in this location is currently considered - beta. full: process.parent.group_leader short_override: Information about the parent's process group leader. Only pid, start and entity_id fields are set. - as: parent at: process.entry_leader - beta: Reusing the `process` fields in this location is currently considered - beta. full: process.entry_leader.parent short_override: Information about the entry leader's parent process. Only pid, start and entity_id fields are set. - as: parent at: process.session_leader - beta: Reusing the `process` fields in this location is currently considered - beta. full: process.session_leader.parent short_override: Information about the session leader's parent process. Only pid, start and entity_id fields are set. - as: session_leader at: process.entry_leader.parent - beta: Reusing the `process` fields in this location is currently considered - beta. full: process.entry_leader.parent.session_leader short_override: Information about the parent session of the entry leader. 
Only pid, start and entity_id fields are set. - as: session_leader at: process.session_leader.parent - beta: Reusing the `process` fields in this location is currently considered - beta. full: process.session_leader.parent.session_leader short_override: Information about the parent session of the session leader. Only pid, start and entity_id fields are set. - as: previous at: process - beta: Reusing the `process` fields in this location is currently considered - beta. full: process.previous normalize: &id001 - array @@ -12528,20 +12482,16 @@ process: initial fork. Only executable and args are set. top_level: true reused_here: - - beta: Reusing the `group` fields in this location is currently considered beta. - full: process.group + - full: process.group schema_name: group short: The effective group (egid). - - beta: Reusing the `group` fields in this location is currently considered beta. - full: process.real_group + - full: process.real_group schema_name: group short: The real group (rgid). - - beta: Reusing the `group` fields in this location is currently considered beta. - full: process.saved_group + - full: process.saved_group schema_name: group short: The saved group (sgid). - - beta: Reusing the `group` fields in this location is currently considered beta. - full: process.supplemental_groups + - full: process.supplemental_groups normalize: - array schema_name: group 
@@ -12566,20 +12516,16 @@ process: full: process.elf schema_name: elf short: These fields contain Linux Executable Linkable Format (ELF) metadata. - - beta: Reusing the `source` fields in this location is currently considered beta. - full: process.entry_meta.source + - full: process.entry_meta.source schema_name: source short: Remote client information such as ip, port and geo location. - - beta: Reusing the `user` fields in this location is currently considered beta. - full: process.user + - full: process.user schema_name: user short: The effective user (euid). - - beta: Reusing the `user` fields in this location is currently considered beta. - full: process.saved_user + - full: process.saved_user schema_name: user short: The saved user (suid). - - beta: Reusing the `user` fields in this location is currently considered beta. - full: process.real_user + - full: process.real_user schema_name: user short: The real user (ruid). Identifies the real owner of the process. - beta: Reusing the `user` fields in this location is currently considered beta. 
@@ -12590,48 +12536,39 @@ process: - full: process.parent schema_name: process short: Information about the parent process. - - beta: Reusing the `process` fields in this location is currently considered beta. - full: process.entry_leader + - full: process.entry_leader schema_name: process short: First process from terminal or remote access via SSH, SSM, etc OR a service directly started by the init process. - - beta: Reusing the `process` fields in this location is currently considered beta. - full: process.session_leader + - full: process.session_leader schema_name: process short: Often the same as entry_leader. When it differs, it represents a session started within another session. e.g. using tmux - - beta: Reusing the `process` fields in this location is currently considered beta. - full: process.group_leader + - full: process.group_leader schema_name: process short: Information about the process group leader. In some cases this may be the same as the top level process. - - beta: Reusing the `process` fields in this location is currently considered beta. - full: process.parent.group_leader + - full: process.parent.group_leader schema_name: process short: Information about the parent's process group leader. Only pid, start and entity_id fields are set. - - beta: Reusing the `process` fields in this location is currently considered beta. - full: process.entry_leader.parent + - full: process.entry_leader.parent schema_name: process short: Information about the entry leader's parent process. Only pid, start and entity_id fields are set. - - beta: Reusing the `process` fields in this location is currently considered beta. - full: process.session_leader.parent + - full: process.session_leader.parent schema_name: process short: Information about the session leader's parent process. Only pid, start and entity_id fields are set. - - beta: Reusing the `process` fields in this location is currently considered beta. 
- full: process.entry_leader.parent.session_leader + - full: process.entry_leader.parent.session_leader schema_name: process short: Information about the parent session of the entry leader. Only pid, start and entity_id fields are set. - - beta: Reusing the `process` fields in this location is currently considered beta. - full: process.session_leader.parent.session_leader + - full: process.session_leader.parent.session_leader schema_name: process short: Information about the parent session of the session leader. Only pid, start and entity_id fields are set. - - beta: Reusing the `process` fields in this location is currently considered beta. - full: process.previous + - full: process.previous normalize: *id001 schema_name: process short: An array of previous executions for the process, including the initial @@ -14668,7 +14605,6 @@ source: expected: - as: source at: process.entry_meta - beta: Reusing the `source` fields in this location is currently considered beta. full: process.entry_meta.source short_override: Remote client information such as ip, port and geo location. top_level: true @@ -21524,17 +21460,14 @@ user: short_override: Captures changes made to a user. - as: user at: process - beta: Reusing the `user` fields in this location is currently considered beta. full: process.user short_override: The effective user (euid). - as: saved_user at: process - beta: Reusing the `user` fields in this location is currently considered beta. full: process.saved_user short_override: The saved user (suid). - as: real_user at: process - beta: Reusing the `user` fields in this location is currently considered beta. full: process.real_user short_override: The real user (ruid). Identifies the real owner of the process. - as: attested_user diff --git a/schemas/group.yml b/schemas/group.yml index 9f51403042..7dffd306c4 100644 --- a/schemas/group.yml +++ b/schemas/group.yml 
@@ -32,19 +32,15 @@ - at: process as: group short_override: The effective group (egid). - beta: Reusing the `group` fields in this location is currently considered beta. - at: process as: real_group short_override: The real group (rgid). - beta: Reusing the `group` fields in this location is currently considered beta. - at: process as: saved_group short_override: The saved group (sgid). - beta: Reusing the `group` fields in this location is currently considered beta. - at: process as: supplemental_groups short_override: An array of supplemental groups. - beta: Reusing the `group` fields in this location is currently considered beta. normalize: - array - at: process diff --git a/schemas/process.yml b/schemas/process.yml index 83405e5c5b..06e91758f4 100644 --- a/schemas/process.yml +++ b/schemas/process.yml 
@@ -35,39 +35,30 @@ - at: process as: entry_leader short_override: First process from terminal or remote access via SSH, SSM, etc OR a service directly started by the init process. - beta: Reusing the `process` fields in this location is currently considered beta. - at: process as: session_leader short_override: Often the same as entry_leader. When it differs, it represents a session started within another session. e.g. using tmux - beta: Reusing the `process` fields in this location is currently considered beta. - at: process as: group_leader short_override: Information about the process group leader. In some cases this may be the same as the top level process. - beta: Reusing the `process` fields in this location is currently considered beta. - at: process.parent as: group_leader short_override: Information about the parent's process group leader. Only pid, start and entity_id fields are set. - beta: Reusing the `process` fields in this location is currently considered beta. - at: process.entry_leader as: parent short_override: Information about the entry leader's parent process. Only pid, start and entity_id fields are set. - beta: Reusing the `process` fields in this location is currently considered beta. - at: process.session_leader as: parent short_override: Information about the session leader's parent process. Only pid, start and entity_id fields are set. - beta: Reusing the `process` fields in this location is currently considered beta. - at: process.entry_leader.parent as: session_leader short_override: Information about the parent session of the entry leader. Only pid, start and entity_id fields are set. - beta: Reusing the `process` fields in this location is currently considered beta. - at: process.session_leader.parent as: session_leader short_override: Information about the parent session of the session leader. Only pid, start and entity_id fields are set. - beta: Reusing the `process` fields in this location is currently considered beta. 
- at: process as: previous short_override: An array of previous executions for the process, including the initial fork. Only executable and args are set. - beta: Reusing the `process` fields in this location is currently considered beta. normalize: - array @@ -244,7 +235,6 @@ level: extended type: boolean example: true - beta: This field is beta and subject to change. short: Whether the process is connected to an interactive shell. description: > Whether the process is connected to an interactive shell. @@ -257,7 +247,6 @@ level: extended type: boolean example: true - beta: This field is beta and subject to change. short: This boolean is used to identify if a leader process is the same as the top level process. description: > This boolean is used to identify if a leader process is the same as the top level process. @@ -295,7 +284,6 @@ - name: entry_meta.type level: extended type: keyword - beta: This field is beta and subject to change. short: The entry type for the entry session leader. description: > The entry type for the entry session leader. @@ -306,7 +294,6 @@ - name: entry_meta.source level: extended type: source - beta: This field is beta and subject to change. short: Entry point information for a session. description: > Entry point information for a session. @@ -315,7 +302,6 @@ - name: tty level: extended type: object - beta: This field is beta and subject to change. short: Information about the controlling TTY device. description: > Information about the controlling TTY device. If set, the process belongs to an interactive session. 
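Review bot: the `entry_meta.type` hunk in schemas/process.yml drops the beta marker but leaves the description untouched, and the generated text shown in the ecs_nested.yml hunk above reads `Values include: init(e.g systemd), sshd, ssm, kubelet, teleport, terminal, console`, which is missing a space and a period (`init (e.g. systemd)`) and gives the allowed values only as free prose. Consumers start relying on descriptions once a field is GA, so tighten the wording in this PR and consider expressing the value set in a form the schema tooling can validate rather than in the sentence.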
@@ -323,7 +309,6 @@ - name: tty.char_device.major level: extended type: long - beta: This field is beta and subject to change. short: The TTY character device's major number. description: > The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. @@ -332,7 +317,6 @@ - name: tty.char_device.minor level: extended type: long - beta: This field is beta and subject to change. short: The TTY character device's minor number. description: > The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them. diff --git a/schemas/source.yml b/schemas/source.yml index 6685bec1b2..266bfc33bf 100644 --- a/schemas/source.yml +++ b/schemas/source.yml @@ -34,7 +34,6 @@ - at: process.entry_meta as: source short_override: Remote client information such as ip, port and geo location. - beta: Reusing the `source` fields in this location is currently considered beta. fields: diff --git a/schemas/user.yml b/schemas/user.yml index a12f9f9beb..0e126bfd03 100644 --- a/schemas/user.yml +++ b/schemas/user.yml 
@@ -45,15 +45,12 @@ - at: process as: user short_override: The effective user (euid). - beta: Reusing the `user` fields in this location is currently considered beta. - at: process as: saved_user short_override: The saved user (suid). - beta: Reusing the `user` fields in this location is currently considered beta. - at: process as: real_user short_override: The real user (ruid). Identifies the real owner of the process. - beta: Reusing the `user` fields in this location is currently considered beta. - at: process as: attested_user short_override: The externally attested user based on an external source such as the Kube API. From 75ea42f65b861a30a3da32887c06fe23d4bc111e Mon Sep 17 00:00:00 2001 From: Taylor Swanson <90622908+taylor-swanson@users.noreply.github.com> Date: Tue, 1 Nov 2022 09:38:00 -0500 Subject: [PATCH 049/186] 8.5 changelog (#2085) (#2091) --- CHANGELOG.md | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index acc1571123..043328caa9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,6 +3,32 @@ # CHANGELOG All notable changes to this project will be documented in this file based on the [Keep a Changelog](http://keepachangelog.com/) Standard. This project adheres to [Semantic Versioning](http://semver.org/). +## [8.5.0](https://github.com/elastic/ecs/compare/v8.4.0...v8.5.0) + +### Schema Changes + +#### Added + +* Adding `risk.*` fields as experimental. #1994, #2010 +* Adding `process.io.*` as beta fields. #1956, #2031 +* Adding `process.tty.rows` and `process.tty.columns` as beta fields. #2031 +* Changed `process.env_vars` field type to be an array of keywords. #2038 +* `process.attested_user` and `process.attested_groups` as beta fields. #2050 +* Added `risk.*` fieldset to beta. #2051, #2058 +* Moved Linux event model fields to GA. #2082 + +#### Improvements + +* Advances `threat.enrichments.indicator` to GA. #1928 +* Added `ios` and `android` as valid values for `os.type` #1999 + +### Tooling and Artifact Changes + +#### Bugfixes + +* Added Deprecation Warning for `misspell` task #1993 +* Fix typo in client schema #2014 + ## [8.4.0](https://github.com/elastic/ecs/compare/v8.3.1...v8.4.0) ### Schema Changes From a0a9b6b24c3f7a8c5f69fdb6c8c194023a906d48 Mon Sep 17 00:00:00 2001 From: Taylor Swanson <90622908+taylor-swanson@users.noreply.github.com> Date: Tue, 1 Nov 2022 09:53:07 -0500 Subject: [PATCH 050/186] 8.5 release notes (#2086) (#2093) --- docs/release-notes/8.5.asciidoc | 34 ++++++++++++++++++++++++++++++++- 1 file changed, 33 insertions(+), 1 deletion(-) diff --git a/docs/release-notes/8.5.asciidoc b/docs/release-notes/8.5.asciidoc index 779b247999..4dd468377c 100644 --- a/docs/release-notes/8.5.asciidoc +++ b/docs/release-notes/8.5.asciidoc 
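Review bot: in the CHANGELOG.md hunk the `risk.*` fieldset is listed twice under Added, first "as experimental" (#1994, #2010) and then "to beta" (#2051, #2058); a release changelog should record the state shipped in 8.5.0, so collapse these into one line such as `* Added `risk.*` fields as beta. #1994, #2010, #2051, #2058`. The same list mixes tenses (`Adding`, `Added`, `Changed`, `Advances`) and the `process.attested_user` line has no verb at all; use one past-tense form throughout.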
@@ -1,4 +1,36 @@ [[ecs-release-notes-8.5.0]] === 8.5.0 -coming[8.5.0] +[[schema-changes-8.5.0]] +[float] +==== Schema changes + +[[schema-added-8.5.0]] +[float] +===== Added + +* Adding `risk.*` fields as experimental. {ecs_pull}1994[#1994], {ecs_pull}2010[#2010] +* Adding `process.io.*` as beta fields. {ecs_pull}1956[#1956], {ecs_pull}2031[#2031] +* Adding `process.tty.rows` and `process.tty.columns` as beta fields. {ecs_pull}2031[#2031] +* Changed `process.env_vars` field type to be an array of keywords. {ecs_pull}2038[#2038] +* `process.attested_user` and `process.attested_groups` as beta fields. {ecs_pull}2050[#2050] +* Added `risk.*` fieldset to beta. {ecs_pull}2051[#2051], {ecs_pull}2058[#2058] +* Moved Linux event model fields to GA. {ecs_pull}2082[#2082] + +[[schema-improvements-8.5.0]] +[float] +===== Improvements + +* Advances `threat.enrichments.indicator` to GA. {ecs_pull}1928[#1928] +* Added `ios` and `android` as valid values for `os.type` {ecs_pull}1999[#1999] + +[[tooling-changes-8.5.0]] +[float] +==== Tooling and artifact changes + +[[tooling-bugfixes-8.5.0]] +[float] +===== Bugfixes + +* Added Deprecation Warning for `misspell` task {ecs_pull}1993[#1993] +* Fix typo in client schema {ecs_pull}2014[#2014] From 3b182ef3188c239d9c9a5f63ebb54f01d6700fec Mon Sep 17 00:00:00 2001 
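Review bot: the 8.5.asciidoc hunk carries over the duplicated `risk.*` entries and the verb-less `process.attested_user` line from CHANGELOG.md, so whatever wording is settled on there needs to be applied here as well to keep the two in sync; replacing the `coming[8.5.0]` placeholder with the full section is otherwise right.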
From: Dan Kortschak <90160302+efd6@users.noreply.github.com> Date: Wed, 2 Nov 2022 07:46:45 +1030 Subject: [PATCH 051/186] Add fields for executable object format metadata for ELF, Mach-O and PE (#2083) Fields are added to ELF for malware detection signatures and fields in ELF for this are reflected in PE. A new Mac OS Mach-O field group is added. Not all possible fields are added to Mach-O. --- CHANGELOG.next.md | 1 + docs/fields/field-details.asciidoc | 902 ++++- docs/fields/fields.asciidoc | 2 + experimental/generated/beats/fields.ecs.yml | 1635 ++++++++- experimental/generated/csv/fields.csv | 183 ++ experimental/generated/ecs/ecs_flat.yml | 2337 ++++++++++++- experimental/generated/ecs/ecs_nested.yml | 2914 ++++++++++++++++- .../composable/component/dll.json | 50 + .../composable/component/file.json | 137 + .../composable/component/process.json | 274 ++ .../composable/component/threat.json | 158 + .../elasticsearch/legacy/template.json | 619 ++++ generated/beats/fields.ecs.yml | 1635 ++++++++- generated/csv/fields.csv | 183 ++ generated/ecs/ecs_flat.yml | 2337 ++++++++++++- generated/ecs/ecs_nested.yml | 2914 ++++++++++++++++- .../composable/component/dll.json | 50 + .../composable/component/file.json | 137 + .../composable/component/process.json | 274 ++ .../composable/component/threat.json | 158 + generated/elasticsearch/legacy/template.json | 619 ++++ schemas/elf.yml | 73 + schemas/macho.yml | 166 + schemas/pe.yml | 121 + schemas/subsets/main.yml | 8 +- 25 files changed, 17507 insertions(+), 380 deletions(-) create mode 100644 schemas/macho.yml diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index c2189391e9..74d36b843a 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md 
@@ -45,6 +45,7 @@ Thanks, you're awesome :-) --> * Adding `vulnerability` option for `event.catgeory`. #2029 * Added `device.*` field set as beta. #2030 * Added `tlp.version` to threat #2074 +* Added fields for executable object format metadata for ELF, Mach-O and PE #2083 #### Improvements diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index 3733957723..5a02560208 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc 
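Review bot: the CHANGELOG.next.md hunk adds a single line for #2083 but does not say that the new `macho.*` fieldset and its `file.macho.*` reuse are beta (the docs hunks below mark them so) while the `elf.*` and `pe.*` additions are not; readers use this list to judge field stability, so spell it out, e.g. `* Added ELF import and Go metadata fields, a new `macho.*` fieldset (beta) and matching `pe.*` fields. #2083`. The adjacent context line still reads `event.catgeory`; worth fixing while this list is being edited.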
@@ -2258,6 +2258,88 @@ Note: this field should contain an array of values. +| extended + +// =============================================================== + +| +[[field-elf-go-import-hash]] +<> + +a| A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + +The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). + +type: keyword + + + +example: `10bddcb4cee42080f76c88d9ff964491` + +| extended + +// =============================================================== + +| +[[field-elf-go-imports]] +<> + +a| List of imported Go language element names and types. + +type: flattened + + + + + +| extended + +// =============================================================== + +| +[[field-elf-go-imports-names-entropy]] +<> + +a| Shannon entropy calculation from the list of Go imports. + +type: long + + + + + +| extended + +// =============================================================== + +| +[[field-elf-go-imports-names-var-entropy]] +<> + +a| Variance for Shannon entropy calculation from the list of Go imports. + +type: long + + + + + +| extended + +// =============================================================== + +| +[[field-elf-go-stripped]] +<> + +a| Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. + +type: boolean + + + + + | extended // =============================================================== 
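Review bot: in the field-details hunk for `elf.go_*`, `go_imports_names_entropy` and `go_imports_names_var_entropy` are typed `long`, but a Shannon entropy over a list of names is a fractional value (for a byte distribution it lies between 0 and 8 bits), so an integer type either truncates it to a handful of distinct values or implies a scaling the description does not state; make these `float` or document the scaling. Two smaller points in the same hunk: the `go_import_hash` description uses a Markdown link, `[here](https://github.com/elastic/toutoumomoma)`, which AsciiDoc renders with the brackets and parentheses as literal text, so use a bare URL or `https://github.com/elastic/toutoumomoma[reference implementation]`; and `go_stripped` defines `true`/`false` only for Go executables, so state explicitly that the field is left unset for non-Go binaries rather than set to `false`.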
@@ -2386,6 +2468,24 @@ type: keyword +| extended + +// =============================================================== + +| +[[field-elf-import-hash]] +<> + +a| A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + +This is an ELF implementation of the Windows PE imphash. + +type: keyword + + + +example: `d41d8cd98f00b204e9800998ecf8427e` + | extended // =============================================================== @@ -2405,6 +2505,38 @@ Note: this field should contain an array of values. +| extended + +// =============================================================== + +| +[[field-elf-imports-names-entropy]] +<> + +a| Shannon entropy calculation from the list of imported element names and types. + +type: long + + + + + +| extended + +// =============================================================== + +| +[[field-elf-imports-names-var-entropy]] +<> + +a| Variance for Shannon entropy calculation from the list of imported element names and types. + +type: long + + + + + | extended // =============================================================== @@ -2538,6 +2670,22 @@ type: keyword +| extended + +// =============================================================== + +| +[[field-elf-sections-var-entropy]] +<> + +a| Variance for Shannon entropy calculation from the section. + +type: long + + + + + | extended // =============================================================== 
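Review bot: the `elf.import_hash` example `d41d8cd98f00b204e9800998ecf8427e` is the MD5 of the empty string, i.e. the value a binary with no imports would yield, which makes it a misleading example; use the hash of a real sample as the `go_import_hash` hunk does. The description calls the field "an ELF implementation of the Windows PE imphash", but an import hash is only comparable across producers when the normalization (symbol ordering, case, how library and symbol names are joined) is identical, so either spell that out or point at a reference implementation as the Go fields do. The `imports_names_entropy`, `imports_names_var_entropy` and `sections.var_entropy` fields added here have the same `long`-type question as the Go entropy fields.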
@@ -4308,6 +4456,14 @@ These fields contain Linux Executable Linkable Format (ELF) metadata. // =============================================================== +| `file.macho.*` +| <>| beta:[ This field reuse is beta and subject to change.] + +These fields contain Mac OS Mach Object file format (Mach-O) metadata. + +// =============================================================== + + | `file.pe.*` | <> | These fields contain Windows Portable Executable (PE) metadata. @@ -5803,15 +5959,15 @@ example: `1` |===== -[[ecs-network]] -=== Network Fields +[[ecs-macho]] +=== Mach-O Header Fields -The network is defined as the communication path over which a host or network event happens. +These fields contain Mac OS Mach Object file format (Mach-O) metadata. -The network.* fields should be populated with details about the network activity associated with an event. +beta::[ These fields are in beta and are subject to change.] [discrete] -==== Network Field Details +==== Mach-O Header Field Details [options="header"] |===== 
@@ -5820,132 +5976,131 @@ The network.* fields should be populated with details about the network activity // =============================================================== | -[[field-network-application]] -<> - -a| When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. +[[field-macho-go-import-hash]] +<> -For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. +a| A hash of the Go language imports in a Mach-O file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -The field value must be normalized to lowercase for querying. +The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). type: keyword -example: `aim` +example: `10bddcb4cee42080f76c88d9ff964491` | extended // =============================================================== | -[[field-network-bytes]] -<> +[[field-macho-go-imports]] +<> -a| Total bytes transferred in both directions. +a| List of imported Go language element names and types. -If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. +type: flattened -type: long -example: `368` -| core +| extended // =============================================================== | -[[field-network-community-id]] -<> +[[field-macho-go-imports-names-entropy]] +<> -a| A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. +a| Shannon entropy calculation from the list of Go imports. -Learn more at https://github.com/corelight/community-id-spec. 
+type: long -type: keyword -example: `1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=` | extended // =============================================================== | -[[field-network-direction]] -<> +[[field-macho-go-imports-names-var-entropy]] +<> -a| Direction of the network traffic. +a| Variance for Shannon entropy calculation from the list of Go imports. -When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". +type: long -When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". -Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. -Expected values for this field: -* `ingress` -* `egress` -* `inbound` -* `outbound` -* `internal` -* `external` -* `unknown` -type: keyword +| extended +// =============================================================== + +| +[[field-macho-go-stripped]] +<> + +a| Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. + +type: boolean -example: `inbound` -| core + + +| extended // =============================================================== | -[[field-network-forwarded-ip]] -<> +[[field-macho-import-hash]] +<> -a| Host IP address when the source IP address is the proxy. +a| A hash of the imports in an Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -type: ip +This is a synonym for symhash. 
+ +type: keyword -example: `192.1.1.2` +example: `d41d8cd98f00b204e9800998ecf8427e` -| core +| extended // =============================================================== | -[[field-network-iana-number]] -<> +[[field-macho-imports]] +<> -a| IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. +a| List of imported element names and types. + +type: flattened + + +Note: this field should contain an array of values. -type: keyword -example: `6` | extended // =============================================================== | -[[field-network-inner]] -<> +[[field-macho-imports-names-entropy]] +<> -a| Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) +a| Shannon entropy calculation from the list of imported element names and types. -type: object +type: long 
@@ -5956,97 +6111,398 @@ type: object // =============================================================== | -[[field-network-name]] -<> +[[field-macho-imports-names-var-entropy]] +<> -a| Name given by operators to sections of their network. +a| Variance for Shannon entropy calculation from the list of imported element names and types. + +type: long -type: keyword -example: `Guest Wifi` | extended // =============================================================== | -[[field-network-packets]] -<> +[[field-macho-sections]] +<> -a| Total packets transferred in both directions. +a| An array containing an object for each section of the Mach-O file. -If `source.packets` and `destination.packets` are known, `network.packets` is their sum. +The keys that should be present in these objects are defined by sub-fields underneath `macho.sections.*`. -type: long +type: nested +Note: this field should contain an array of values. -example: `24` -| core + + + +| extended // =============================================================== | -[[field-network-protocol]] -<> +[[field-macho-sections-entropy]] +<> -a| In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. +a| Shannon entropy calculation from the section. -The field value must be normalized to lowercase for querying. +type: long -type: keyword -example: `http` -| core +| extended // =============================================================== | -[[field-network-transport]] -<> +[[field-macho-sections-name]] +<> -a| Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - -The field value must be normalized to lowercase for querying. +a| Mach-O Section List name. type: keyword -example: `tcp` -| core + +| extended // =============================================================== | -[[field-network-type]] -<> +[[field-macho-sections-physical-size]] +<> -a| In the OSI Model this would be the Network Layer. 
ipv4, ipv6, ipsec, pim, etc +a| Mach-O Section List physical size. -The field value must be normalized to lowercase for querying. +type: long -type: keyword -example: `ipv4` -| core +| extended // =============================================================== -|===== +| +[[field-macho-sections-var-entropy]] +<> -[discrete] -==== Field Reuse +a| Variance for Shannon entropy calculation from the section. + +type: long + + + + + +| extended + +// =============================================================== + +| +[[field-macho-sections-virtual-size]] +<> + +a| Mach-O Section List virtual size. This is always the same as `physical_size`. + +type: long + + + + + +| extended + +// =============================================================== + +| +[[field-macho-symhash]] +<> + +a| A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + +This is a Mach-O implementation of the Windows PE imphash + +type: keyword + + + +example: `d3ccf195b62a9279c3c19af1080497ec` + +| extended + +// =============================================================== + +|===== + +[discrete] +==== Field Reuse + +The `macho` fields are expected to be nested at: + + +* `file.macho` + +* `process.macho` + + +Note also that the `macho` fields are not expected to be used directly at the root of the events. +[[ecs-network]] +=== Network Fields + +The network is defined as the communication path over which a host or network event happens. + +The network.* fields should be populated with details about the network activity associated with an event. 
+ +[discrete] +==== Network Field Details + +[options="header"] +|===== +| Field | Description | Level + +// =============================================================== + +| +[[field-network-application]] +<> + +a| When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. + +For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + +The field value must be normalized to lowercase for querying. + +type: keyword + + + +example: `aim` + +| extended + +// =============================================================== + +| +[[field-network-bytes]] +<> + +a| Total bytes transferred in both directions. + +If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + +type: long + + + +example: `368` + +| core + +// =============================================================== + +| +[[field-network-community-id]] +<> + +a| A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + +Learn more at https://github.com/corelight/community-id-spec. + +type: keyword + + + +example: `1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=` + +| extended + +// =============================================================== + +| +[[field-network-direction]] +<> + +a| Direction of the network traffic. + +When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + +When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
+ +Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + +Expected values for this field: + +* `ingress` +* `egress` +* `inbound` +* `outbound` +* `internal` +* `external` +* `unknown` + +type: keyword + + + +example: `inbound` + +| core + +// =============================================================== + +| +[[field-network-forwarded-ip]] +<> + +a| Host IP address when the source IP address is the proxy. + +type: ip + + + +example: `192.1.1.2` + +| core + +// =============================================================== + +| +[[field-network-iana-number]] +<> + +a| IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + +type: keyword + + + +example: `6` + +| extended + +// =============================================================== + +| +[[field-network-inner]] +<> + +a| Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + +type: object + + + + + +| extended + +// =============================================================== + +| +[[field-network-name]] +<> + +a| Name given by operators to sections of their network. + +type: keyword + + + +example: `Guest Wifi` + +| extended + +// =============================================================== + +| +[[field-network-packets]] +<> + +a| Total packets transferred in both directions. 
+ +If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + +type: long + + + +example: `24` + +| core + +// =============================================================== + +| +[[field-network-protocol]] +<> + +a| In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + +The field value must be normalized to lowercase for querying. + +type: keyword + + + +example: `http` + +| core + +// =============================================================== + +| +[[field-network-transport]] +<> + +a| Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + +The field value must be normalized to lowercase for querying. + +type: keyword + + + +example: `tcp` + +| core + +// =============================================================== + +| +[[field-network-type]] +<> + +a| In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + +The field value must be normalized to lowercase for querying. + +type: keyword + + + +example: `ipv4` + +| core + +// =============================================================== + +|===== + +[discrete] +==== Field Reuse [[ecs-network-nestings]] [discrete] 
@@ -7130,6 +7586,88 @@ type: keyword example: `6.3.9600.17415` +| extended + +// =============================================================== + +| +[[field-pe-go-import-hash]] +<> + +a| A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + +The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). + +type: keyword + + + +example: `10bddcb4cee42080f76c88d9ff964491` + +| extended + +// =============================================================== + +| +[[field-pe-go-imports]] +<> + +a| List of imported Go language element names and types. + +type: flattened + + + + + +| extended + +// =============================================================== + +| +[[field-pe-go-imports-names-entropy]] +<> + +a| Shannon entropy calculation from the list of Go imports. + +type: long + + + + + +| extended + +// =============================================================== + +| +[[field-pe-go-imports-names-var-entropy]] +<> + +a| Variance for Shannon entropy calculation from the list of Go imports. + +type: long + + + + + +| extended + +// =============================================================== + +| +[[field-pe-go-stripped]] +<> + +a| Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. + +type: boolean + + + + + | extended // =============================================================== 
@@ -7148,6 +7686,75 @@ type: keyword example: `0c6803c4e922103c4dca5963aad36ddf` +| extended + +// =============================================================== + +| +[[field-pe-import-hash]] +<> + +a| A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + +This is a synonym for imphash. + +type: keyword + + + +example: `d41d8cd98f00b204e9800998ecf8427e` + +| extended + +// =============================================================== + +| +[[field-pe-imports]] +<> + +a| List of imported element names and types. + +type: flattened + + +Note: this field should contain an array of values. + + + + + +| extended + +// =============================================================== + +| +[[field-pe-imports-names-entropy]] +<> + +a| Shannon entropy calculation from the list of imported element names and types. + +type: long + + + + + +| extended + +// =============================================================== + +| +[[field-pe-imports-names-var-entropy]] +<> + +a| Variance for Shannon entropy calculation from the list of imported element names and types. + +type: long + + + + + | extended // =============================================================== 
@@ -7198,6 +7805,107 @@ type: keyword example: `Microsoft® Windows® Operating System` +| extended + +// =============================================================== + +| +[[field-pe-sections]] +<> + +a| An array containing an object for each section of the PE file. + +The keys that should be present in these objects are defined by sub-fields underneath `pe.sections.*`. + +type: nested + + +Note: this field should contain an array of values. + + + + + +| extended + +// =============================================================== + +| +[[field-pe-sections-entropy]] +<> + +a| Shannon entropy calculation from the section. + +type: long + + + + + +| extended + +// =============================================================== + +| +[[field-pe-sections-name]] +<> + +a| PE Section List name. + +type: keyword + + + + + +| extended + +// =============================================================== + +| +[[field-pe-sections-physical-size]] +<> + +a| PE Section List physical size. + +type: long + + + + + +| extended + +// =============================================================== + +| +[[field-pe-sections-var-entropy]] +<> + +a| Variance for Shannon entropy calculation from the section. + +type: long + + + + + +| extended + +// =============================================================== + +| +[[field-pe-sections-virtual-size]] +<> + +a| PE Section List virtual size. This is always the same as `physical_size`. + +type: long + + + + + | extended // =============================================================== 
@@ -8009,6 +8717,14 @@ These fields contain Linux Executable Linkable Format (ELF) metadata. // =============================================================== +| `process.macho.*` +| <>| beta:[ This field reuse is beta and subject to change.] + +These fields contain Mac OS Mach Object file format (Mach-O) metadata. + +// =============================================================== + + | `process.parent.*` | <> | Information about the parent process. diff --git a/docs/fields/fields.asciidoc b/docs/fields/fields.asciidoc index b64367d443..14282c52f2 100644 --- a/docs/fields/fields.asciidoc +++ b/docs/fields/fields.asciidoc @@ -72,6 +72,8 @@ For a single page representation of all fields, please see the | <> | Details about the event's logging mechanism. +| <> | These fields contain Mac OS Mach Object file format (Mach-O) metadata. + | <> | Fields describing the communication path over which the event happened. | <> | Fields describing an entity observing the event from outside the host. diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 7c1181311e..f0bf28be06 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -1515,6 +1515,42 @@ description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false + - name: pe.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: pe.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: pe.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: pe.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: pe.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false - name: pe.imphash level: extended type: keyword 
@@ -1526,6 +1562,36 @@ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false + - name: pe.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: pe.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: pe.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: pe.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false - name: pe.original_file_name level: extended type: keyword 
@@ -1551,6 +1617,44 @@ description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false + - name: pe.sections + level: extended + type: nested + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + default_field: false + - name: pe.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: PE Section List name. + default_field: false + - name: pe.sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. + default_field: false + - name: pe.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: pe.sections.virtual_size + level: extended + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. + default_field: false - name: dns title: DNS group: 2 
@@ -1777,6 +1881,42 @@ type: flattened description: List of exported element names and types. default_field: false + - name: go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false - name: header.abi_version level: extended type: keyword 
@@ -1825,11 +1965,36 @@ ignore_above: 1024 description: Version of the ELF header. default_field: false + - name: import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false - name: imports level: extended type: flattened description: List of imported element names and types. default_field: false + - name: imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false - name: sections level: extended type: nested @@ -1880,6 +2045,12 @@ ignore_above: 1024 description: ELF Section List type. default_field: false + - name: sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false - name: sections.virtual_address level: extended type: long 
@@ -2728,6 +2899,42 @@ type: flattened description: List of exported element names and types. default_field: false + - name: elf.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: elf.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: elf.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: elf.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: elf.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false - name: elf.header.abi_version level: extended type: keyword 
@@ -2776,11 +2983,36 @@ ignore_above: 1024 description: Version of the ELF header. default_field: false + - name: elf.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false - name: elf.imports level: extended type: flattened description: List of imported element names and types. default_field: false + - name: elf.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: elf.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false - name: elf.sections level: extended type: nested @@ -2831,6 +3063,12 @@ ignore_above: 1024 description: ELF Section List type. default_field: false + - name: elf.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false - name: elf.sections.virtual_address level: extended type: long 
@@ -2959,6 +3197,121 @@ ignore_above: 1024 description: Inode representing the file in the filesystem. example: '256383' + - name: macho.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: macho.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: macho.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: macho.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: macho.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: macho.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: macho.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: macho.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: macho.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: macho.sections + level: extended + type: nested + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + default_field: false + - name: macho.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: macho.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Mach-O Section List name. + default_field: false + - name: macho.sections.physical_size + level: extended + type: long + format: bytes + description: Mach-O Section List physical size. + default_field: false + - name: macho.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: macho.sections.virtual_size + level: extended + type: long + format: string + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: macho.symhash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. 
An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + default_field: false - name: mime_type level: extended type: keyword @@ -3029,6 +3382,42 @@ description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false + - name: pe.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: pe.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: pe.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: pe.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: pe.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false - name: pe.imphash level: extended type: keyword 
@@ -3040,6 +3429,36 @@ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false + - name: pe.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: pe.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: pe.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: pe.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false - name: pe.original_file_name level: extended type: keyword 
@@ -3065,20 +3484,58 @@ description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false - - name: size + - name: pe.sections level: extended - type: long - description: 'File size in bytes. + type: nested + description: 'An array containing an object for each section of the PE file. - Only relevant when `file.type` is "file".' - example: 16384 - - name: target_path + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + default_field: false + - name: pe.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: pe.sections.name level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text + description: PE Section List name. + default_field: false + - name: pe.sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. + default_field: false + - name: pe.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: pe.sections.virtual_size + level: extended + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: size + level: extended + type: long + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + - name: target_path + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text default_field: false description: Target path for symlinks. - name: type 
@@ -4070,6 +4527,128 @@ for RFC 5424 messages. example: 1 default_field: false + - name: macho + title: Mach-O Header + group: 2 + description: These fields contain Mac OS Mach Object file format (Mach-O) metadata. + type: group + default_field: true + fields: + - name: go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: sections + level: extended + type: nested + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + default_field: false + - name: sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Mach-O Section List name. + default_field: false + - name: sections.physical_size + level: extended + type: long + format: bytes + description: Mach-O Section List physical size. + default_field: false + - name: sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: sections.virtual_size + level: extended + type: long + format: string + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: symhash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. 
An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + default_field: false - name: network title: Network group: 2 @@ -4866,6 +5445,42 @@ description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false + - name: go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false - name: imphash level: extended type: keyword 
@@ -4877,6 +5492,36 @@ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false + - name: import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false - name: original_file_name level: extended type: keyword 
@@ -4902,6 +5547,44 @@ description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false + - name: sections + level: extended + type: nested + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + default_field: false + - name: sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: sections.name + level: extended + type: keyword + ignore_above: 1024 + description: PE Section List name. + default_field: false + - name: sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. + default_field: false + - name: sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: sections.virtual_size + level: extended + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. + default_field: false - name: process title: Process group: 2 
@@ -5054,6 +5737,42 @@ type: flattened description: List of exported element names and types. default_field: false + - name: elf.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: elf.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: elf.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: elf.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: elf.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false - name: elf.header.abi_version level: extended type: keyword 
@@ -5102,11 +5821,36 @@ ignore_above: 1024 description: Version of the ELF header. default_field: false + - name: elf.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false - name: elf.imports level: extended type: flattened description: List of imported element names and types. default_field: false + - name: elf.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: elf.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false - name: elf.sections level: extended type: nested @@ -5157,6 +5901,12 @@ ignore_above: 1024 description: ELF Section List type. default_field: false + - name: elf.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false - name: elf.sections.virtual_address level: extended type: long 
@@ -5972,6 +6722,121 @@ Currently only ''tty'' is supported. Other types may be added in the future for ''file'' and ''socket'' support.' default_field: false + - name: macho.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: macho.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: macho.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: macho.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: macho.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: macho.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: macho.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: macho.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: macho.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: macho.sections + level: extended + type: nested + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + default_field: false + - name: macho.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: macho.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Mach-O Section List name. + default_field: false + - name: macho.sections.physical_size + level: extended + type: long + format: bytes + description: Mach-O Section List physical size. + default_field: false + - name: macho.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: macho.sections.virtual_size + level: extended + type: long + format: string + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: macho.symhash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. 
An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + default_field: false - name: name level: extended type: keyword @@ -6126,6 +6991,42 @@ type: flattened description: List of exported element names and types. default_field: false + - name: parent.elf.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: parent.elf.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: parent.elf.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: parent.elf.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: parent.elf.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false - name: parent.elf.header.abi_version level: extended type: keyword 
@@ -6174,11 +7075,36 @@ ignore_above: 1024 description: Version of the ELF header. default_field: false + - name: parent.elf.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false - name: parent.elf.imports level: extended type: flattened description: List of imported element names and types. default_field: false + - name: parent.elf.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: parent.elf.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false - name: parent.elf.sections level: extended type: nested @@ -6229,6 +7155,12 @@ ignore_above: 1024 description: ELF Section List type. default_field: false + - name: parent.elf.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false - name: parent.elf.sections.virtual_address level: extended type: long 
@@ -6411,6 +7343,121 @@ connected to the controlling TTY.' example: true default_field: false + - name: parent.macho.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: parent.macho.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: parent.macho.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: parent.macho.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: parent.macho.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: parent.macho.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: parent.macho.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: parent.macho.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: parent.macho.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: parent.macho.sections + level: extended + type: nested + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + default_field: false + - name: parent.macho.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: parent.macho.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Mach-O Section List name. + default_field: false + - name: parent.macho.sections.physical_size + level: extended + type: long + format: bytes + description: Mach-O Section List physical size. + default_field: false + - name: parent.macho.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: parent.macho.sections.virtual_size + level: extended + type: long + format: string + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: parent.macho.symhash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. 
An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + default_field: false - name: parent.name level: extended type: keyword @@ -6451,6 +7498,42 @@ description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false + - name: parent.pe.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: parent.pe.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: parent.pe.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: parent.pe.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: parent.pe.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false - name: parent.pe.imphash level: extended type: keyword 
@@ -6462,6 +7545,36 @@ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false + - name: parent.pe.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: parent.pe.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: parent.pe.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: parent.pe.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false - name: parent.pe.original_file_name level: extended type: keyword 
@@ -6487,6 +7600,44 @@ description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false + - name: parent.pe.sections + level: extended + type: nested + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + default_field: false + - name: parent.pe.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: parent.pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: PE Section List name. + default_field: false + - name: parent.pe.sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. + default_field: false + - name: parent.pe.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: parent.pe.sections.virtual_size + level: extended + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. + default_field: false - name: parent.pgid level: extended type: long 
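Review bot: the description of `parent.pe.sections.virtual_size`, `PE Section List virtual size. This is always the same as \`physical_size\`.`, is wrong for PE. In the PE/COFF section header `VirtualSize` and `SizeOfRawData` routinely differ: raw data is padded up to `FileAlignment`, and a section holding uninitialized data has a `VirtualSize` larger than its `SizeOfRawData`, which may be zero. A large gap between the two is itself a common packer and in-memory-unpacking indicator, so drop the "always the same" sentence and describe the field as the section's size when mapped in memory. Also, `physical_size` is `format: bytes` while `virtual_size` is `format: string` even though both are byte counts; use `bytes` for both.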
@@ -6676,19 +7827,55 @@ description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - - name: pe.description + - name: pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: pe.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: pe.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: pe.go_imports_names_entropy level: extended - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. default_field: false - - name: pe.file_version + - name: pe.go_imports_names_var_entropy level: extended - type: keyword - ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ default_field: false + - name: pe.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. default_field: false - name: pe.imphash level: extended @@ -6701,6 +7888,36 @@ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false + - name: pe.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: pe.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: pe.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: pe.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false - name: pe.original_file_name level: extended type: keyword 
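Review bot: `pe.go_stripped` is a `boolean` whose description only defines the two cases for Go executables (`Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable.`) and does not say what a producer should emit for a binary that is not Go at all. Left unspecified, some integrations will write `false` for every PE, and a query for `pe.go_stripped:false` will stop meaning "unstripped Go binary". State explicitly that the field is omitted when the file is not a Go executable. Separately, the `-`/`+` pairs for `pe.description` and `pe.file_version` in the hunk above are an identical remove-and-re-add produced by diff alignment, not a change to those fields.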
@@ -6726,6 +7943,44 @@ description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false + - name: pe.sections + level: extended + type: nested + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + default_field: false + - name: pe.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: PE Section List name. + default_field: false + - name: pe.sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. + default_field: false + - name: pe.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: pe.sections.virtual_size + level: extended + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. + default_field: false - name: pgid level: extended type: long 
@@ -8764,6 +10019,42 @@ type: flattened description: List of exported element names and types. default_field: false + - name: enrichments.indicator.file.elf.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: enrichments.indicator.file.elf.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: enrichments.indicator.file.elf.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: enrichments.indicator.file.elf.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: enrichments.indicator.file.elf.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false - name: enrichments.indicator.file.elf.header.abi_version level: extended type: keyword 
@@ -8812,11 +10103,36 @@ ignore_above: 1024 description: Version of the ELF header. default_field: false + - name: enrichments.indicator.file.elf.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false - name: enrichments.indicator.file.elf.imports level: extended type: flattened description: List of imported element names and types. default_field: false + - name: enrichments.indicator.file.elf.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: enrichments.indicator.file.elf.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false - name: enrichments.indicator.file.elf.sections level: extended type: nested @@ -8867,6 +10183,12 @@ ignore_above: 1024 description: ELF Section List type. default_field: false + - name: enrichments.indicator.file.elf.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false - name: enrichments.indicator.file.elf.sections.virtual_address level: extended type: long 
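Review bot: `enrichments.indicator.file.elf.sections.var_entropy` is described only as `Variance for Shannon entropy calculation from the section.`, which does not say what population the variance is taken over (entropy of fixed-size windows across the section, or something else), so two producers can emit incomparable numbers under the same field name and a threshold tuned on one feed will not transfer to another. `go_import_hash` in the preceding hunk points at a reference implementation; do the same here, or spell out the window size and estimator in the description. The same one-line wording is used for every `*_var_entropy` field in this change, so the fix belongs in the shared schema text.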
@@ -9077,6 +10399,42 @@ description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false + - name: enrichments.indicator.file.pe.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: enrichments.indicator.file.pe.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: enrichments.indicator.file.pe.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: enrichments.indicator.file.pe.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: enrichments.indicator.file.pe.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false - name: enrichments.indicator.file.pe.imphash level: extended type: keyword 
@@ -9088,6 +10446,36 @@ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false + - name: enrichments.indicator.file.pe.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: enrichments.indicator.file.pe.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: enrichments.indicator.file.pe.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: enrichments.indicator.file.pe.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false - name: enrichments.indicator.file.pe.original_file_name level: extended type: keyword 
@@ -9113,6 +10501,44 @@ description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false + - name: enrichments.indicator.file.pe.sections + level: extended + type: nested + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + default_field: false + - name: enrichments.indicator.file.pe.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: enrichments.indicator.file.pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: PE Section List name. + default_field: false + - name: enrichments.indicator.file.pe.sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. + default_field: false + - name: enrichments.indicator.file.pe.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: enrichments.indicator.file.pe.sections.virtual_size + level: extended + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. + default_field: false - name: enrichments.indicator.file.size level: extended type: long 
@@ -10183,6 +11609,42 @@ type: flattened description: List of exported element names and types. default_field: false + - name: indicator.file.elf.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: indicator.file.elf.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: indicator.file.elf.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: indicator.file.elf.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: indicator.file.elf.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false - name: indicator.file.elf.header.abi_version level: extended type: keyword 
@@ -10231,11 +11693,36 @@ ignore_above: 1024 description: Version of the ELF header. default_field: false + - name: indicator.file.elf.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false - name: indicator.file.elf.imports level: extended type: flattened description: List of imported element names and types. default_field: false + - name: indicator.file.elf.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: indicator.file.elf.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false - name: indicator.file.elf.sections level: extended type: nested @@ -10286,6 +11773,12 @@ ignore_above: 1024 description: ELF Section List type. default_field: false + - name: indicator.file.elf.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false - name: indicator.file.elf.sections.virtual_address level: extended type: long 
@@ -10496,6 +11989,42 @@ description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false + - name: indicator.file.pe.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: indicator.file.pe.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: indicator.file.pe.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: indicator.file.pe.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: indicator.file.pe.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false - name: indicator.file.pe.imphash level: extended type: keyword 
@@ -10507,6 +12036,36 @@ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false + - name: indicator.file.pe.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: indicator.file.pe.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: indicator.file.pe.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: indicator.file.pe.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false - name: indicator.file.pe.original_file_name level: extended type: keyword 
@@ -10532,6 +12091,44 @@ description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false + - name: indicator.file.pe.sections + level: extended + type: nested + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + default_field: false + - name: indicator.file.pe.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: indicator.file.pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: PE Section List name. + default_field: false + - name: indicator.file.pe.sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. + default_field: false + - name: indicator.file.pe.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: indicator.file.pe.sections.virtual_size + level: extended + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. + default_field: false - name: indicator.file.size level: extended type: long diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index cce7cbc2a6..f7026779f1 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -167,10 +167,25 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 8.7.0-dev+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 8.7.0-dev+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.7.0-dev+exp,true,dll,dll.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev+exp,true,dll,dll.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.7.0-dev+exp,true,dll,dll.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.7.0-dev+exp,true,dll,dll.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.7.0-dev+exp,true,dll,dll.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 8.7.0-dev+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.7.0-dev+exp,true,dll,dll.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.7.0-dev+exp,true,dll,dll.pe.imports,flattened,extended,array,,List of imported element names and types. +8.7.0-dev+exp,true,dll,dll.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.7.0-dev+exp,true,dll,dll.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 8.7.0-dev+exp,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
8.7.0-dev+exp,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. 8.7.0-dev+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.7.0-dev+exp,true,dll,dll.pe.sections,nested,extended,array,,Section information of the PE file. +8.7.0-dev+exp,true,dll,dll.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.7.0-dev+exp,true,dll,dll.pe.sections.name,keyword,extended,,,PE Section List name. +8.7.0-dev+exp,true,dll,dll.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.7.0-dev+exp,true,dll,dll.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.7.0-dev+exp,true,dll,dll.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. 8.7.0-dev+exp,true,dns,dns.answers,object,extended,array,,Array of DNS answers. 8.7.0-dev+exp,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. 8.7.0-dev+exp,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. 
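Review bot: the short descriptions for `dll.pe.go_import_hash` (`A hash of the Go language imports in an ELF file.`) and `dll.pe.import_hash` (`A hash of the imports in an ELF file.`) say ELF for fields under `dll.pe.*`; the long descriptions in the YAML say PE, so the short text was copied from the ELF definitions without being edited. The same ELF wording recurs on the `file.pe.*` and `file.macho.*` rows further down in this file. A drive-by on the unchanged context line: `dll.pe.file_version` still carries the short description `Process name.`, which is plainly a leftover from another field set and could be corrected in the same pass.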
@@ -278,6 +293,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. 8.7.0-dev+exp,true,file,file.elf.creation_date,date,extended,,,Build or compile date. 8.7.0-dev+exp,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. +8.7.0-dev+exp,true,file,file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev+exp,true,file,file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.7.0-dev+exp,true,file,file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.7.0-dev+exp,true,file,file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.7.0-dev+exp,true,file,file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 8.7.0-dev+exp,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). 8.7.0-dev+exp,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. 8.7.0-dev+exp,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. 
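Review bot: `file.elf.go_imports` is `flattened` and described as a `List of imported Go language element names and types.`, but its Normalization column is empty, while the neighbouring `file.elf.exports` row (and `file.elf.imports` in the next hunk) carries `array`. A list-valued field without array normalization will be emitted as a single object by some producers and as an array by others, which breaks any query or ingest pipeline that assumes one shape. Add the array normalization to `go_imports` in the schema; the same omission recurs for every `*.go_imports` row in this file.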
@@ -286,7 +306,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. 8.7.0-dev+exp,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. 8.7.0-dev+exp,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. +8.7.0-dev+exp,true,file,file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. 8.7.0-dev+exp,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. +8.7.0-dev+exp,true,file,file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.7.0-dev+exp,true,file,file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 8.7.0-dev+exp,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. 8.7.0-dev+exp,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. 8.7.0-dev+exp,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. 
@@ -295,6 +318,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. 8.7.0-dev+exp,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. 8.7.0-dev+exp,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.7.0-dev+exp,true,file,file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 8.7.0-dev+exp,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. 8.7.0-dev+exp,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. 8.7.0-dev+exp,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. 
@@ -314,6 +338,22 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. 8.7.0-dev+exp,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. 8.7.0-dev+exp,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +8.7.0-dev+exp,true,file,file.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev+exp,true,file,file.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.7.0-dev+exp,true,file,file.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.7.0-dev+exp,true,file,file.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.7.0-dev+exp,true,file,file.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.7.0-dev+exp,true,file,file.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.7.0-dev+exp,true,file,file.macho.imports,flattened,extended,array,,List of imported element names and types. +8.7.0-dev+exp,true,file,file.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.7.0-dev+exp,true,file,file.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.7.0-dev+exp,true,file,file.macho.sections,nested,extended,array,,Section information of the Mach-O file. +8.7.0-dev+exp,true,file,file.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.7.0-dev+exp,true,file,file.macho.sections.name,keyword,extended,,,Mach-O Section List name. 
+8.7.0-dev+exp,true,file,file.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +8.7.0-dev+exp,true,file,file.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.7.0-dev+exp,true,file,file.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +8.7.0-dev+exp,true,file,file.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. 8.7.0-dev+exp,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." 8.7.0-dev+exp,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. 8.7.0-dev+exp,true,file,file.mtime,date,extended,,,Last time the file content was modified. 
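Review bot: the `file.macho.*` rows introduce both `file.macho.import_hash` (`A hash of the imports in an ELF file.`, example `d41d8cd98f00b204e9800998ecf8427e`, which is the MD5 of empty input) and `file.macho.symhash` (`A hash of the imports in a Mach-O file.`, example `d3ccf195b62a9279c3c19af1080497ec`). Two fields that are both described as the hash of the file's imports, with different example values and no statement of how they relate, will be filled inconsistently. The PE set at least declares `import_hash` a synonym for `imphash`; either document the same relationship between `import_hash` and `symhash` here and give both the same example value, or keep only one of them. Fix the ELF wording in `file.macho.go_import_hash` and `file.macho.import_hash` while at it.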
@@ -325,10 +365,25 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 8.7.0-dev+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 8.7.0-dev+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.7.0-dev+exp,true,file,file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev+exp,true,file,file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.7.0-dev+exp,true,file,file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.7.0-dev+exp,true,file,file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.7.0-dev+exp,true,file,file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 8.7.0-dev+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.7.0-dev+exp,true,file,file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.7.0-dev+exp,true,file,file.pe.imports,flattened,extended,array,,List of imported element names and types. +8.7.0-dev+exp,true,file,file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.7.0-dev+exp,true,file,file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 8.7.0-dev+exp,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
8.7.0-dev+exp,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. 8.7.0-dev+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.7.0-dev+exp,true,file,file.pe.sections,nested,extended,array,,Section information of the PE file. +8.7.0-dev+exp,true,file,file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.7.0-dev+exp,true,file,file.pe.sections.name,keyword,extended,,,PE Section List name. +8.7.0-dev+exp,true,file,file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.7.0-dev+exp,true,file,file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.7.0-dev+exp,true,file,file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. 8.7.0-dev+exp,true,file,file.size,long,extended,,16384,File size in bytes. 8.7.0-dev+exp,true,file,file.target_path,keyword,extended,,,Target path for symlinks. 8.7.0-dev+exp,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. 
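Review bot: the descriptions of `file.pe.go_import_hash` ("A hash of the Go language imports in an ELF file") and `file.pe.import_hash` ("A hash of the imports in an ELF file") are copied from the ELF field set and are wrong for a PE field; the same two sentences reappear on every `pe.*` and `macho.*` copy in this patch (`process.pe`, `process.parent.pe`, `process.macho`, `threat.indicator.file.pe`, and so on). Since this CSV is generated output, fix the wording once in the schema definitions it is generated from and regenerate rather than editing the CSV. `file.pe.import_hash` also now sits beside the existing `file.pe.imphash` ("A hash of the imports in a PE file") with nothing in either description saying how the two differ; state the algorithm, or the input each one hashes, so consumers do not treat them as interchangeable in detections.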
@@ -544,6 +599,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. 8.7.0-dev+exp,true,process,process.elf.creation_date,date,extended,,,Build or compile date. 8.7.0-dev+exp,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. +8.7.0-dev+exp,true,process,process.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev+exp,true,process,process.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.7.0-dev+exp,true,process,process.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.7.0-dev+exp,true,process,process.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.7.0-dev+exp,true,process,process.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 8.7.0-dev+exp,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). 8.7.0-dev+exp,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. 8.7.0-dev+exp,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. 
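Review bot: `process.elf.go_imports` is added with an empty Normalization column although its description reads "List of imported Go language element names and types", while the neighbouring `process.elf.exports` and `process.elf.imports` lines carry `array`; either mark `go_imports` as `array` too or explain why a list field is not normalized as one. The same gap is present on every other `go_imports` field in this patch. Separately, `process.elf.go_stripped` is described as "stripped or obfuscated", which are two different properties (symbol table removed versus names deliberately mangled); the description should say which one a `true` value means.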
@@ -552,7 +612,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. 8.7.0-dev+exp,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. 8.7.0-dev+exp,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. +8.7.0-dev+exp,true,process,process.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. 8.7.0-dev+exp,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. +8.7.0-dev+exp,true,process,process.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.7.0-dev+exp,true,process,process.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 8.7.0-dev+exp,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. 8.7.0-dev+exp,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. 8.7.0-dev+exp,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. 
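Review bot: `process.elf.imports_names_entropy` and `process.elf.imports_names_var_entropy` are typed `long`, but Shannon entropy is a fractional number of bits and its variance is likewise fractional, so an integer type throws away most of the signal that makes the field useful for spotting packed or mangled import tables; `float` or `scaled_float` would fit. This does follow the existing `process.elf.sections.entropy` convention visible in the same hunk, so if `long` is kept on purpose, document the scaling the producer applies. Also, the example value given for `process.elf.import_hash`, `d41d8cd98f00b204e9800998ecf8427e`, is the MD5 of empty input, i.e. the hash you get with no imports at all; a non-degenerate example would be clearer.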
@@ -561,6 +624,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. 8.7.0-dev+exp,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. 8.7.0-dev+exp,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. +8.7.0-dev+exp,true,process,process.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 8.7.0-dev+exp,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. 8.7.0-dev+exp,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. 8.7.0-dev+exp,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. 
@@ -673,6 +737,22 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,process,process.io.total_bytes_captured,number,extended,,,The total number of bytes captured in this event. 8.7.0-dev+exp,true,process,process.io.total_bytes_skipped,number,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. 8.7.0-dev+exp,true,process,process.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. +8.7.0-dev+exp,true,process,process.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev+exp,true,process,process.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.7.0-dev+exp,true,process,process.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.7.0-dev+exp,true,process,process.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.7.0-dev+exp,true,process,process.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.7.0-dev+exp,true,process,process.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.7.0-dev+exp,true,process,process.macho.imports,flattened,extended,array,,List of imported element names and types. +8.7.0-dev+exp,true,process,process.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.7.0-dev+exp,true,process,process.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.7.0-dev+exp,true,process,process.macho.sections,nested,extended,array,,Section information of the Mach-O file. 
+8.7.0-dev+exp,true,process,process.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.7.0-dev+exp,true,process,process.macho.sections.name,keyword,extended,,,Mach-O Section List name. +8.7.0-dev+exp,true,process,process.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +8.7.0-dev+exp,true,process,process.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.7.0-dev+exp,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +8.7.0-dev+exp,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. 8.7.0-dev+exp,true,process,process.name,keyword,extended,,ssh,Process name. 8.7.0-dev+exp,true,process,process.name.text,match_only_text,extended,,ssh,Process name. 8.7.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 
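Review bot: this hunk adds two import hashes for one Mach-O, `process.macho.import_hash` ("A hash of the imports in an ELF file") and `process.macho.symhash` ("A hash of the imports in a Mach-O file"), with no way to tell which algorithm produces which; give each description the algorithm or the exact input it hashes, and fix the "ELF" wording. The `process.macho.sections` group also lacks the `physical_offset`, `type`, `virtual_address` and `chi2` fields that `process.elf.sections` carries above; if Mach-O producers cannot fill them that is acceptable, but consistent section fields across formats make cross-platform rules simpler to write.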
@@ -693,6 +773,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. 8.7.0-dev+exp,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. 8.7.0-dev+exp,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. +8.7.0-dev+exp,true,process,process.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev+exp,true,process,process.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.7.0-dev+exp,true,process,process.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.7.0-dev+exp,true,process,process.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.7.0-dev+exp,true,process,process.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 8.7.0-dev+exp,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). 8.7.0-dev+exp,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. 8.7.0-dev+exp,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. 
@@ -701,7 +786,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. 8.7.0-dev+exp,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. 8.7.0-dev+exp,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. +8.7.0-dev+exp,true,process,process.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. 8.7.0-dev+exp,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. +8.7.0-dev+exp,true,process,process.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.7.0-dev+exp,true,process,process.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 8.7.0-dev+exp,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. 8.7.0-dev+exp,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. 8.7.0-dev+exp,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. 
@@ -710,6 +798,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. 8.7.0-dev+exp,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. 8.7.0-dev+exp,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. +8.7.0-dev+exp,true,process,process.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 8.7.0-dev+exp,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. 8.7.0-dev+exp,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. 8.7.0-dev+exp,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. 
@@ -735,16 +824,47 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. 8.7.0-dev+exp,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. 8.7.0-dev+exp,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.7.0-dev+exp,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev+exp,true,process,process.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.7.0-dev+exp,true,process,process.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.7.0-dev+exp,true,process,process.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.7.0-dev+exp,true,process,process.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.7.0-dev+exp,true,process,process.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.7.0-dev+exp,true,process,process.parent.macho.imports,flattened,extended,array,,List of imported element names and types. +8.7.0-dev+exp,true,process,process.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.7.0-dev+exp,true,process,process.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.7.0-dev+exp,true,process,process.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file. 
+8.7.0-dev+exp,true,process,process.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.7.0-dev+exp,true,process,process.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name. +8.7.0-dev+exp,true,process,process.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +8.7.0-dev+exp,true,process,process.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.7.0-dev+exp,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +8.7.0-dev+exp,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. 8.7.0-dev+exp,true,process,process.parent.name,keyword,extended,,ssh,Process name. 8.7.0-dev+exp,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. 8.7.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 8.7.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 8.7.0-dev+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 8.7.0-dev+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.7.0-dev+exp,true,process,process.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev+exp,true,process,process.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.7.0-dev+exp,true,process,process.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
+8.7.0-dev+exp,true,process,process.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.7.0-dev+exp,true,process,process.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 8.7.0-dev+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.7.0-dev+exp,true,process,process.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.7.0-dev+exp,true,process,process.parent.pe.imports,flattened,extended,array,,List of imported element names and types. +8.7.0-dev+exp,true,process,process.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.7.0-dev+exp,true,process,process.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 8.7.0-dev+exp,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 8.7.0-dev+exp,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. 8.7.0-dev+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.7.0-dev+exp,true,process,process.parent.pe.sections,nested,extended,array,,Section information of the PE file. +8.7.0-dev+exp,true,process,process.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.7.0-dev+exp,true,process,process.parent.pe.sections.name,keyword,extended,,,PE Section List name. +8.7.0-dev+exp,true,process,process.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. 
+8.7.0-dev+exp,true,process,process.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.7.0-dev+exp,true,process,process.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. 8.7.0-dev+exp,true,process,process.parent.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. 8.7.0-dev+exp,true,process,process.parent.pid,long,core,,4242,Process id. 8.7.0-dev+exp,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
@@ -777,10 +897,25 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 8.7.0-dev+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 8.7.0-dev+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.7.0-dev+exp,true,process,process.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev+exp,true,process,process.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.7.0-dev+exp,true,process,process.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.7.0-dev+exp,true,process,process.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.7.0-dev+exp,true,process,process.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 8.7.0-dev+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.7.0-dev+exp,true,process,process.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.7.0-dev+exp,true,process,process.pe.imports,flattened,extended,array,,List of imported element names and types. +8.7.0-dev+exp,true,process,process.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.7.0-dev+exp,true,process,process.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
8.7.0-dev+exp,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 8.7.0-dev+exp,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. 8.7.0-dev+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.7.0-dev+exp,true,process,process.pe.sections,nested,extended,array,,Section information of the PE file. +8.7.0-dev+exp,true,process,process.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.7.0-dev+exp,true,process,process.pe.sections.name,keyword,extended,,,PE Section List name. +8.7.0-dev+exp,true,process,process.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.7.0-dev+exp,true,process,process.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.7.0-dev+exp,true,process,process.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. 8.7.0-dev+exp,true,process,process.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. 8.7.0-dev+exp,true,process,process.pid,long,core,,4242,Process id. 8.7.0-dev+exp,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 
@@ -1016,6 +1151,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. 
@@ -1024,7 +1164,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. 
@@ -1033,6 +1176,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. 
@@ -1063,10 +1207,25 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. 
+8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. 
8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. @@ -1207,6 +1366,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. 8.7.0-dev+exp,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. 8.7.0-dev+exp,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +8.7.0-dev+exp,true,threat,threat.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.7.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.7.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.7.0-dev+exp,true,threat,threat.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 8.7.0-dev+exp,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). 8.7.0-dev+exp,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. 8.7.0-dev+exp,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. 
@@ -1215,7 +1379,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. 8.7.0-dev+exp,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. 8.7.0-dev+exp,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +8.7.0-dev+exp,true,threat,threat.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. 8.7.0-dev+exp,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +8.7.0-dev+exp,true,threat,threat.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.7.0-dev+exp,true,threat,threat.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 8.7.0-dev+exp,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. 8.7.0-dev+exp,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. 8.7.0-dev+exp,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. 
@@ -1224,6 +1391,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. 8.7.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. 8.7.0-dev+exp,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.7.0-dev+exp,true,threat,threat.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 8.7.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. 8.7.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. 8.7.0-dev+exp,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. 
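Review bot: the description of `threat.indicator.file.elf.sections.var_entropy`, `Variance for Shannon entropy calculation from the section`, does not say what population the variance is taken over (entropy of fixed-size blocks within the section, and if so what block size). Without that, values from different producers are not comparable; suggest spelling it out here and in the schema source the generated files come from.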
@@ -1254,10 +1422,25 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 8.7.0-dev+exp,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 8.7.0-dev+exp,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.7.0-dev+exp,true,threat,threat.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.7.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.7.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.7.0-dev+exp,true,threat,threat.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 8.7.0-dev+exp,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.7.0-dev+exp,true,threat,threat.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.7.0-dev+exp,true,threat,threat.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. +8.7.0-dev+exp,true,threat,threat.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
+8.7.0-dev+exp,true,threat,threat.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 8.7.0-dev+exp,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 8.7.0-dev+exp,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. 8.7.0-dev+exp,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.7.0-dev+exp,true,threat,threat.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. +8.7.0-dev+exp,true,threat,threat.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.7.0-dev+exp,true,threat,threat.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. +8.7.0-dev+exp,true,threat,threat.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.7.0-dev+exp,true,threat,threat.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.7.0-dev+exp,true,threat,threat.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. 8.7.0-dev+exp,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. 8.7.0-dev+exp,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. 8.7.0-dev+exp,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index c1878e6bed..2c85f9915f 100644 --- a/experimental/generated/ecs/ecs_flat.yml 
+++ b/experimental/generated/ecs/ecs_flat.yml 
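Review bot: in the fields.csv hunk above for `threat.indicator.file.pe.*`, the short descriptions of `threat.indicator.file.pe.go_import_hash` (`A hash of the Go language imports in an ELF file.`) and `threat.indicator.file.pe.import_hash` (`A hash of the imports in an ELF file.`) were copied from the ELF field set and should say PE. Since these are generated files, fix the `short` text in the schema definition and regenerate; the same ELF wording recurs in every generated `pe.*` and `macho.*` copy below. Also, `pe.import_hash` is introduced next to the existing `pe.imphash` context line as the same value under a second name; the description should say which field producers are expected to populate, or mark one as deprecated.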
@@ -2023,6 +2023,67 @@ dll.pe.file_version: original_fieldset: pe short: Process name. type: keyword +dll.pe.go_import_hash: + dashed_name: dll-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: dll.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in an ELF file. + type: keyword +dll.pe.go_imports: + dashed_name: dll-pe-go-imports + description: List of imported Go language element names and types. + flat_name: dll.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +dll.pe.go_imports_names_entropy: + dashed_name: dll-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: dll.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +dll.pe.go_imports_names_var_entropy: + dashed_name: dll-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: dll.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long +dll.pe.go_stripped: + dashed_name: dll-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: dll.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean dll.pe.imphash: dashed_name: dll-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- 
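Review bot: `dll.pe.go_stripped` is documented as `Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable`, which leaves the value for a non-Go binary undefined; a consumer cannot tell `false` (unobfuscated Go) from `false` (not Go at all, or not inspected). Suggest stating that the field is left unset for non-Go executables, so that `false` remains meaningful.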
@@ -2039,6 +2100,58 @@ dll.pe.imphash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword +dll.pe.import_hash: + dashed_name: dll-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: dll.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in an ELF file. + type: keyword +dll.pe.imports: + dashed_name: dll-pe-imports + description: List of imported element names and types. + flat_name: dll.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened +dll.pe.imports_names_entropy: + dashed_name: dll-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: dll.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +dll.pe.imports_names_var_entropy: + dashed_name: dll-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: dll.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long dll.pe.original_file_name: dashed_name: dll-pe-original-file-name description: Internal name of the file, provided at compile-time. 
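Review bot: the example for `dll.pe.import_hash`, `d41d8cd98f00b204e9800998ecf8427e`, is the MD5 of empty input, i.e. the import hash of a binary with no imports; as an example it suggests the field is computed over nothing. Prefer a value taken from a binary that actually imports symbols, as the neighbouring `dll.pe.imphash` entry does. The same example is reused for every `import_hash` field in this patch.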
@@ -2079,6 +2192,75 @@ dll.pe.product: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword +dll.pe.sections: + dashed_name: dll-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: dll.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +dll.pe.sections.entropy: + dashed_name: dll-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: dll.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +dll.pe.sections.name: + dashed_name: dll-pe-sections-name + description: PE Section List name. + flat_name: dll.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword +dll.pe.sections.physical_size: + dashed_name: dll-pe-sections-physical-size + description: PE Section List physical size. + flat_name: dll.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +dll.pe.sections.var_entropy: + dashed_name: dll-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: dll.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +dll.pe.sections.virtual_size: + dashed_name: dll-pe-sections-virtual-size + description: PE Section List virtual size. 
This is always the same as `physical_size`. + flat_name: dll.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long dns.answers: dashed_name: dns-answers description: 'An array containing an object for each answer section returned by 
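Review bot: `dll.pe.sections.virtual_size` is declared `type: long` with `format: string`, while its sibling `physical_size` uses `format: bytes`; `string` looks like a typo for `bytes`. The description `This is always the same as physical_size` is also not true for PE: a section header carries both VirtualSize and SizeOfRawData, and they differ by file-alignment padding and for sections with uninitialized data. Suggest `format: bytes` and dropping the claim, or dropping the field if the producer really never fills it with anything but `physical_size`.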
@@ -3887,6 +4069,67 @@ file.elf.exports: original_fieldset: elf short: List of exported element names and types. type: flattened +file.elf.go_import_hash: + dashed_name: file-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: file.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword +file.elf.go_imports: + dashed_name: file-elf-go-imports + description: List of imported Go language element names and types. + flat_name: file.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened +file.elf.go_imports_names_entropy: + dashed_name: file-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: file.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long +file.elf.go_imports_names_var_entropy: + dashed_name: file-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: file.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +file.elf.go_stripped: + dashed_name: file-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: file.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean file.elf.header.abi_version: dashed_name: file-elf-header-abi-version description: Version of the ELF Application Binary Interface (ABI). @@ -3975,6 +4218,22 @@ file.elf.header.version: original_fieldset: elf short: Version of the ELF header. type: keyword +file.elf.import_hash: + dashed_name: file-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: file.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword file.elf.imports: dashed_name: file-elf-imports description: List of imported element names and types. 
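Review bot: the `file.elf.import_hash` description says only `This is an ELF implementation of the Windows PE imphash.`, without saying what is hashed (which imported symbol names, in what order, with what normalization) or which hash function is used; import hashes from two producers that make different choices will not match, which defeats the fingerprinting purpose stated in the same description. The `go_import_hash` entry above links its reference implementation; suggest doing the same here, or stating the algorithm inline.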
@@ -3986,6 +4245,31 @@ file.elf.imports: original_fieldset: elf short: List of imported element names and types. type: flattened +file.elf.imports_names_entropy: + dashed_name: file-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: file.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and types. + type: long +file.elf.imports_names_var_entropy: + dashed_name: file-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: file.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long file.elf.sections: dashed_name: file-elf-sections description: 'An array containing an object for each section of the ELF file. @@ -4077,6 +4361,17 @@ file.elf.sections.type: original_fieldset: elf short: ELF Section List type. type: keyword +file.elf.sections.var_entropy: + dashed_name: file-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: file.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long file.elf.sections.virtual_address: dashed_name: file-elf-sections-virtual-address description: ELF Section List virtual address. 
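Review bot: `file.elf.imports_names_entropy` is named after import names but described as `Shannon entropy calculation from the list of imported element names and types`; if the types are part of the entropy input the name is misleading, and if they are not the description is. Suggest aligning the two so producers compute the value over the same input; the same wording is used for the `var_entropy` twin and for the `pe.*` and `macho.*` copies.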
@@ -4305,6 +4600,204 @@ file.inode: normalize: [] short: Inode representing the file in the filesystem. type: keyword +file.macho.go_import_hash: + dashed_name: file-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: file.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in an ELF file. + type: keyword +file.macho.go_imports: + dashed_name: file-macho-go-imports + description: List of imported Go language element names and types. + flat_name: file.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +file.macho.go_imports_names_entropy: + dashed_name: file-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: file.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long +file.macho.go_imports_names_var_entropy: + dashed_name: file-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: file.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +file.macho.go_stripped: + dashed_name: file-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: file.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +file.macho.import_hash: + dashed_name: file-macho-import-hash + description: 'A hash of the imports in an Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: file.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in an ELF file. + type: keyword +file.macho.imports: + dashed_name: file-macho-imports + description: List of imported element names and types. + flat_name: file.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened +file.macho.imports_names_entropy: + dashed_name: file-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: file.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. 
+ type: long +file.macho.imports_names_var_entropy: + dashed_name: file-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: file.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +file.macho.sections: + dashed_name: file-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: file.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested +file.macho.sections.entropy: + dashed_name: file-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: file.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long +file.macho.sections.name: + dashed_name: file-macho-sections-name + description: Mach-O Section List name. + flat_name: file.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword +file.macho.sections.physical_size: + dashed_name: file-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: file.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. 
+ type: long +file.macho.sections.var_entropy: + dashed_name: file-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: file.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long +file.macho.sections.virtual_size: + dashed_name: file-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: file.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long +file.macho.symhash: + dashed_name: file-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: file.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword file.mime_type: dashed_name: file-mime-type description: MIME type should identify the format of the file or stream of bytes 
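Review bot: `file.macho.import_hash` is added as `a synonym for symhash` alongside `file.macho.symhash` in the same hunk, so the same value would be carried under two names; suggest stating which one producers should populate. Three smaller fixes in the same hunk: the `import_hash` description reads `in an Mach-O file` (should be `a Mach-O file`), its `short` says `in an ELF file`, and the `symhash` description `This is a Mach-O implementation of the Windows PE imphash` is missing its final period.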
@@ -4424,6 +4917,67 @@ file.pe.file_version: original_fieldset: pe short: Process name. type: keyword +file.pe.go_import_hash: + dashed_name: file-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: file.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in an ELF file. + type: keyword +file.pe.go_imports: + dashed_name: file-pe-go-imports + description: List of imported Go language element names and types. + flat_name: file.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +file.pe.go_imports_names_entropy: + dashed_name: file-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: file.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +file.pe.go_imports_names_var_entropy: + dashed_name: file-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: file.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long +file.pe.go_stripped: + dashed_name: file-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: file.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean file.pe.imphash: dashed_name: file-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- 
@@ -4440,6 +4994,58 @@ file.pe.imphash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword +file.pe.import_hash: + dashed_name: file-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: file.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in an ELF file. + type: keyword +file.pe.imports: + dashed_name: file-pe-imports + description: List of imported element names and types. + flat_name: file.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened +file.pe.imports_names_entropy: + dashed_name: file-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: file.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +file.pe.imports_names_var_entropy: + dashed_name: file-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: file.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long file.pe.original_file_name: dashed_name: file-pe-original-file-name description: Internal name of the file, provided at compile-time. 
@@ -4478,8 +5084,77 @@ file.pe.product: name: product normalize: [] original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword + short: Internal product name of the file, provided at compile-time. + type: keyword +file.pe.sections: + dashed_name: file-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: file.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +file.pe.sections.entropy: + dashed_name: file-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: file.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +file.pe.sections.name: + dashed_name: file-pe-sections-name + description: PE Section List name. + flat_name: file.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword +file.pe.sections.physical_size: + dashed_name: file-pe-sections-physical-size + description: PE Section List physical size. + flat_name: file.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +file.pe.sections.var_entropy: + dashed_name: file-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: file.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. 
+ type: long +file.pe.sections.virtual_size: + dashed_name: file-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: file.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long file.size: dashed_name: file-size description: 'File size in bytes. 
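Review bot: the `@@ -4478,8 +5084,77 @@` hunk removes and re-adds `short: Internal product name of the file, provided at compile-time.` and `type: keyword` under `file.pe.product` with no visible change, which usually means trailing whitespace or a line-ending difference from the generator. Worth confirming it is intentional, since no-op churn in generated files makes the real additions harder to review.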
@@ -7130,6 +7805,67 @@ process.elf.exports: original_fieldset: elf short: List of exported element names and types. type: flattened +process.elf.go_import_hash: + dashed_name: process-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword +process.elf.go_imports: + dashed_name: process-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened +process.elf.go_imports_names_entropy: + dashed_name: process-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long +process.elf.go_imports_names_var_entropy: + dashed_name: process-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.elf.go_stripped: + dashed_name: process-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean process.elf.header.abi_version: dashed_name: process-elf-header-abi-version description: Version of the ELF Application Binary Interface (ABI). @@ -7218,6 +7954,22 @@ process.elf.header.version: original_fieldset: elf short: Version of the ELF header. type: keyword +process.elf.import_hash: + dashed_name: process-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword process.elf.imports: dashed_name: process-elf-imports description: List of imported element names and types. 
@@ -7229,6 +7981,31 @@ process.elf.imports: original_fieldset: elf short: List of imported element names and types. type: flattened +process.elf.imports_names_entropy: + dashed_name: process-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.elf.imports_names_var_entropy: + dashed_name: process-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long process.elf.sections: dashed_name: process-elf-sections description: 'An array containing an object for each section of the ELF file. @@ -7320,6 +8097,17 @@ process.elf.sections.type: original_fieldset: elf short: ELF Section List type. type: keyword +process.elf.sections.var_entropy: + dashed_name: process-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long process.elf.sections.virtual_address: dashed_name: process-elf-sections-virtual-address description: ELF Section List virtual address. 
@@ -8638,6 +9426,204 @@ process.io.type: normalize: [] short: The type of object on which the IO action (read or write) was taken. type: keyword +process.macho.go_import_hash: + dashed_name: process-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in an ELF file. + type: keyword +process.macho.go_imports: + dashed_name: process-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +process.macho.go_imports_names_entropy: + dashed_name: process-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long +process.macho.go_imports_names_var_entropy: + dashed_name: process-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.macho.go_stripped: + dashed_name: process-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.macho.import_hash: + dashed_name: process-macho-import-hash + description: 'A hash of the imports in an Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in an ELF file. + type: keyword +process.macho.imports: + dashed_name: process-macho-imports + description: List of imported element names and types. + flat_name: process.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened +process.macho.imports_names_entropy: + dashed_name: process-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.macho.imports_names_var_entropy: + dashed_name: process-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.macho.sections: + dashed_name: process-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: process.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested +process.macho.sections.entropy: + dashed_name: process-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long +process.macho.sections.name: + dashed_name: process-macho-sections-name + description: Mach-O Section List name. + flat_name: process.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword +process.macho.sections.physical_size: + dashed_name: process-macho-sections-physical-size + description: Mach-O Section List physical size. 
+ flat_name: process.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long +process.macho.sections.var_entropy: + dashed_name: process-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long +process.macho.sections.virtual_size: + dashed_name: process-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long +process.macho.symhash: + dashed_name: process-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword process.name: dashed_name: process-name description: 'Process name. 
@@ -8886,6 +9872,67 @@ process.parent.elf.exports: original_fieldset: elf short: List of exported element names and types. type: flattened +process.parent.elf.go_import_hash: + dashed_name: process-parent-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword +process.parent.elf.go_imports: + dashed_name: process-parent-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened +process.parent.elf.go_imports_names_entropy: + dashed_name: process-parent-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long +process.parent.elf.go_imports_names_var_entropy: + dashed_name: process-parent-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.parent.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.parent.elf.go_stripped: + dashed_name: process-parent-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean process.parent.elf.header.abi_version: dashed_name: process-parent-elf-header-abi-version description: Version of the ELF Application Binary Interface (ABI). @@ -8974,6 +10021,22 @@ process.parent.elf.header.version: original_fieldset: elf short: Version of the ELF header. type: keyword +process.parent.elf.import_hash: + dashed_name: process-parent-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword process.parent.elf.imports: dashed_name: process-parent-elf-imports description: List of imported element names and types. 
@@ -8985,6 +10048,31 @@ process.parent.elf.imports: original_fieldset: elf short: List of imported element names and types. type: flattened +process.parent.elf.imports_names_entropy: + dashed_name: process-parent-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.parent.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.parent.elf.imports_names_var_entropy: + dashed_name: process-parent-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long process.parent.elf.sections: dashed_name: process-parent-elf-sections description: 'An array containing an object for each section of the ELF file. @@ -9076,6 +10164,17 @@ process.parent.elf.sections.type: original_fieldset: elf short: ELF Section List type. type: keyword +process.parent.elf.sections.var_entropy: + dashed_name: process-parent-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long process.parent.elf.sections.virtual_address: dashed_name: process-parent-elf-sections-virtual-address description: ELF Section List virtual address. 
@@ -9344,43 +10443,241 @@ process.parent.hash.ssdeep: flat_name: process.parent.hash.ssdeep ignore_above: 1024 level: extended - name: ssdeep + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword +process.parent.hash.tlsh: + dashed_name: process-parent-hash-tlsh + description: TLSH hash. + flat_name: process.parent.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword +process.parent.interactive: + dashed_name: process-parent-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.parent.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.parent.macho.go_import_hash: + dashed_name: process-parent-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' 
+ example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in an ELF file. + type: keyword +process.parent.macho.go_imports: + dashed_name: process-parent-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +process.parent.macho.go_imports_names_entropy: + dashed_name: process-parent-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long +process.parent.macho.go_imports_names_var_entropy: + dashed_name: process-parent-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.parent.macho.go_stripped: + dashed_name: process-parent-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. 
+ type: boolean +process.parent.macho.import_hash: + dashed_name: process-parent-macho-import-hash + description: 'A hash of the imports in an Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in an ELF file. + type: keyword +process.parent.macho.imports: + dashed_name: process-parent-macho-imports + description: List of imported element names and types. + flat_name: process.parent.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened +process.parent.macho.imports_names_entropy: + dashed_name: process-parent-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.parent.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.parent.macho.imports_names_var_entropy: + dashed_name: process-parent-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. 
+ type: long +process.parent.macho.sections: + dashed_name: process-parent-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: process.parent.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested +process.parent.macho.sections.entropy: + dashed_name: process-parent-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.macho.sections.entropy + format: number + level: extended + name: sections.entropy normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword -process.parent.hash.tlsh: - dashed_name: process-parent-hash-tlsh - description: TLSH hash. - flat_name: process.parent.hash.tlsh + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long +process.parent.macho.sections.name: + dashed_name: process-parent-macho-sections-name + description: Mach-O Section List name. + flat_name: process.parent.macho.sections.name ignore_above: 1024 level: extended - name: tlsh + name: sections.name normalize: [] - original_fieldset: hash - short: TLSH hash. + original_fieldset: macho + short: Mach-O Section List name. type: keyword -process.parent.interactive: - dashed_name: process-parent-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. +process.parent.macho.sections.physical_size: + dashed_name: process-parent-macho-sections-physical-size + description: Mach-O Section List physical size. 
+ flat_name: process.parent.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long +process.parent.macho.sections.var_entropy: + dashed_name: process-parent-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long +process.parent.macho.sections.virtual_size: + dashed_name: process-parent-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.parent.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long +process.parent.macho.symhash: + dashed_name: process-parent-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' 
- example: true - flat_name: process.parent.interactive + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.parent.macho.symhash + ignore_above: 1024 level: extended - name: interactive + name: symhash normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword process.parent.name: dashed_name: process-parent-name description: 'Process name. 
@@ -9447,6 +10744,67 @@ process.parent.pe.file_version: original_fieldset: pe short: Process name. type: keyword +process.parent.pe.go_import_hash: + dashed_name: process-parent-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in an ELF file. + type: keyword +process.parent.pe.go_imports: + dashed_name: process-parent-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +process.parent.pe.go_imports_names_entropy: + dashed_name: process-parent-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +process.parent.pe.go_imports_names_var_entropy: + dashed_name: process-parent-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.parent.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.parent.pe.go_stripped: + dashed_name: process-parent-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean process.parent.pe.imphash: dashed_name: process-parent-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- 
@@ -9463,6 +10821,58 @@ process.parent.pe.imphash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword +process.parent.pe.import_hash: + dashed_name: process-parent-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in an ELF file. + type: keyword +process.parent.pe.imports: + dashed_name: process-parent-pe-imports + description: List of imported element names and types. + flat_name: process.parent.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened +process.parent.pe.imports_names_entropy: + dashed_name: process-parent-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.parent.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.parent.pe.imports_names_var_entropy: + dashed_name: process-parent-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. 
+ type: long process.parent.pe.original_file_name: dashed_name: process-parent-pe-original-file-name description: Internal name of the file, provided at compile-time. 
@@ -9503,6 +10913,75 @@ process.parent.pe.product: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword +process.parent.pe.sections: + dashed_name: process-parent-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: process.parent.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +process.parent.pe.sections.entropy: + dashed_name: process-parent-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +process.parent.pe.sections.name: + dashed_name: process-parent-pe-sections-name + description: PE Section List name. + flat_name: process.parent.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword +process.parent.pe.sections.physical_size: + dashed_name: process-parent-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.parent.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +process.parent.pe.sections.var_entropy: + dashed_name: process-parent-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. 
+ flat_name: process.parent.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +process.parent.pe.sections.virtual_size: + dashed_name: process-parent-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.parent.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long process.parent.pgid: dashed_name: process-parent-pgid description: 'Deprecated for removal in next major version release. This field is 
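Review bot: `process.parent.pe.sections.virtual_size` is declared `format: string` on a `type: long` field, while its sibling `physical_size` uses `format: bytes`; both sizes should use the same `bytes` format so Kibana renders them alike. The description "This is always the same as `physical_size`." also contradicts keeping both fields: if the two values were always equal one of them would be redundant, and in a PE a section's virtual size and raw (on-disk) size routinely differ, so the sentence should be dropped rather than left to mislead producers.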
@@ -9846,6 +11325,67 @@ process.pe.file_version: original_fieldset: pe short: Process name. type: keyword +process.pe.go_import_hash: + dashed_name: process-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in an ELF file. + type: keyword +process.pe.go_imports: + dashed_name: process-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +process.pe.go_imports_names_entropy: + dashed_name: process-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +process.pe.go_imports_names_var_entropy: + dashed_name: process-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.pe.go_stripped: + dashed_name: process-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean process.pe.imphash: dashed_name: process-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- 
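Review bot: `short` for `process.pe.go_import_hash` says "in an ELF file." while the field and its `description` are about a PE file; change it to "in a PE file.". `process.pe.go_imports` is described as a list but has `normalize: []`, whereas the `pe.imports` entries elsewhere in this file use `normalize: - array`; list-valued `flattened` fields should be normalized the same way. `go_stripped` defines `true` and `false` only for Go executables; the description should say the field is left unset for non-Go files, otherwise a `false` is ambiguous between "unstripped Go binary" and "not a Go binary".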
@@ -9862,6 +11402,58 @@ process.pe.imphash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword +process.pe.import_hash: + dashed_name: process-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in an ELF file. + type: keyword +process.pe.imports: + dashed_name: process-pe-imports + description: List of imported element names and types. + flat_name: process.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened +process.pe.imports_names_entropy: + dashed_name: process-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.pe.imports_names_var_entropy: + dashed_name: process-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. 
+ type: long process.pe.original_file_name: dashed_name: process-pe-original-file-name description: Internal name of the file, provided at compile-time. 
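Review bot: Same `short` mismatch as `process.parent.pe.import_hash`: `process.pe.import_hash` is a PE field but its `short` says "ELF file.". The `example` value `d41d8cd98f00b204e9800998ecf8427e` is the MD5 of empty input, i.e. the hash of a binary with no imports at all; an example taken from a real import table would illustrate the field better in the generated reference.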
@@ -9902,6 +11494,75 @@ process.pe.product: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword +process.pe.sections: + dashed_name: process-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: process.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +process.pe.sections.entropy: + dashed_name: process-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +process.pe.sections.name: + dashed_name: process-pe-sections-name + description: PE Section List name. + flat_name: process.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword +process.pe.sections.physical_size: + dashed_name: process-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +process.pe.sections.var_entropy: + dashed_name: process-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. 
+ type: long +process.pe.sections.virtual_size: + dashed_name: process-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long process.pgid: dashed_name: process-pgid description: 'Deprecated for removal in next major version release. This field is 
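Review bot: Same as `process.parent.pe.sections.virtual_size`: `format: string` on a `type: long` should be `bytes` to match `physical_size`, and the "always the same as `physical_size`" sentence should go.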
@@ -12891,22 +14552,83 @@ threat.enrichments.indicator.file.elf.creation_date: was built or compiled. It can also be faked by malware creators. flat_name: threat.enrichments.indicator.file.elf.creation_date level: extended - name: creation_date + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +threat.enrichments.indicator.file.elf.exports: + dashed_name: threat-enrichments-indicator-file-elf-exports + description: List of exported element names and types. + flat_name: threat.enrichments.indicator.file.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +threat.enrichments.indicator.file.elf.go_import_hash: + dashed_name: threat-enrichments-indicator-file-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: threat.enrichments.indicator.file.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword +threat.enrichments.indicator.file.elf.go_imports: + dashed_name: threat-enrichments-indicator-file-elf-go-imports + description: List of imported Go language element names and types. + flat_name: threat.enrichments.indicator.file.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. 
+ type: flattened +threat.enrichments.indicator.file.elf.go_imports_names_entropy: + dashed_name: threat-enrichments-indicator-file-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: threat.enrichments.indicator.file.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long +threat.enrichments.indicator.file.elf.go_imports_names_var_entropy: + dashed_name: threat-enrichments-indicator-file-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: threat.enrichments.indicator.file.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy normalize: [] original_fieldset: elf - short: Build or compile date. - type: date -threat.enrichments.indicator.file.elf.exports: - dashed_name: threat-enrichments-indicator-file-elf-exports - description: List of exported element names and types. - flat_name: threat.enrichments.indicator.file.elf.exports + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +threat.enrichments.indicator.file.elf.go_stripped: + dashed_name: threat-enrichments-indicator-file-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: threat.enrichments.indicator.file.elf.go_stripped level: extended - name: exports - normalize: - - array + name: go_stripped + normalize: [] original_fieldset: elf - short: List of exported element names and types. - type: flattened + short: Whether the file is a stripped or obfuscated Go executable. 
+ type: boolean threat.enrichments.indicator.file.elf.header.abi_version: dashed_name: threat-enrichments-indicator-file-elf-header-abi-version description: Version of the ELF Application Binary Interface (ABI). @@ -12995,6 +14717,22 @@ threat.enrichments.indicator.file.elf.header.version: original_fieldset: elf short: Version of the ELF header. type: keyword +threat.enrichments.indicator.file.elf.import_hash: + dashed_name: threat-enrichments-indicator-file-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: threat.enrichments.indicator.file.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword threat.enrichments.indicator.file.elf.imports: dashed_name: threat-enrichments-indicator-file-elf-imports description: List of imported element names and types. 
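Review bot: In the `@@ -12891` hunk the `-`/`+` churn around `creation_date` and `exports` is diff alignment only: every removed line is re-added unchanged further down, so the net change is the insertion of the `go_*` fields and reviewers should not read it as a change to `creation_date`. Within the inserted fields, `threat.enrichments.indicator.file.elf.go_imports` has `normalize: []` while the neighbouring `exports` list uses `normalize: - array`; pick one convention for list-valued `flattened` fields.

Review bot: In the `@@ -12995` hunk `threat.enrichments.indicator.file.elf.import_hash` calls itself "an ELF implementation of the Windows PE imphash" but does not say which import-table elements are hashed or how they are normalized (case, ordering, separators) before hashing; since the value only has meaning when two tools compute it identically, the description should link a reference algorithm the way `go_import_hash` links toutoumomoma.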
@@ -13006,6 +14744,31 @@ threat.enrichments.indicator.file.elf.imports: original_fieldset: elf short: List of imported element names and types. type: flattened +threat.enrichments.indicator.file.elf.imports_names_entropy: + dashed_name: threat-enrichments-indicator-file-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: threat.enrichments.indicator.file.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and types. + type: long +threat.enrichments.indicator.file.elf.imports_names_var_entropy: + dashed_name: threat-enrichments-indicator-file-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: threat.enrichments.indicator.file.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long threat.enrichments.indicator.file.elf.sections: dashed_name: threat-enrichments-indicator-file-elf-sections description: 'An array containing an object for each section of the ELF file. 
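Review bot: As with the PE entropy fields, `type: long` on `threat.enrichments.indicator.file.elf.imports_names_entropy` and `imports_names_var_entropy` truncates a fractional Shannon entropy; `double` fits the declared `format: number` better.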
@@ -13097,6 +14860,17 @@ threat.enrichments.indicator.file.elf.sections.type: original_fieldset: elf short: ELF Section List type. type: keyword +threat.enrichments.indicator.file.elf.sections.var_entropy: + dashed_name: threat-enrichments-indicator-file-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: threat.enrichments.indicator.file.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long threat.enrichments.indicator.file.elf.sections.virtual_address: dashed_name: threat-enrichments-indicator-file-elf-sections-virtual-address description: ELF Section List virtual address. 
@@ -13455,6 +15229,67 @@ threat.enrichments.indicator.file.pe.file_version: original_fieldset: pe short: Process name. type: keyword +threat.enrichments.indicator.file.pe.go_import_hash: + dashed_name: threat-enrichments-indicator-file-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: threat.enrichments.indicator.file.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in an ELF file. + type: keyword +threat.enrichments.indicator.file.pe.go_imports: + dashed_name: threat-enrichments-indicator-file-pe-go-imports + description: List of imported Go language element names and types. + flat_name: threat.enrichments.indicator.file.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +threat.enrichments.indicator.file.pe.go_imports_names_entropy: + dashed_name: threat-enrichments-indicator-file-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: threat.enrichments.indicator.file.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. 
+ type: long +threat.enrichments.indicator.file.pe.go_imports_names_var_entropy: + dashed_name: threat-enrichments-indicator-file-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: threat.enrichments.indicator.file.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +threat.enrichments.indicator.file.pe.go_stripped: + dashed_name: threat-enrichments-indicator-file-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: threat.enrichments.indicator.file.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean threat.enrichments.indicator.file.pe.imphash: dashed_name: threat-enrichments-indicator-file-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- 
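Review bot: Same three issues as `process.pe.go_*`: the `short` of `threat.enrichments.indicator.file.pe.go_import_hash` says "ELF file" for a PE field, `go_imports` is a list with `normalize: []`, and `go_stripped` does not say what is emitted for a non-Go file.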
@@ -13471,6 +15306,58 @@ threat.enrichments.indicator.file.pe.imphash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword +threat.enrichments.indicator.file.pe.import_hash: + dashed_name: threat-enrichments-indicator-file-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: threat.enrichments.indicator.file.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in an ELF file. + type: keyword +threat.enrichments.indicator.file.pe.imports: + dashed_name: threat-enrichments-indicator-file-pe-imports + description: List of imported element names and types. + flat_name: threat.enrichments.indicator.file.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened +threat.enrichments.indicator.file.pe.imports_names_entropy: + dashed_name: threat-enrichments-indicator-file-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: threat.enrichments.indicator.file.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +threat.enrichments.indicator.file.pe.imports_names_var_entropy: + dashed_name: threat-enrichments-indicator-file-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: threat.enrichments.indicator.file.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long threat.enrichments.indicator.file.pe.original_file_name: dashed_name: threat-enrichments-indicator-file-pe-original-file-name description: Internal name of the file, provided at compile-time. 
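Review bot: `short` of `threat.enrichments.indicator.file.pe.import_hash` says "ELF file" for a PE field, the same copy-paste as in the `process.*.pe.import_hash` entries; since this file is generated, all four copies should be fixed once in the source schema for the `pe` fieldset (`original_fieldset: pe`) rather than here.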
@@ -13511,6 +15398,75 @@ threat.enrichments.indicator.file.pe.product: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword +threat.enrichments.indicator.file.pe.sections: + dashed_name: threat-enrichments-indicator-file-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: threat.enrichments.indicator.file.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +threat.enrichments.indicator.file.pe.sections.entropy: + dashed_name: threat-enrichments-indicator-file-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: threat.enrichments.indicator.file.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +threat.enrichments.indicator.file.pe.sections.name: + dashed_name: threat-enrichments-indicator-file-pe-sections-name + description: PE Section List name. + flat_name: threat.enrichments.indicator.file.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword +threat.enrichments.indicator.file.pe.sections.physical_size: + dashed_name: threat-enrichments-indicator-file-pe-sections-physical-size + description: PE Section List physical size. + flat_name: threat.enrichments.indicator.file.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. 
+ type: long +threat.enrichments.indicator.file.pe.sections.var_entropy: + dashed_name: threat-enrichments-indicator-file-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: threat.enrichments.indicator.file.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +threat.enrichments.indicator.file.pe.sections.virtual_size: + dashed_name: threat-enrichments-indicator-file-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: threat.enrichments.indicator.file.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long threat.enrichments.indicator.file.size: dashed_name: threat-enrichments-indicator-file-size description: 'File size in bytes. 
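Review bot: Same as the `process.*.pe.sections.virtual_size` entries: `format: string` with `type: long` should be `bytes` to match `physical_size`, and the claim that it always equals `physical_size` does not hold for PE sections.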
@@ -15290,6 +17246,67 @@ threat.indicator.file.elf.exports: original_fieldset: elf short: List of exported element names and types. type: flattened +threat.indicator.file.elf.go_import_hash: + dashed_name: threat-indicator-file-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: threat.indicator.file.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword +threat.indicator.file.elf.go_imports: + dashed_name: threat-indicator-file-elf-go-imports + description: List of imported Go language element names and types. + flat_name: threat.indicator.file.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened +threat.indicator.file.elf.go_imports_names_entropy: + dashed_name: threat-indicator-file-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: threat.indicator.file.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long +threat.indicator.file.elf.go_imports_names_var_entropy: + dashed_name: threat-indicator-file-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: threat.indicator.file.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +threat.indicator.file.elf.go_stripped: + dashed_name: threat-indicator-file-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: threat.indicator.file.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean threat.indicator.file.elf.header.abi_version: dashed_name: threat-indicator-file-elf-header-abi-version description: Version of the ELF Application Binary Interface (ABI). @@ -15378,6 +17395,22 @@ threat.indicator.file.elf.header.version: original_fieldset: elf short: Version of the ELF header. type: keyword +threat.indicator.file.elf.import_hash: + dashed_name: threat-indicator-file-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: threat.indicator.file.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword threat.indicator.file.elf.imports: dashed_name: threat-indicator-file-elf-imports description: List of imported element names and types. 
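Review bot: For the `@@ -15290` hunk, `threat.indicator.file.elf.go_imports` again has `normalize: []` where the `elf.exports` list in the context lines uses `normalize: - array`, and `go_stripped` again leaves the non-Go case undefined; fix both at the source schema so every generated copy agrees.

Review bot: For the `@@ -15378` hunk, same as `threat.enrichments.indicator.file.elf.import_hash`: the description should specify the import normalization and link a reference algorithm, and the `example` is the MD5 of empty input rather than a representative import hash.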
@@ -15389,6 +17422,31 @@ threat.indicator.file.elf.imports: original_fieldset: elf short: List of imported element names and types. type: flattened +threat.indicator.file.elf.imports_names_entropy: + dashed_name: threat-indicator-file-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: threat.indicator.file.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and types. + type: long +threat.indicator.file.elf.imports_names_var_entropy: + dashed_name: threat-indicator-file-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: threat.indicator.file.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long threat.indicator.file.elf.sections: dashed_name: threat-indicator-file-elf-sections description: 'An array containing an object for each section of the ELF file. 
@@ -15480,6 +17538,17 @@ threat.indicator.file.elf.sections.type: original_fieldset: elf short: ELF Section List type. type: keyword +threat.indicator.file.elf.sections.var_entropy: + dashed_name: threat-indicator-file-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: threat.indicator.file.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long threat.indicator.file.elf.sections.virtual_address: dashed_name: threat-indicator-file-elf-sections-virtual-address description: ELF Section List virtual address. 
@@ -15838,6 +17907,67 @@ threat.indicator.file.pe.file_version: original_fieldset: pe short: Process name. type: keyword +threat.indicator.file.pe.go_import_hash: + dashed_name: threat-indicator-file-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: threat.indicator.file.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in an ELF file. + type: keyword +threat.indicator.file.pe.go_imports: + dashed_name: threat-indicator-file-pe-go-imports + description: List of imported Go language element names and types. + flat_name: threat.indicator.file.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +threat.indicator.file.pe.go_imports_names_entropy: + dashed_name: threat-indicator-file-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: threat.indicator.file.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +threat.indicator.file.pe.go_imports_names_var_entropy: + dashed_name: threat-indicator-file-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: threat.indicator.file.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +threat.indicator.file.pe.go_stripped: + dashed_name: threat-indicator-file-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: threat.indicator.file.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean threat.indicator.file.pe.imphash: dashed_name: threat-indicator-file-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- 
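Review bot: Same as `process.pe.go_*`: `short` of `threat.indicator.file.pe.go_import_hash` says "ELF file" for a PE field, `go_imports` is a list with `normalize: []`, and `go_stripped` does not say what is emitted for a non-Go file.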
@@ -15854,6 +17984,58 @@ threat.indicator.file.pe.imphash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword +threat.indicator.file.pe.import_hash: + dashed_name: threat-indicator-file-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: threat.indicator.file.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in an ELF file. + type: keyword +threat.indicator.file.pe.imports: + dashed_name: threat-indicator-file-pe-imports + description: List of imported element names and types. + flat_name: threat.indicator.file.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened +threat.indicator.file.pe.imports_names_entropy: + dashed_name: threat-indicator-file-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: threat.indicator.file.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +threat.indicator.file.pe.imports_names_var_entropy: + dashed_name: threat-indicator-file-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: threat.indicator.file.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long threat.indicator.file.pe.original_file_name: dashed_name: threat-indicator-file-pe-original-file-name description: Internal name of the file, provided at compile-time. 
@@ -15894,6 +18076,75 @@ threat.indicator.file.pe.product: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword +threat.indicator.file.pe.sections: + dashed_name: threat-indicator-file-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: threat.indicator.file.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +threat.indicator.file.pe.sections.entropy: + dashed_name: threat-indicator-file-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: threat.indicator.file.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +threat.indicator.file.pe.sections.name: + dashed_name: threat-indicator-file-pe-sections-name + description: PE Section List name. + flat_name: threat.indicator.file.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword +threat.indicator.file.pe.sections.physical_size: + dashed_name: threat-indicator-file-pe-sections-physical-size + description: PE Section List physical size. + flat_name: threat.indicator.file.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +threat.indicator.file.pe.sections.var_entropy: + dashed_name: threat-indicator-file-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. 
+ flat_name: threat.indicator.file.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +threat.indicator.file.pe.sections.virtual_size: + dashed_name: threat-indicator-file-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: threat.indicator.file.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long threat.indicator.file.size: dashed_name: threat-indicator-file-size description: 'File size in bytes. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 1214656eb3..b63b8115ef 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -2496,6 +2496,67 @@ dll: original_fieldset: pe short: Process name. type: keyword + dll.pe.go_import_hash: + dashed_name: dll-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: dll.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in an ELF file. + type: keyword + dll.pe.go_imports: + dashed_name: dll-pe-go-imports + description: List of imported Go language element names and types. + flat_name: dll.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + dll.pe.go_imports_names_entropy: + dashed_name: dll-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: dll.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long + dll.pe.go_imports_names_var_entropy: + dashed_name: dll-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: dll.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long + dll.pe.go_stripped: + dashed_name: dll-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: dll.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean dll.pe.imphash: dashed_name: dll-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash 
@@ -2512,6 +2573,59 @@ dll: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword + dll.pe.import_hash: + dashed_name: dll-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: dll.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in an ELF file. + type: keyword + dll.pe.imports: + dashed_name: dll-pe-imports + description: List of imported element names and types. + flat_name: dll.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened + dll.pe.imports_names_entropy: + dashed_name: dll-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: dll.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + dll.pe.imports_names_var_entropy: + dashed_name: dll-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: dll.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long dll.pe.original_file_name: dashed_name: dll-pe-original-file-name description: Internal name of the file, provided at compile-time. 
@@ -2552,6 +2666,75 @@ dll: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword + dll.pe.sections: + dashed_name: dll-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: dll.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested + dll.pe.sections.entropy: + dashed_name: dll-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: dll.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long + dll.pe.sections.name: + dashed_name: dll-pe-sections-name + description: PE Section List name. + flat_name: dll.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword + dll.pe.sections.physical_size: + dashed_name: dll-pe-sections-physical-size + description: PE Section List physical size. + flat_name: dll.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + dll.pe.sections.var_entropy: + dashed_name: dll-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: dll.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + dll.pe.sections.virtual_size: + dashed_name: dll-pe-sections-virtual-size + description: PE Section List virtual size. 
This is always the same as `physical_size`. + flat_name: dll.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long group: 2 name: dll nestings: 
@@ -2928,6 +3111,62 @@ elf: - array short: List of exported element names and types. type: flattened + elf.go_import_hash: + dashed_name: elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + short: A hash of the Go language imports in an ELF file. + type: keyword + elf.go_imports: + dashed_name: elf-go-imports + description: List of imported Go language element names and types. + flat_name: elf.go_imports + level: extended + name: go_imports + normalize: [] + short: List of imported Go language element names and types. + type: flattened + elf.go_imports_names_entropy: + dashed_name: elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + short: Shannon entropy calculation from the list of Go imports. + type: long + elf.go_imports_names_var_entropy: + dashed_name: elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long + elf.go_stripped: + dashed_name: elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: elf.go_stripped + level: extended + name: go_stripped + normalize: [] + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean elf.header.abi_version: dashed_name: elf-header-abi-version description: Version of the ELF Application Binary Interface (ABI). @@ -3008,6 +3247,21 @@ elf: normalize: [] short: Version of the ELF header. type: keyword + elf.import_hash: + dashed_name: elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + short: A hash of the imports in an ELF file. + type: keyword elf.imports: dashed_name: elf-imports description: List of imported element names and types. 
@@ -3018,6 +3272,30 @@ elf: - array short: List of imported element names and types. type: flattened + elf.imports_names_entropy: + dashed_name: elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + elf.imports_names_var_entropy: + dashed_name: elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long elf.sections: dashed_name: elf-sections description: 'An array containing an object for each section of the ELF file. @@ -3101,6 +3379,16 @@ elf: normalize: [] short: ELF Section List type. type: keyword + elf.sections.var_entropy: + dashed_name: elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + short: Variance for Shannon entropy calculation from the section. + type: long elf.sections.virtual_address: dashed_name: elf-sections-virtual-address description: ELF Section List virtual address. 
@@ -4815,6 +5103,67 @@ file: original_fieldset: elf short: List of exported element names and types. type: flattened + file.elf.go_import_hash: + dashed_name: file-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: file.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword + file.elf.go_imports: + dashed_name: file-elf-go-imports + description: List of imported Go language element names and types. + flat_name: file.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened + file.elf.go_imports_names_entropy: + dashed_name: file-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: file.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long + file.elf.go_imports_names_var_entropy: + dashed_name: file-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: file.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + file.elf.go_stripped: + dashed_name: file-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: file.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean file.elf.header.abi_version: dashed_name: file-elf-header-abi-version description: Version of the ELF Application Binary Interface (ABI). @@ -4903,6 +5252,22 @@ file: original_fieldset: elf short: Version of the ELF header. type: keyword + file.elf.import_hash: + dashed_name: file-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: file.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword file.elf.imports: dashed_name: file-elf-imports description: List of imported element names and types. 
@@ -4914,6 +5279,32 @@ file: original_fieldset: elf short: List of imported element names and types. type: flattened + file.elf.imports_names_entropy: + dashed_name: file-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: file.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + file.elf.imports_names_var_entropy: + dashed_name: file-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: file.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long file.elf.sections: dashed_name: file-elf-sections description: 'An array containing an object for each section of the ELF file. @@ -5005,6 +5396,17 @@ file: original_fieldset: elf short: ELF Section List type. type: keyword + file.elf.sections.var_entropy: + dashed_name: file-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: file.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long file.elf.sections.virtual_address: dashed_name: file-elf-sections-virtual-address description: ELF Section List virtual address. 
@@ -5233,6 +5635,205 @@ file: normalize: [] short: Inode representing the file in the filesystem. type: keyword + file.macho.go_import_hash: + dashed_name: file-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: file.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in an ELF file. + type: keyword + file.macho.go_imports: + dashed_name: file-macho-go-imports + description: List of imported Go language element names and types. + flat_name: file.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened + file.macho.go_imports_names_entropy: + dashed_name: file-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: file.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long + file.macho.go_imports_names_var_entropy: + dashed_name: file-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: file.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + file.macho.go_stripped: + dashed_name: file-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: file.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + file.macho.import_hash: + dashed_name: file-macho-import-hash + description: 'A hash of the imports in an Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: file.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in an ELF file. + type: keyword + file.macho.imports: + dashed_name: file-macho-imports + description: List of imported element names and types. + flat_name: file.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened + file.macho.imports_names_entropy: + dashed_name: file-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: file.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. 
+ type: long + file.macho.imports_names_var_entropy: + dashed_name: file-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: file.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + file.macho.sections: + dashed_name: file-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: file.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested + file.macho.sections.entropy: + dashed_name: file-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: file.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long + file.macho.sections.name: + dashed_name: file-macho-sections-name + description: Mach-O Section List name. + flat_name: file.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword + file.macho.sections.physical_size: + dashed_name: file-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: file.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. 
+ type: long + file.macho.sections.var_entropy: + dashed_name: file-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: file.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long + file.macho.sections.virtual_size: + dashed_name: file-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: file.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long + file.macho.symhash: + dashed_name: file-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: file.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword file.mime_type: dashed_name: file-mime-type description: MIME type should identify the format of the file or stream of bytes 
@@ -5352,22 +5953,136 @@ file: original_fieldset: pe short: Process name. type: keyword - file.pe.imphash: - dashed_name: file-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. + file.pe.go_import_hash: + dashed_name: file-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: file.pe.imphash + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: file.pe.go_import_hash ignore_above: 1024 level: extended - name: imphash + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in an ELF file. + type: keyword + file.pe.go_imports: + dashed_name: file-pe-go-imports + description: List of imported Go language element names and types. + flat_name: file.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + file.pe.go_imports_names_entropy: + dashed_name: file-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. 
+ flat_name: file.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long + file.pe.go_imports_names_var_entropy: + dashed_name: file-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: file.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + file.pe.go_stripped: + dashed_name: file-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: file.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + file.pe.imphash: + dashed_name: file-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: file.pe.imphash + ignore_above: 1024 + level: extended + name: imphash normalize: [] original_fieldset: pe short: A hash of the imports in a PE file. type: keyword + file.pe.import_hash: + dashed_name: file-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. 
+ + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: file.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in an ELF file. + type: keyword + file.pe.imports: + dashed_name: file-pe-imports + description: List of imported element names and types. + flat_name: file.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened + file.pe.imports_names_entropy: + dashed_name: file-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: file.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + file.pe.imports_names_var_entropy: + dashed_name: file-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: file.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long file.pe.original_file_name: dashed_name: file-pe-original-file-name description: Internal name of the file, provided at compile-time. 
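Review bot: the `short` of `file.pe.go_import_hash` and of `file.pe.import_hash` reads "in an ELF file" although both fields live under the PE fieldset and their own `description` says PE; these look copied from the ELF definitions and should say "in a PE file". Two smaller points in the same hunk: `file.pe.go_imports` is described as a list but carries `normalize: []`, while `file.pe.imports` carries `normalize: - array`, so one of the two is inconsistent; and the `file.pe.import_hash` example `d41d8cd98f00b204e9800998ecf8427e` is the MD5 of empty input, i.e. the value a binary with no imports at all would produce, so a hash computed over a real import table would be a more useful example. Since this file is generated output, the corrections belong in the source schema under `schemas/` so they survive the next regeneration.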
@@ -5408,6 +6123,75 @@ file: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword + file.pe.sections: + dashed_name: file-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: file.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested + file.pe.sections.entropy: + dashed_name: file-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: file.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long + file.pe.sections.name: + dashed_name: file-pe-sections-name + description: PE Section List name. + flat_name: file.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword + file.pe.sections.physical_size: + dashed_name: file-pe-sections-physical-size + description: PE Section List physical size. + flat_name: file.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + file.pe.sections.var_entropy: + dashed_name: file-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: file.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + file.pe.sections.virtual_size: + dashed_name: file-pe-sections-virtual-size + description: PE Section List virtual size. 
This is always the same as `physical_size`. + flat_name: file.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long file.size: dashed_name: file-size description: 'File size in bytes. @@ -5768,6 +6552,7 @@ file: - file.code_signature - file.elf - file.hash + - file.macho - file.pe - file.x509 prefix: file. @@ -5797,6 +6582,10 @@ file: full: file.elf schema_name: elf short: These fields contain Linux Executable Linkable Format (ELF) metadata. + - beta: This field reuse is beta and subject to change. + full: file.macho + schema_name: macho + short: These fields contain Mac OS Mach Object file format (Mach-O) metadata. short: Fields describing files. title: File type: group 
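Review bot: `file.pe.sections.virtual_size` is declared `type: long` but `format: string`, while its sibling `physical_size` uses `format: bytes`; `string` formatting on a size field is almost certainly a typo and the two should match. The sentence "This is always the same as `physical_size`" is also doubtful for PE: the PE section header stores VirtualSize and SizeOfRawData as separate values that routinely differ (file-alignment padding, uninitialized data), and the gap between them is something analysts actively compare, so either document the real semantics or drop a field that is documented as redundant. Separately, `sections.entropy` and `sections.var_entropy` are `type: long` with `format: number`; Shannon entropy is fractional (0 to 8 bits for byte data), so a `long` truncates it unless producers pre-scale, and the description should say which.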
@@ -7202,6 +7991,210 @@ log: short: Details about the event's logging mechanism. title: Log type: group +macho: + beta: These fields are in beta and are subject to change. + description: These fields contain Mac OS Mach Object file format (Mach-O) metadata. + fields: + macho.go_import_hash: + dashed_name: macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + short: A hash of the Go language imports in an ELF file. + type: keyword + macho.go_imports: + dashed_name: macho-go-imports + description: List of imported Go language element names and types. + flat_name: macho.go_imports + level: extended + name: go_imports + normalize: [] + short: List of imported Go language element names and types. + type: flattened + macho.go_imports_names_entropy: + dashed_name: macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + short: Shannon entropy calculation from the list of Go imports. + type: long + macho.go_imports_names_var_entropy: + dashed_name: macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + macho.go_stripped: + dashed_name: macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: macho.go_stripped + level: extended + name: go_stripped + normalize: [] + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + macho.import_hash: + dashed_name: macho-import-hash + description: 'A hash of the imports in an Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + short: A hash of the imports in an ELF file. + type: keyword + macho.imports: + dashed_name: macho-imports + description: List of imported element names and types. + flat_name: macho.imports + level: extended + name: imports + normalize: + - array + short: List of imported element names and types. + type: flattened + macho.imports_names_entropy: + dashed_name: macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + macho.imports_names_var_entropy: + dashed_name: macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + macho.sections: + dashed_name: macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: macho.sections + level: extended + name: sections + normalize: + - array + short: Section information of the Mach-O file. + type: nested + macho.sections.entropy: + dashed_name: macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + short: Shannon entropy calculation from the section. + type: long + macho.sections.name: + dashed_name: macho-sections-name + description: Mach-O Section List name. + flat_name: macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + short: Mach-O Section List name. + type: keyword + macho.sections.physical_size: + dashed_name: macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + short: Mach-O Section List physical size. + type: long + macho.sections.var_entropy: + dashed_name: macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + short: Variance for Shannon entropy calculation from the section. + type: long + macho.sections.virtual_size: + dashed_name: macho-sections-virtual-size + description: Mach-O Section List virtual size. 
This is always the same as `physical_size`. + flat_name: macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long + macho.symhash: + dashed_name: macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + short: A hash of the imports in a Mach-O file. + type: keyword + group: 2 + name: macho + prefix: macho. + reusable: + expected: + - as: macho + at: file + beta: This field reuse is beta and subject to change. + full: file.macho + - as: macho + at: process + beta: This field reuse is beta and subject to change. + full: process.macho + top_level: false + short: These fields contain Mac OS Mach Object file format (Mach-O) metadata. + title: Mach-O Header + type: group network: description: 'The network is defined as the communication path over which a host or network event happens. 
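Review bot: several copy-paste slips in the new `macho` fieldset: `macho.go_import_hash` and `macho.import_hash` have `short: ... in an ELF file` and should say Mach-O; the `macho.import_hash` description reads "in an Mach-O file" (should be "a Mach-O file"); and the `macho.symhash` description ends without a period ("...the Windows PE imphash"), unlike every other description. `macho.sections.virtual_size` has `type: long` with `format: string` while `physical_size` uses `format: bytes`, and its "always the same as `physical_size`" claim should be verified against Mach-O zero-fill sections, which occupy virtual size without file bytes. Finally, `macho.go_imports` (`normalize: []`) and `macho.imports` (`normalize: - array`) disagree on whether these lists are arrays. These should be fixed in `schemas/macho.yml`, not in the generated file.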
@@ -8550,6 +9543,62 @@ pe: normalize: [] short: Process name. type: keyword + pe.go_import_hash: + dashed_name: pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + short: A hash of the Go language imports in an ELF file. + type: keyword + pe.go_imports: + dashed_name: pe-go-imports + description: List of imported Go language element names and types. + flat_name: pe.go_imports + level: extended + name: go_imports + normalize: [] + short: List of imported Go language element names and types. + type: flattened + pe.go_imports_names_entropy: + dashed_name: pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + short: Shannon entropy calculation from the list of Go imports. + type: long + pe.go_imports_names_var_entropy: + dashed_name: pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long + pe.go_stripped: + dashed_name: pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: pe.go_stripped + level: extended + name: go_stripped + normalize: [] + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean pe.imphash: dashed_name: pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash 
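Review bot: `pe.go_import_hash` has `short: A hash of the Go language imports in an ELF file.` under the PE fieldset; it should read "in a PE file" to match its `description`. Also `pe.go_imports` is documented as a list but has `normalize: []`, which should be `- array` if producers emit it as one.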
@@ -8565,6 +9614,55 @@ pe: normalize: [] short: A hash of the imports in a PE file. type: keyword + pe.import_hash: + dashed_name: pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + short: A hash of the imports in an ELF file. + type: keyword + pe.imports: + dashed_name: pe-imports + description: List of imported element names and types. + flat_name: pe.imports + level: extended + name: imports + normalize: + - array + short: List of imported element names and types. + type: flattened + pe.imports_names_entropy: + dashed_name: pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + pe.imports_names_var_entropy: + dashed_name: pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long pe.original_file_name: dashed_name: pe-original-file-name description: Internal name of the file, provided at compile-time. 
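Review bot: `pe.import_hash` has `short: A hash of the imports in an ELF file.` but is a PE field whose description already says "in a PE file"; the `short` should match. The `example` value `d41d8cd98f00b204e9800998ecf8427e` is the MD5 of empty input, so it illustrates a binary with no imports rather than a typical hash; a value taken from a real import table would serve readers better.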
@@ -8602,37 +9700,100 @@ pe: normalize: [] short: Internal product name of the file, provided at compile-time. type: keyword - group: 2 - name: pe - prefix: pe. - reusable: - expected: - - as: pe - at: file - full: file.pe - - as: pe - at: dll - full: dll.pe - - as: pe - at: process - full: process.pe - top_level: false - short: These fields contain Windows Portable Executable (PE) metadata. - title: PE Header - type: group -process: - description: 'These fields contain information about a process. - - These fields can help you correlate metrics information with a process id/name - from a log message. The `process.pid` often stays in the metric itself and is - copied to the global field for correlation.' - fields: - process.args: - dashed_name: process-args - description: 'Array of process arguments, starting with the absolute path to - the executable. + pe.sections: + dashed_name: pe-sections + description: 'An array containing an object for each section of the PE file. - May be filtered to protect sensitive information.' + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: pe.sections + level: extended + name: sections + normalize: + - array + short: Section information of the PE file. + type: nested + pe.sections.entropy: + dashed_name: pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + short: Shannon entropy calculation from the section. + type: long + pe.sections.name: + dashed_name: pe-sections-name + description: PE Section List name. + flat_name: pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + short: PE Section List name. + type: keyword + pe.sections.physical_size: + dashed_name: pe-sections-physical-size + description: PE Section List physical size. 
+ flat_name: pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + short: PE Section List physical size. + type: long + pe.sections.var_entropy: + dashed_name: pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + short: Variance for Shannon entropy calculation from the section. + type: long + pe.sections.virtual_size: + dashed_name: pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long + group: 2 + name: pe + prefix: pe. + reusable: + expected: + - as: pe + at: file + full: file.pe + - as: pe + at: dll + full: dll.pe + - as: pe + at: process + full: process.pe + top_level: false + short: These fields contain Windows Portable Executable (PE) metadata. + title: PE Header + type: group +process: + description: 'These fields contain information about a process. + + These fields can help you correlate metrics information with a process id/name + from a log message. The `process.pid` often stays in the metric itself and is + copied to the global field for correlation.' + fields: + process.args: + dashed_name: process-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' flat_name: process.args ignore_above: 1024 
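Review bot: `pe.sections.virtual_size` is `type: long` with `format: string`, whereas `pe.sections.physical_size` uses `format: bytes`; the formats should agree. The large removed-and-re-added block from `group: 2` through `process.args` is byte-for-byte unchanged and is only diff displacement caused by the inserted `pe.sections.*` fields, so nothing there needs attention, but reviewers should confirm no real edit is hiding in it.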
@@ -8855,6 +10016,67 @@ process: original_fieldset: elf short: List of exported element names and types. type: flattened + process.elf.go_import_hash: + dashed_name: process-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword + process.elf.go_imports: + dashed_name: process-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened + process.elf.go_imports_names_entropy: + dashed_name: process-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long + process.elf.go_imports_names_var_entropy: + dashed_name: process-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.elf.go_stripped: + dashed_name: process-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean process.elf.header.abi_version: dashed_name: process-elf-header-abi-version description: Version of the ELF Application Binary Interface (ABI). @@ -8943,6 +10165,22 @@ process: original_fieldset: elf short: Version of the ELF header. type: keyword + process.elf.import_hash: + dashed_name: process-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword process.elf.imports: dashed_name: process-elf-imports description: List of imported element names and types. 
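Review bot: `process.elf.go_stripped` is documented only for the two Go cases ("true if ... stripped or obfuscated and false if an unobfuscated Go executable") and does not say what a producer should emit for a non-Go ELF; stating that the field is left unset (rather than `false`) for non-Go binaries would avoid consumers reading "false" as "unstripped Go". The `process.elf.go_imports_names_entropy` and `..._var_entropy` fields are `type: long` with `format: number`; entropy is fractional, so either switch to a floating type or document the scaling producers must apply.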
@@ -8954,6 +10192,32 @@ process: original_fieldset: elf short: List of imported element names and types. type: flattened + process.elf.imports_names_entropy: + dashed_name: process-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.elf.imports_names_var_entropy: + dashed_name: process-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long process.elf.sections: dashed_name: process-elf-sections description: 'An array containing an object for each section of the ELF file. @@ -9045,6 +10309,17 @@ process: original_fieldset: elf short: ELF Section List type. type: keyword + process.elf.sections.var_entropy: + dashed_name: process-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long process.elf.sections.virtual_address: dashed_name: process-elf-sections-virtual-address description: ELF Section List virtual address. 
@@ -10366,6 +11641,205 @@ process: normalize: [] short: The type of object on which the IO action (read or write) was taken. type: keyword + process.macho.go_import_hash: + dashed_name: process-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in an ELF file. + type: keyword + process.macho.go_imports: + dashed_name: process-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened + process.macho.go_imports_names_entropy: + dashed_name: process-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long + process.macho.go_imports_names_var_entropy: + dashed_name: process-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.macho.go_stripped: + dashed_name: process-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.macho.import_hash: + dashed_name: process-macho-import-hash + description: 'A hash of the imports in an Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in an ELF file. + type: keyword + process.macho.imports: + dashed_name: process-macho-imports + description: List of imported element names and types. + flat_name: process.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened + process.macho.imports_names_entropy: + dashed_name: process-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.macho.imports_names_var_entropy: + dashed_name: process-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.macho.sections: + dashed_name: process-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: process.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested + process.macho.sections.entropy: + dashed_name: process-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long + process.macho.sections.name: + dashed_name: process-macho-sections-name + description: Mach-O Section List name. + flat_name: process.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. 
+ type: keyword + process.macho.sections.physical_size: + dashed_name: process-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long + process.macho.sections.var_entropy: + dashed_name: process-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long + process.macho.sections.virtual_size: + dashed_name: process-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long + process.macho.symhash: + dashed_name: process-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword process.name: dashed_name: process-name description: 'Process name. 
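Review bot: the reused `process.macho.*` copy carries the same defects as the base fieldset: `process.macho.go_import_hash` and `process.macho.import_hash` say "in an ELF file" in their `short`, `process.macho.import_hash` says "in an Mach-O file", `process.macho.symhash` lacks a trailing period, and `process.macho.sections.virtual_size` mixes `type: long` with `format: string`. Because these are generated from the `macho` schema via `reusable.expected`, a single fix in `schemas/macho.yml` followed by regeneration corrects both this block and the `file.macho.*` copy.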
@@ -10614,6 +12088,67 @@ process: original_fieldset: elf short: List of exported element names and types. type: flattened + process.parent.elf.go_import_hash: + dashed_name: process-parent-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword + process.parent.elf.go_imports: + dashed_name: process-parent-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened + process.parent.elf.go_imports_names_entropy: + dashed_name: process-parent-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long + process.parent.elf.go_imports_names_var_entropy: + dashed_name: process-parent-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.parent.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.parent.elf.go_stripped: + dashed_name: process-parent-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean process.parent.elf.header.abi_version: dashed_name: process-parent-elf-header-abi-version description: Version of the ELF Application Binary Interface (ABI). @@ -10702,6 +12237,22 @@ process: original_fieldset: elf short: Version of the ELF header. type: keyword + process.parent.elf.import_hash: + dashed_name: process-parent-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword process.parent.elf.imports: dashed_name: process-parent-elf-imports description: List of imported element names and types. 
@@ -10713,6 +12264,32 @@ process: original_fieldset: elf short: List of imported element names and types. type: flattened + process.parent.elf.imports_names_entropy: + dashed_name: process-parent-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.parent.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.parent.elf.imports_names_var_entropy: + dashed_name: process-parent-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long process.parent.elf.sections: dashed_name: process-parent-elf-sections description: 'An array containing an object for each section of the ELF file. @@ -10804,6 +12381,17 @@ process: original_fieldset: elf short: ELF Section List type. type: keyword + process.parent.elf.sections.var_entropy: + dashed_name: process-parent-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long process.parent.elf.sections.virtual_address: dashed_name: process-parent-elf-sections-virtual-address description: ELF Section List virtual address. 
@@ -11072,43 +12660,242 @@ process: flat_name: process.parent.hash.ssdeep ignore_above: 1024 level: extended - name: ssdeep + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword + process.parent.hash.tlsh: + dashed_name: process-parent-hash-tlsh + description: TLSH hash. + flat_name: process.parent.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword + process.parent.interactive: + dashed_name: process-parent-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.parent.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.parent.macho.go_import_hash: + dashed_name: process-parent-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' 
+ example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in an ELF file. + type: keyword + process.parent.macho.go_imports: + dashed_name: process-parent-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened + process.parent.macho.go_imports_names_entropy: + dashed_name: process-parent-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long + process.parent.macho.go_imports_names_var_entropy: + dashed_name: process-parent-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.parent.macho.go_stripped: + dashed_name: process-parent-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. 
+ type: boolean + process.parent.macho.import_hash: + dashed_name: process-parent-macho-import-hash + description: 'A hash of the imports in an Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in an ELF file. + type: keyword + process.parent.macho.imports: + dashed_name: process-parent-macho-imports + description: List of imported element names and types. + flat_name: process.parent.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened + process.parent.macho.imports_names_entropy: + dashed_name: process-parent-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.parent.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.parent.macho.imports_names_var_entropy: + dashed_name: process-parent-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. 
+ type: long + process.parent.macho.sections: + dashed_name: process-parent-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: process.parent.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested + process.parent.macho.sections.entropy: + dashed_name: process-parent-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long + process.parent.macho.sections.name: + dashed_name: process-parent-macho-sections-name + description: Mach-O Section List name. + flat_name: process.parent.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name normalize: [] - original_fieldset: hash - short: SSDEEP hash. + original_fieldset: macho + short: Mach-O Section List name. type: keyword - process.parent.hash.tlsh: - dashed_name: process-parent-hash-tlsh - description: TLSH hash. - flat_name: process.parent.hash.tlsh - ignore_above: 1024 + process.parent.macho.sections.physical_size: + dashed_name: process-parent-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.parent.macho.sections.physical_size + format: bytes level: extended - name: tlsh + name: sections.physical_size normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword - process.parent.interactive: - dashed_name: process-parent-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. 
If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. + original_fieldset: macho + short: Mach-O Section List physical size. + type: long + process.parent.macho.sections.var_entropy: + dashed_name: process-parent-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long + process.parent.macho.sections.virtual_size: + dashed_name: process-parent-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.parent.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long + process.parent.macho.symhash: + dashed_name: process-parent-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' 
- example: true - flat_name: process.parent.interactive + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.parent.macho.symhash + ignore_above: 1024 level: extended - name: interactive + name: symhash normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword process.parent.name: dashed_name: process-parent-name description: 'Process name. 
@@ -11175,6 +12962,67 @@ process: original_fieldset: pe short: Process name. type: keyword + process.parent.pe.go_import_hash: + dashed_name: process-parent-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in an ELF file. + type: keyword + process.parent.pe.go_imports: + dashed_name: process-parent-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + process.parent.pe.go_imports_names_entropy: + dashed_name: process-parent-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long + process.parent.pe.go_imports_names_var_entropy: + dashed_name: process-parent-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.parent.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.parent.pe.go_stripped: + dashed_name: process-parent-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean process.parent.pe.imphash: dashed_name: process-parent-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash 
@@ -11191,6 +13039,59 @@ process: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword + process.parent.pe.import_hash: + dashed_name: process-parent-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in an ELF file. + type: keyword + process.parent.pe.imports: + dashed_name: process-parent-pe-imports + description: List of imported element names and types. + flat_name: process.parent.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened + process.parent.pe.imports_names_entropy: + dashed_name: process-parent-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.parent.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.parent.pe.imports_names_var_entropy: + dashed_name: process-parent-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. 
+ type: long process.parent.pe.original_file_name: dashed_name: process-parent-pe-original-file-name description: Internal name of the file, provided at compile-time. 
@@ -11231,6 +13132,75 @@ process: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword + process.parent.pe.sections: + dashed_name: process-parent-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: process.parent.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested + process.parent.pe.sections.entropy: + dashed_name: process-parent-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long + process.parent.pe.sections.name: + dashed_name: process-parent-pe-sections-name + description: PE Section List name. + flat_name: process.parent.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword + process.parent.pe.sections.physical_size: + dashed_name: process-parent-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.parent.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + process.parent.pe.sections.var_entropy: + dashed_name: process-parent-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. 
+ flat_name: process.parent.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + process.parent.pe.sections.virtual_size: + dashed_name: process-parent-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.parent.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long process.parent.pgid: dashed_name: process-parent-pgid description: 'Deprecated for removal in next major version release. This field 
@@ -11574,6 +13544,67 @@ process: original_fieldset: pe short: Process name. type: keyword + process.pe.go_import_hash: + dashed_name: process-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in an ELF file. + type: keyword + process.pe.go_imports: + dashed_name: process-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + process.pe.go_imports_names_entropy: + dashed_name: process-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long + process.pe.go_imports_names_var_entropy: + dashed_name: process-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.pe.go_stripped: + dashed_name: process-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean process.pe.imphash: dashed_name: process-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash 
@@ -11590,6 +13621,59 @@ process: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword + process.pe.import_hash: + dashed_name: process-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in an ELF file. + type: keyword + process.pe.imports: + dashed_name: process-pe-imports + description: List of imported element names and types. + flat_name: process.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened + process.pe.imports_names_entropy: + dashed_name: process-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.pe.imports_names_var_entropy: + dashed_name: process-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. 
+ type: long process.pe.original_file_name: dashed_name: process-pe-original-file-name description: Internal name of the file, provided at compile-time. 
@@ -11630,6 +13714,75 @@ process: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword + process.pe.sections: + dashed_name: process-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: process.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested + process.pe.sections.entropy: + dashed_name: process-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long + process.pe.sections.name: + dashed_name: process-pe-sections-name + description: PE Section List name. + flat_name: process.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword + process.pe.sections.physical_size: + dashed_name: process-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + process.pe.sections.var_entropy: + dashed_name: process-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. 
+ type: long + process.pe.sections.virtual_size: + dashed_name: process-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long process.pgid: dashed_name: process-pgid description: 'Deprecated for removal in next major version release. This field @@ -12493,6 +14646,7 @@ process: - process.group - process.group_leader - process.hash + - process.macho - process.parent - process.parent.group_leader - process.pe @@ -12596,6 +14750,10 @@ process: full: process.elf schema_name: elf short: These fields contain Linux Executable Linkable Format (ELF) metadata. + - beta: This field reuse is beta and subject to change. + full: process.macho + schema_name: macho + short: These fields contain Mac OS Mach Object file format (Mach-O) metadata. - full: process.entry_meta.source schema_name: source short: Remote client information such as ip, port and geo location. 
@@ -15060,22 +17218,83 @@ threat: it was built or compiled. It can also be faked by malware creators. flat_name: threat.enrichments.indicator.file.elf.creation_date level: extended - name: creation_date + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + threat.enrichments.indicator.file.elf.exports: + dashed_name: threat-enrichments-indicator-file-elf-exports + description: List of exported element names and types. + flat_name: threat.enrichments.indicator.file.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + threat.enrichments.indicator.file.elf.go_import_hash: + dashed_name: threat-enrichments-indicator-file-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: threat.enrichments.indicator.file.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword + threat.enrichments.indicator.file.elf.go_imports: + dashed_name: threat-enrichments-indicator-file-elf-go-imports + description: List of imported Go language element names and types. + flat_name: threat.enrichments.indicator.file.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. 
+ type: flattened + threat.enrichments.indicator.file.elf.go_imports_names_entropy: + dashed_name: threat-enrichments-indicator-file-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: threat.enrichments.indicator.file.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long + threat.enrichments.indicator.file.elf.go_imports_names_var_entropy: + dashed_name: threat-enrichments-indicator-file-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: threat.enrichments.indicator.file.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy normalize: [] original_fieldset: elf - short: Build or compile date. - type: date - threat.enrichments.indicator.file.elf.exports: - dashed_name: threat-enrichments-indicator-file-elf-exports - description: List of exported element names and types. - flat_name: threat.enrichments.indicator.file.elf.exports + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + threat.enrichments.indicator.file.elf.go_stripped: + dashed_name: threat-enrichments-indicator-file-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: threat.enrichments.indicator.file.elf.go_stripped level: extended - name: exports - normalize: - - array + name: go_stripped + normalize: [] original_fieldset: elf - short: List of exported element names and types. - type: flattened + short: Whether the file is a stripped or obfuscated Go executable. 
+ type: boolean threat.enrichments.indicator.file.elf.header.abi_version: dashed_name: threat-enrichments-indicator-file-elf-header-abi-version description: Version of the ELF Application Binary Interface (ABI). @@ -15164,6 +17383,22 @@ threat: original_fieldset: elf short: Version of the ELF header. type: keyword + threat.enrichments.indicator.file.elf.import_hash: + dashed_name: threat-enrichments-indicator-file-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: threat.enrichments.indicator.file.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword threat.enrichments.indicator.file.elf.imports: dashed_name: threat-enrichments-indicator-file-elf-imports description: List of imported element names and types. 
@@ -15175,6 +17410,32 @@ threat: original_fieldset: elf short: List of imported element names and types. type: flattened + threat.enrichments.indicator.file.elf.imports_names_entropy: + dashed_name: threat-enrichments-indicator-file-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: threat.enrichments.indicator.file.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + threat.enrichments.indicator.file.elf.imports_names_var_entropy: + dashed_name: threat-enrichments-indicator-file-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: threat.enrichments.indicator.file.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long threat.enrichments.indicator.file.elf.sections: dashed_name: threat-enrichments-indicator-file-elf-sections description: 'An array containing an object for each section of the ELF file. 
@@ -15266,6 +17527,17 @@ threat: original_fieldset: elf short: ELF Section List type. type: keyword + threat.enrichments.indicator.file.elf.sections.var_entropy: + dashed_name: threat-enrichments-indicator-file-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: threat.enrichments.indicator.file.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long threat.enrichments.indicator.file.elf.sections.virtual_address: dashed_name: threat-enrichments-indicator-file-elf-sections-virtual-address description: ELF Section List virtual address. 
@@ -15624,6 +17896,67 @@ threat: original_fieldset: pe short: Process name. type: keyword + threat.enrichments.indicator.file.pe.go_import_hash: + dashed_name: threat-enrichments-indicator-file-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: threat.enrichments.indicator.file.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in an ELF file. + type: keyword + threat.enrichments.indicator.file.pe.go_imports: + dashed_name: threat-enrichments-indicator-file-pe-go-imports + description: List of imported Go language element names and types. + flat_name: threat.enrichments.indicator.file.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + threat.enrichments.indicator.file.pe.go_imports_names_entropy: + dashed_name: threat-enrichments-indicator-file-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: threat.enrichments.indicator.file.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. 
+ type: long + threat.enrichments.indicator.file.pe.go_imports_names_var_entropy: + dashed_name: threat-enrichments-indicator-file-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: threat.enrichments.indicator.file.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + threat.enrichments.indicator.file.pe.go_stripped: + dashed_name: threat-enrichments-indicator-file-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: threat.enrichments.indicator.file.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean threat.enrichments.indicator.file.pe.imphash: dashed_name: threat-enrichments-indicator-file-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash 
@@ -15640,6 +17973,59 @@ threat: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword + threat.enrichments.indicator.file.pe.import_hash: + dashed_name: threat-enrichments-indicator-file-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: threat.enrichments.indicator.file.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in an ELF file. + type: keyword + threat.enrichments.indicator.file.pe.imports: + dashed_name: threat-enrichments-indicator-file-pe-imports + description: List of imported element names and types. + flat_name: threat.enrichments.indicator.file.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened + threat.enrichments.indicator.file.pe.imports_names_entropy: + dashed_name: threat-enrichments-indicator-file-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: threat.enrichments.indicator.file.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + threat.enrichments.indicator.file.pe.imports_names_var_entropy: + dashed_name: threat-enrichments-indicator-file-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: threat.enrichments.indicator.file.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long threat.enrichments.indicator.file.pe.original_file_name: dashed_name: threat-enrichments-indicator-file-pe-original-file-name description: Internal name of the file, provided at compile-time. 
@@ -15680,6 +18066,75 @@ threat: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword + threat.enrichments.indicator.file.pe.sections: + dashed_name: threat-enrichments-indicator-file-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: threat.enrichments.indicator.file.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested + threat.enrichments.indicator.file.pe.sections.entropy: + dashed_name: threat-enrichments-indicator-file-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: threat.enrichments.indicator.file.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long + threat.enrichments.indicator.file.pe.sections.name: + dashed_name: threat-enrichments-indicator-file-pe-sections-name + description: PE Section List name. + flat_name: threat.enrichments.indicator.file.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword + threat.enrichments.indicator.file.pe.sections.physical_size: + dashed_name: threat-enrichments-indicator-file-pe-sections-physical-size + description: PE Section List physical size. + flat_name: threat.enrichments.indicator.file.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. 
+ type: long + threat.enrichments.indicator.file.pe.sections.var_entropy: + dashed_name: threat-enrichments-indicator-file-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: threat.enrichments.indicator.file.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + threat.enrichments.indicator.file.pe.sections.virtual_size: + dashed_name: threat-enrichments-indicator-file-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: threat.enrichments.indicator.file.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long threat.enrichments.indicator.file.size: dashed_name: threat-enrichments-indicator-file-size description: 'File size in bytes. 
@@ -17463,6 +19918,67 @@ threat: original_fieldset: elf short: List of exported element names and types. type: flattened + threat.indicator.file.elf.go_import_hash: + dashed_name: threat-indicator-file-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: threat.indicator.file.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword + threat.indicator.file.elf.go_imports: + dashed_name: threat-indicator-file-elf-go-imports + description: List of imported Go language element names and types. + flat_name: threat.indicator.file.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened + threat.indicator.file.elf.go_imports_names_entropy: + dashed_name: threat-indicator-file-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: threat.indicator.file.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long + threat.indicator.file.elf.go_imports_names_var_entropy: + dashed_name: threat-indicator-file-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: threat.indicator.file.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + threat.indicator.file.elf.go_stripped: + dashed_name: threat-indicator-file-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: threat.indicator.file.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean threat.indicator.file.elf.header.abi_version: dashed_name: threat-indicator-file-elf-header-abi-version description: Version of the ELF Application Binary Interface (ABI). @@ -17551,6 +20067,22 @@ threat: original_fieldset: elf short: Version of the ELF header. type: keyword + threat.indicator.file.elf.import_hash: + dashed_name: threat-indicator-file-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: threat.indicator.file.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword threat.indicator.file.elf.imports: dashed_name: threat-indicator-file-elf-imports description: List of imported element names and types. 
@@ -17562,6 +20094,32 @@ threat: original_fieldset: elf short: List of imported element names and types. type: flattened + threat.indicator.file.elf.imports_names_entropy: + dashed_name: threat-indicator-file-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: threat.indicator.file.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + threat.indicator.file.elf.imports_names_var_entropy: + dashed_name: threat-indicator-file-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: threat.indicator.file.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long threat.indicator.file.elf.sections: dashed_name: threat-indicator-file-elf-sections description: 'An array containing an object for each section of the ELF file. @@ -17653,6 +20211,17 @@ threat: original_fieldset: elf short: ELF Section List type. type: keyword + threat.indicator.file.elf.sections.var_entropy: + dashed_name: threat-indicator-file-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: threat.indicator.file.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long threat.indicator.file.elf.sections.virtual_address: dashed_name: threat-indicator-file-elf-sections-virtual-address description: ELF Section List virtual address. 
@@ -18011,6 +20580,67 @@ threat: original_fieldset: pe short: Process name. type: keyword + threat.indicator.file.pe.go_import_hash: + dashed_name: threat-indicator-file-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: threat.indicator.file.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in an ELF file. + type: keyword + threat.indicator.file.pe.go_imports: + dashed_name: threat-indicator-file-pe-go-imports + description: List of imported Go language element names and types. + flat_name: threat.indicator.file.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + threat.indicator.file.pe.go_imports_names_entropy: + dashed_name: threat-indicator-file-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: threat.indicator.file.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long + threat.indicator.file.pe.go_imports_names_var_entropy: + dashed_name: threat-indicator-file-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: threat.indicator.file.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + threat.indicator.file.pe.go_stripped: + dashed_name: threat-indicator-file-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: threat.indicator.file.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean threat.indicator.file.pe.imphash: dashed_name: threat-indicator-file-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash 
@@ -18027,6 +20657,59 @@ threat: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword + threat.indicator.file.pe.import_hash: + dashed_name: threat-indicator-file-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: threat.indicator.file.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in an ELF file. + type: keyword + threat.indicator.file.pe.imports: + dashed_name: threat-indicator-file-pe-imports + description: List of imported element names and types. + flat_name: threat.indicator.file.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened + threat.indicator.file.pe.imports_names_entropy: + dashed_name: threat-indicator-file-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: threat.indicator.file.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + threat.indicator.file.pe.imports_names_var_entropy: + dashed_name: threat-indicator-file-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: threat.indicator.file.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long threat.indicator.file.pe.original_file_name: dashed_name: threat-indicator-file-pe-original-file-name description: Internal name of the file, provided at compile-time. 
@@ -18067,6 +20750,75 @@ threat: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword + threat.indicator.file.pe.sections: + dashed_name: threat-indicator-file-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: threat.indicator.file.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested + threat.indicator.file.pe.sections.entropy: + dashed_name: threat-indicator-file-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: threat.indicator.file.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long + threat.indicator.file.pe.sections.name: + dashed_name: threat-indicator-file-pe-sections-name + description: PE Section List name. + flat_name: threat.indicator.file.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword + threat.indicator.file.pe.sections.physical_size: + dashed_name: threat-indicator-file-pe-sections-physical-size + description: PE Section List physical size. + flat_name: threat.indicator.file.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + threat.indicator.file.pe.sections.var_entropy: + dashed_name: threat-indicator-file-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. 
+ flat_name: threat.indicator.file.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + threat.indicator.file.pe.sections.virtual_size: + dashed_name: threat-indicator-file-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: threat.indicator.file.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long threat.indicator.file.size: dashed_name: threat-indicator-file-size description: 'File size in bytes. diff --git a/experimental/generated/elasticsearch/composable/component/dll.json b/experimental/generated/elasticsearch/composable/component/dll.json index abbb0883be..6ce95d6d39 100644 --- a/experimental/generated/elasticsearch/composable/component/dll.json +++ b/experimental/generated/elasticsearch/composable/component/dll.json @@ -102,10 +102,39 @@ "ignore_above": 1024, "type": "keyword" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "original_file_name": { "ignore_above": 1024, "type": "keyword" 
@@ -117,6 +146,27 @@ "product": { "ignore_above": 1024, "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" } } } diff --git a/experimental/generated/elasticsearch/composable/component/file.json b/experimental/generated/elasticsearch/composable/component/file.json index bb18576642..902e77b2f7 100644 --- a/experimental/generated/elasticsearch/composable/component/file.json +++ b/experimental/generated/elasticsearch/composable/component/file.json @@ -89,6 +89,22 @@ "exports": { "type": "flattened" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "header": { "properties": { "abi_version": { @@ -124,9 +140,19 @@ } } }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, "imports": { "type": "flattened" }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "sections": { "properties": { "chi2": { @@ -154,6 +180,9 @@ "ignore_above": 1024, "type": "keyword" }, + "var_entropy": { + "type": "long" + }, "virtual_address": { "type": "long" }, 
@@ -238,6 +267,64 @@ "ignore_above": 1024, "type": "keyword" }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "mime_type": { "ignore_above": 1024, "type": "keyword" @@ -284,10 +371,39 @@ "ignore_above": 1024, "type": "keyword" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "original_file_name": { "ignore_above": 1024, "type": "keyword" 
@@ -299,6 +415,27 @@ "product": { "ignore_above": 1024, "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" } } }, diff --git a/experimental/generated/elasticsearch/composable/component/process.json b/experimental/generated/elasticsearch/composable/component/process.json index bd6d6bce10..d299ecd870 100644 --- a/experimental/generated/elasticsearch/composable/component/process.json +++ b/experimental/generated/elasticsearch/composable/component/process.json @@ -79,6 +79,22 @@ "exports": { "type": "flattened" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "header": { "properties": { "abi_version": { @@ -114,9 +130,19 @@ } } }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, "imports": { "type": "flattened" }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "sections": { "properties": { "chi2": { @@ -144,6 +170,9 @@ "ignore_above": 1024, "type": "keyword" }, + "var_entropy": { + "type": "long" + }, "virtual_address": { "type": "long" }, 
@@ -686,6 +715,64 @@ }, "type": "object" }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "name": { "fields": { "text": { @@ -768,6 +855,22 @@ "exports": { "type": "flattened" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "header": { "properties": { "abi_version": { @@ -803,9 +906,19 @@ } } }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, "imports": { "type": "flattened" }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "sections": { "properties": { "chi2": { @@ -833,6 +946,9 @@ "ignore_above": 1024, "type": "keyword" }, + "var_entropy": { + "type": "long" + }, "virtual_address": { "type": "long" }, 
@@ -945,6 +1061,64 @@ "interactive": { "type": "boolean" }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "name": { "fields": { "text": { @@ -972,10 +1146,39 @@ "ignore_above": 1024, "type": "keyword" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "original_file_name": { "ignore_above": 1024, "type": "keyword" 
@@ -987,6 +1190,27 @@ "product": { "ignore_above": 1024, "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" } } }, @@ -1153,10 +1377,39 @@ "ignore_above": 1024, "type": "keyword" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "original_file_name": { "ignore_above": 1024, "type": "keyword" @@ -1168,6 +1421,27 @@ "product": { "ignore_above": 1024, "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" } } }, diff --git a/experimental/generated/elasticsearch/composable/component/threat.json b/experimental/generated/elasticsearch/composable/component/threat.json index 074ee97d62..81cfd9376b 100644 --- a/experimental/generated/elasticsearch/composable/component/threat.json +++ b/experimental/generated/elasticsearch/composable/component/threat.json 
@@ -131,6 +131,22 @@ "exports": { "type": "flattened" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "header": { "properties": { "abi_version": { @@ -166,9 +182,19 @@ } } }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, "imports": { "type": "flattened" }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "sections": { "properties": { "chi2": { @@ -196,6 +222,9 @@ "ignore_above": 1024, "type": "keyword" }, + "var_entropy": { + "type": "long" + }, "virtual_address": { "type": "long" }, @@ -326,10 +355,39 @@ "ignore_above": 1024, "type": "keyword" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "original_file_name": { "ignore_above": 1024, "type": "keyword" @@ -341,6 +399,27 @@ "product": { "ignore_above": 1024, "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" } } }, 
@@ -969,6 +1048,22 @@ "exports": { "type": "flattened" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "header": { "properties": { "abi_version": { @@ -1004,9 +1099,19 @@ } } }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, "imports": { "type": "flattened" }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "sections": { "properties": { "chi2": { @@ -1034,6 +1139,9 @@ "ignore_above": 1024, "type": "keyword" }, + "var_entropy": { + "type": "long" + }, "virtual_address": { "type": "long" }, @@ -1164,10 +1272,39 @@ "ignore_above": 1024, "type": "keyword" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "original_file_name": { "ignore_above": 1024, "type": "keyword" @@ -1179,6 +1316,27 @@ "product": { "ignore_above": 1024, "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" } } }, 
diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index 6d0eabf27f..ed83955ed3 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -874,10 +874,39 @@ "ignore_above": 1024, "type": "keyword" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "original_file_name": { "ignore_above": 1024, "type": "keyword" @@ -889,6 +918,27 @@ "product": { "ignore_above": 1024, "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" } } } @@ -1369,6 +1419,22 @@ "exports": { "type": "flattened" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "header": { "properties": { "abi_version": { @@ -1404,9 +1470,19 @@ } } }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, "imports": { "type": "flattened" }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "sections": { "properties": { "chi2": { 
@@ -1434,6 +1510,9 @@ "ignore_above": 1024, "type": "keyword" }, + "var_entropy": { + "type": "long" + }, "virtual_address": { "type": "long" }, @@ -1518,6 +1597,64 @@ "ignore_above": 1024, "type": "keyword" }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "mime_type": { "ignore_above": 1024, "type": "keyword" @@ -1564,10 +1701,39 @@ "ignore_above": 1024, "type": "keyword" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "original_file_name": { "ignore_above": 1024, "type": "keyword" 
@@ -1579,6 +1745,27 @@ "product": { "ignore_above": 1024, "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" } } }, @@ -2599,6 +2786,22 @@ "exports": { "type": "flattened" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "header": { "properties": { "abi_version": { @@ -2634,9 +2837,19 @@ } } }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, "imports": { "type": "flattened" }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "sections": { "properties": { "chi2": { @@ -2664,6 +2877,9 @@ "ignore_above": 1024, "type": "keyword" }, + "var_entropy": { + "type": "long" + }, "virtual_address": { "type": "long" }, 
@@ -3206,6 +3422,64 @@ }, "type": "object" }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "name": { "fields": { "text": { @@ -3288,6 +3562,22 @@ "exports": { "type": "flattened" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "header": { "properties": { "abi_version": { @@ -3323,9 +3613,19 @@ } } }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, "imports": { "type": "flattened" }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "sections": { "properties": { "chi2": { @@ -3353,6 +3653,9 @@ "ignore_above": 1024, "type": "keyword" }, + "var_entropy": { + "type": "long" + }, "virtual_address": { "type": "long" }, 
@@ -3465,6 +3768,64 @@ "interactive": { "type": "boolean" }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "name": { "fields": { "text": { @@ -3492,10 +3853,39 @@ "ignore_above": 1024, "type": "keyword" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "original_file_name": { "ignore_above": 1024, "type": "keyword" 
@@ -3507,6 +3897,27 @@ "product": { "ignore_above": 1024, "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" } } }, @@ -3673,10 +4084,39 @@ "ignore_above": 1024, "type": "keyword" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "original_file_name": { "ignore_above": 1024, "type": "keyword" @@ -3688,6 +4128,27 @@ "product": { "ignore_above": 1024, "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" } } }, @@ -4807,6 +5268,22 @@ "exports": { "type": "flattened" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "header": { "properties": { "abi_version": { 
@@ -4842,9 +5319,19 @@ } } }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, "imports": { "type": "flattened" }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "sections": { "properties": { "chi2": { @@ -4872,6 +5359,9 @@ "ignore_above": 1024, "type": "keyword" }, + "var_entropy": { + "type": "long" + }, "virtual_address": { "type": "long" }, @@ -5002,10 +5492,39 @@ "ignore_above": 1024, "type": "keyword" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "original_file_name": { "ignore_above": 1024, "type": "keyword" @@ -5017,6 +5536,27 @@ "product": { "ignore_above": 1024, "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" } } }, @@ -5645,6 +6185,22 @@ "exports": { "type": "flattened" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "header": { "properties": { "abi_version": { 
@@ -5680,9 +6236,19 @@ } } }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, "imports": { "type": "flattened" }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "sections": { "properties": { "chi2": { @@ -5710,6 +6276,9 @@ "ignore_above": 1024, "type": "keyword" }, + "var_entropy": { + "type": "long" + }, "virtual_address": { "type": "long" }, @@ -5840,10 +6409,39 @@ "ignore_above": 1024, "type": "keyword" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "original_file_name": { "ignore_above": 1024, "type": "keyword" @@ -5855,6 +6453,27 @@ "product": { "ignore_above": 1024, "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" } } }, diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index a3e8deaf97..a091b25c5f 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -1465,6 +1465,42 @@ description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false + - name: pe.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: pe.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: pe.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: pe.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: pe.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false - name: pe.imphash level: extended type: keyword 
@@ -1476,6 +1512,36 @@ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false + - name: pe.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: pe.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: pe.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: pe.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false - name: pe.original_file_name level: extended type: keyword 
@@ -1501,6 +1567,44 @@ description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false + - name: pe.sections + level: extended + type: nested + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + default_field: false + - name: pe.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: PE Section List name. + default_field: false + - name: pe.sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. + default_field: false + - name: pe.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: pe.sections.virtual_size + level: extended + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. + default_field: false - name: dns title: DNS group: 2 
@@ -1727,6 +1831,42 @@ type: flattened description: List of exported element names and types. default_field: false + - name: go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false - name: header.abi_version level: extended type: keyword 
@@ -1775,11 +1915,36 @@ ignore_above: 1024 description: Version of the ELF header. default_field: false + - name: import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false - name: imports level: extended type: flattened description: List of imported element names and types. default_field: false + - name: imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false - name: sections level: extended type: nested @@ -1830,6 +1995,12 @@ ignore_above: 1024 description: ELF Section List type. default_field: false + - name: sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false - name: sections.virtual_address level: extended type: long 
@@ -2678,6 +2849,42 @@ type: flattened description: List of exported element names and types. default_field: false + - name: elf.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: elf.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: elf.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: elf.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: elf.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false - name: elf.header.abi_version level: extended type: keyword 
@@ -2726,11 +2933,36 @@ ignore_above: 1024 description: Version of the ELF header. default_field: false + - name: elf.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false - name: elf.imports level: extended type: flattened description: List of imported element names and types. default_field: false + - name: elf.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: elf.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false - name: elf.sections level: extended type: nested @@ -2781,6 +3013,12 @@ ignore_above: 1024 description: ELF Section List type. default_field: false + - name: elf.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false - name: elf.sections.virtual_address level: extended type: long 
@@ -2909,6 +3147,121 @@ ignore_above: 1024 description: Inode representing the file in the filesystem. example: '256383' + - name: macho.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: macho.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: macho.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: macho.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: macho.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: macho.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: macho.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: macho.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: macho.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: macho.sections + level: extended + type: nested + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + default_field: false + - name: macho.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: macho.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Mach-O Section List name. + default_field: false + - name: macho.sections.physical_size + level: extended + type: long + format: bytes + description: Mach-O Section List physical size. + default_field: false + - name: macho.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: macho.sections.virtual_size + level: extended + type: long + format: string + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: macho.symhash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. 
An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + default_field: false - name: mime_type level: extended type: keyword @@ -2979,6 +3332,42 @@ description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false + - name: pe.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: pe.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: pe.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: pe.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: pe.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false - name: pe.imphash level: extended type: keyword 
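Review bot: the `macho.import_hash` description reads "A hash of the imports in an Mach-O file" (should be "a Mach-O file"), and the `macho.symhash` description ends without a period ("... the Windows PE imphash") while its ELF counterpart has one. More substantively, `macho.import_hash` is documented as "a synonym for symhash" yet carries `example: d41d8cd98f00b204e9800998ecf8427e` while `macho.symhash` carries `example: d3ccf195b62a9279c3c19af1080497ec`; two fields defined to hold the same value should show the same example, and the same mismatch exists between `pe.import_hash` and `pe.imphash` in the next hunk. `macho.sections.virtual_size` is `type: long` with `format: string` whereas `macho.sections.physical_size` uses `format: bytes`; if the value "is always the same as `physical_size`" it should at least share its format, and the description should say why a second field exists. All of the `*_entropy` fields added here are `type: long` as well, which truncates the fractional part of an entropy value; `float` or `double` fits the data. The `go_import_hash` descriptions embed a markdown link (`[here](https://github.com/elastic/toutoumomoma)`) where the neighbouring `pe.imphash` entry uses plain "Learn more at <url>" text; unless the doc generator converts markdown, the brackets render literally, and "here" as link text hides what is being linked. Lastly, `go_stripped` defines the value for stripped and unstripped Go executables but says nothing about non-Go files; stating that the field is omitted (or false) for those removes the ambiguity.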
@@ -2990,6 +3379,36 @@ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false + - name: pe.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: pe.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: pe.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: pe.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false - name: pe.original_file_name level: extended type: keyword 
@@ -3015,20 +3434,58 @@ description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false - - name: size + - name: pe.sections level: extended - type: long - description: 'File size in bytes. + type: nested + description: 'An array containing an object for each section of the PE file. - Only relevant when `file.type` is "file".' - example: 16384 - - name: target_path + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + default_field: false + - name: pe.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: pe.sections.name level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text + description: PE Section List name. + default_field: false + - name: pe.sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. + default_field: false + - name: pe.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: pe.sections.virtual_size + level: extended + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: size + level: extended + type: long + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + - name: target_path + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text default_field: false description: Target path for symlinks. - name: type 
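Review bot: `pe.sections.virtual_size` states "This is always the same as `physical_size`", but in the PE format a section's VirtualSize and SizeOfRawData are separate header fields and routinely differ (the raw size is padded up to FileAlignment, and a section with uninitialized data can have a virtual size larger than its raw size). If the producer really copies `physical_size` into this field, the description should say it is a copy rather than that the two are always equal; if it reports the header's VirtualSize, the sentence is wrong. The field is also `type: long` with `format: string`, inconsistent with `format: bytes` on `pe.sections.physical_size`. The removal and re-addition of `size` and `target_path` in this hunk carries no content change; it is the generator re-sorting the list after the `pe.sections.*` insertion, so nothing needs review there.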
@@ -4020,6 +4477,128 @@ for RFC 5424 messages. example: 1 default_field: false + - name: macho + title: Mach-O Header + group: 2 + description: These fields contain Mac OS Mach Object file format (Mach-O) metadata. + type: group + default_field: true + fields: + - name: go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: sections + level: extended + type: nested + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + default_field: false + - name: sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Mach-O Section List name. + default_field: false + - name: sections.physical_size + level: extended + type: long + format: bytes + description: Mach-O Section List physical size. + default_field: false + - name: sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: sections.virtual_size + level: extended + type: long + format: string + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: symhash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. 
An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + default_field: false - name: network title: Network group: 2 @@ -4816,6 +5395,42 @@ description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false + - name: go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false - name: imphash level: extended type: keyword 
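Review bot: this `macho` group definition repeats verbatim the entries from the `file.macho.*` hunk, including the wording problems there ("an Mach-O file", the missing period after "Windows PE imphash", the `import_hash`/`symhash` example mismatch, `virtual_size` with `format: string`), and the same copies reappear below for `process.macho.*` and `process.parent.macho.*`. Because these are generated files, the fixes belong in the schema source the generator reads, after which one regeneration updates every copy; editing the generated YAML by hand would be undone on the next run. The group description "Mac OS Mach Object file format (Mach-O)" should also use the current product name, macOS.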
@@ -4827,6 +5442,36 @@ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false + - name: import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false - name: original_file_name level: extended type: keyword 
@@ -4852,6 +5497,44 @@ description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false + - name: sections + level: extended + type: nested + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + default_field: false + - name: sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: sections.name + level: extended + type: keyword + ignore_above: 1024 + description: PE Section List name. + default_field: false + - name: sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. + default_field: false + - name: sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: sections.virtual_size + level: extended + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. + default_field: false - name: process title: Process group: 2 
@@ -5004,6 +5687,42 @@ type: flattened description: List of exported element names and types. default_field: false + - name: elf.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: elf.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: elf.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: elf.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: elf.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false - name: elf.header.abi_version level: extended type: keyword 
@@ -5052,11 +5771,36 @@ ignore_above: 1024 description: Version of the ELF header. default_field: false + - name: elf.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false - name: elf.imports level: extended type: flattened description: List of imported element names and types. default_field: false + - name: elf.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: elf.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false - name: elf.sections level: extended type: nested @@ -5107,6 +5851,12 @@ ignore_above: 1024 description: ELF Section List type. default_field: false + - name: elf.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false - name: elf.sections.virtual_address level: extended type: long 
@@ -5922,6 +6672,121 @@ Currently only ''tty'' is supported. Other types may be added in the future for ''file'' and ''socket'' support.' default_field: false + - name: macho.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: macho.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: macho.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: macho.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: macho.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: macho.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: macho.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: macho.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: macho.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: macho.sections + level: extended + type: nested + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + default_field: false + - name: macho.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: macho.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Mach-O Section List name. + default_field: false + - name: macho.sections.physical_size + level: extended + type: long + format: bytes + description: Mach-O Section List physical size. + default_field: false + - name: macho.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: macho.sections.virtual_size + level: extended + type: long + format: string + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: macho.symhash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. 
An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + default_field: false - name: name level: extended type: keyword @@ -6076,6 +6941,42 @@ type: flattened description: List of exported element names and types. default_field: false + - name: parent.elf.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: parent.elf.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: parent.elf.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: parent.elf.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: parent.elf.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false - name: parent.elf.header.abi_version level: extended type: keyword 
@@ -6124,11 +7025,36 @@ ignore_above: 1024 description: Version of the ELF header. default_field: false + - name: parent.elf.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false - name: parent.elf.imports level: extended type: flattened description: List of imported element names and types. default_field: false + - name: parent.elf.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: parent.elf.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false - name: parent.elf.sections level: extended type: nested @@ -6179,6 +7105,12 @@ ignore_above: 1024 description: ELF Section List type. default_field: false + - name: parent.elf.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false - name: parent.elf.sections.virtual_address level: extended type: long 
@@ -6361,6 +7293,121 @@ connected to the controlling TTY.' example: true default_field: false + - name: parent.macho.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: parent.macho.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: parent.macho.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: parent.macho.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: parent.macho.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: parent.macho.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: parent.macho.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: parent.macho.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: parent.macho.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: parent.macho.sections + level: extended + type: nested + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + default_field: false + - name: parent.macho.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: parent.macho.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Mach-O Section List name. + default_field: false + - name: parent.macho.sections.physical_size + level: extended + type: long + format: bytes + description: Mach-O Section List physical size. + default_field: false + - name: parent.macho.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: parent.macho.sections.virtual_size + level: extended + type: long + format: string + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: parent.macho.symhash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. 
An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + default_field: false - name: parent.name level: extended type: keyword @@ -6401,6 +7448,42 @@ description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false + - name: parent.pe.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: parent.pe.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: parent.pe.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: parent.pe.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: parent.pe.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false - name: parent.pe.imphash level: extended type: keyword 
@@ -6412,6 +7495,36 @@ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false + - name: parent.pe.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: parent.pe.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: parent.pe.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: parent.pe.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false - name: parent.pe.original_file_name level: extended type: keyword 
@@ -6437,6 +7550,44 @@ description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false + - name: parent.pe.sections + level: extended + type: nested + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + default_field: false + - name: parent.pe.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: parent.pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: PE Section List name. + default_field: false + - name: parent.pe.sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. + default_field: false + - name: parent.pe.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: parent.pe.sections.virtual_size + level: extended + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. + default_field: false - name: parent.pgid level: extended type: long 
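Review bot: `parent.pe.sections.virtual_size` in this hunk is typed `long` but carries `format: string`, while the sibling `parent.pe.sections.physical_size` uses `format: bytes`; the two should match. Separately, the description claims the virtual size "is always the same as `physical_size`", but in the PE format a section's VirtualSize and SizeOfRawData are independent header fields that commonly differ (raw size is padded to the file alignment, and sections with uninitialised data have a larger virtual size), so either the claim is wrong or the field adds nothing over `physical_size` and could be dropped; the text should settle which.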
@@ -6626,19 +7777,55 @@ description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - - name: pe.description + - name: pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: pe.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: pe.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: pe.go_imports_names_entropy level: extended - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. default_field: false - - name: pe.file_version + - name: pe.go_imports_names_var_entropy level: extended - type: keyword - ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ default_field: false + - name: pe.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. default_field: false - name: pe.imphash level: extended @@ -6651,6 +7838,36 @@ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false + - name: pe.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: pe.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: pe.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: pe.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false - name: pe.original_file_name level: extended type: keyword 
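Review bot: the entropy fields in the hunk at `@@ -6626`, `pe.go_imports_names_entropy` and `pe.go_imports_names_var_entropy`, are mapped as `type: long` with `format: number`; Shannon entropy is a fractional quantity (at most 8 bits per byte for section data, at most log2(n) bits for a list of n names), so an integer mapping truncates most of the signal. If `long` is kept for consistency with the pre-existing `file.elf.sections.entropy` (also `long` in the CSV context further down), the description should state the scaling or rounding producers apply so values from different producers remain comparable; otherwise `float` or `double` is the faithful mapping.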
@@ -6676,6 +7893,44 @@ description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false + - name: pe.sections + level: extended + type: nested + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + default_field: false + - name: pe.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: PE Section List name. + default_field: false + - name: pe.sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. + default_field: false + - name: pe.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: pe.sections.virtual_size + level: extended + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. + default_field: false - name: pgid level: extended type: long 
@@ -8714,6 +9969,42 @@ type: flattened description: List of exported element names and types. default_field: false + - name: enrichments.indicator.file.elf.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: enrichments.indicator.file.elf.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: enrichments.indicator.file.elf.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: enrichments.indicator.file.elf.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: enrichments.indicator.file.elf.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false - name: enrichments.indicator.file.elf.header.abi_version level: extended type: keyword 
@@ -8762,11 +10053,36 @@ ignore_above: 1024 description: Version of the ELF header. default_field: false + - name: enrichments.indicator.file.elf.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false - name: enrichments.indicator.file.elf.imports level: extended type: flattened description: List of imported element names and types. default_field: false + - name: enrichments.indicator.file.elf.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: enrichments.indicator.file.elf.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false - name: enrichments.indicator.file.elf.sections level: extended type: nested @@ -8817,6 +10133,12 @@ ignore_above: 1024 description: ELF Section List type. default_field: false + - name: enrichments.indicator.file.elf.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false - name: enrichments.indicator.file.elf.sections.virtual_address level: extended type: long 
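Review bot: `enrichments.indicator.file.elf.import_hash` in the hunk at `@@ -8762` says only that it "is an ELF implementation of the Windows PE imphash", which is not enough to make values comparable across producers: the PE imphash is computed over lowercased library and function names in import-table order, whereas an ELF binary lists undefined dynamic symbols and DT_NEEDED libraries separately and binds them only at load time, so the description should state what goes into the hash (symbol names alone, or library plus symbol), how entries are ordered and cased, and which digest is used. The example `d41d8cd98f00b204e9800998ecf8427e` is again the MD5 of empty input and should be replaced with a value from a real binary.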
@@ -9027,6 +10349,42 @@ description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false + - name: enrichments.indicator.file.pe.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: enrichments.indicator.file.pe.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: enrichments.indicator.file.pe.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: enrichments.indicator.file.pe.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: enrichments.indicator.file.pe.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false - name: enrichments.indicator.file.pe.imphash level: extended type: keyword 
@@ -9038,6 +10396,36 @@ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false + - name: enrichments.indicator.file.pe.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: enrichments.indicator.file.pe.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: enrichments.indicator.file.pe.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: enrichments.indicator.file.pe.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false - name: enrichments.indicator.file.pe.original_file_name level: extended type: keyword 
@@ -9063,6 +10451,44 @@ description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false + - name: enrichments.indicator.file.pe.sections + level: extended + type: nested + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + default_field: false + - name: enrichments.indicator.file.pe.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: enrichments.indicator.file.pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: PE Section List name. + default_field: false + - name: enrichments.indicator.file.pe.sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. + default_field: false + - name: enrichments.indicator.file.pe.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: enrichments.indicator.file.pe.sections.virtual_size + level: extended + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. + default_field: false - name: enrichments.indicator.file.size level: extended type: long 
@@ -10133,6 +11559,42 @@ type: flattened description: List of exported element names and types. default_field: false + - name: indicator.file.elf.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: indicator.file.elf.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: indicator.file.elf.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: indicator.file.elf.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: indicator.file.elf.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false - name: indicator.file.elf.header.abi_version level: extended type: keyword 
@@ -10181,11 +11643,36 @@ ignore_above: 1024 description: Version of the ELF header. default_field: false + - name: indicator.file.elf.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false - name: indicator.file.elf.imports level: extended type: flattened description: List of imported element names and types. default_field: false + - name: indicator.file.elf.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: indicator.file.elf.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false - name: indicator.file.elf.sections level: extended type: nested @@ -10236,6 +11723,12 @@ ignore_above: 1024 description: ELF Section List type. default_field: false + - name: indicator.file.elf.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false - name: indicator.file.elf.sections.virtual_address level: extended type: long 
@@ -10446,6 +11939,42 @@ description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false + - name: indicator.file.pe.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: indicator.file.pe.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: indicator.file.pe.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: indicator.file.pe.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: indicator.file.pe.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false - name: indicator.file.pe.imphash level: extended type: keyword 
@@ -10457,6 +11986,36 @@ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false + - name: indicator.file.pe.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: indicator.file.pe.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: indicator.file.pe.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: indicator.file.pe.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false - name: indicator.file.pe.original_file_name level: extended type: keyword 
@@ -10482,6 +12041,44 @@ description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false + - name: indicator.file.pe.sections + level: extended + type: nested + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + default_field: false + - name: indicator.file.pe.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: indicator.file.pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: PE Section List name. + default_field: false + - name: indicator.file.pe.sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. + default_field: false + - name: indicator.file.pe.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: indicator.file.pe.sections.virtual_size + level: extended + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. + default_field: false - name: indicator.file.size level: extended type: long diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index f502accf2d..e5d08c3228 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -160,10 +160,25 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 8.7.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 8.7.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.7.0-dev,true,dll,dll.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev,true,dll,dll.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.7.0-dev,true,dll,dll.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.7.0-dev,true,dll,dll.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.7.0-dev,true,dll,dll.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 8.7.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.7.0-dev,true,dll,dll.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.7.0-dev,true,dll,dll.pe.imports,flattened,extended,array,,List of imported element names and types. +8.7.0-dev,true,dll,dll.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.7.0-dev,true,dll,dll.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 8.7.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
8.7.0-dev,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. 8.7.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.7.0-dev,true,dll,dll.pe.sections,nested,extended,array,,Section information of the PE file. +8.7.0-dev,true,dll,dll.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.7.0-dev,true,dll,dll.pe.sections.name,keyword,extended,,,PE Section List name. +8.7.0-dev,true,dll,dll.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.7.0-dev,true,dll,dll.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.7.0-dev,true,dll,dll.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. 8.7.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. 8.7.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. 8.7.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. 
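Review bot: the short descriptions of `dll.pe.go_import_hash` ("A hash of the Go language imports in an ELF file.") and `dll.pe.import_hash` ("A hash of the imports in an ELF file.") in this hunk are copied from the ELF field set and are wrong for a PE field; since fields.csv is generated, the fix is the short description in the PE schema source, not the CSV. Also, `dll.pe.go_imports` is emitted with an empty Normalization column while `dll.pe.imports` carries `array`; both hold a list of element names and types, so `go_imports` should declare the `array` normalization as well.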
@@ -271,6 +286,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. 8.7.0-dev,true,file,file.elf.creation_date,date,extended,,,Build or compile date. 8.7.0-dev,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. +8.7.0-dev,true,file,file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev,true,file,file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.7.0-dev,true,file,file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.7.0-dev,true,file,file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.7.0-dev,true,file,file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 8.7.0-dev,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). 8.7.0-dev,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. 8.7.0-dev,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. 
@@ -279,7 +299,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. 8.7.0-dev,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. 8.7.0-dev,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. +8.7.0-dev,true,file,file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. 8.7.0-dev,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. +8.7.0-dev,true,file,file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.7.0-dev,true,file,file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 8.7.0-dev,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. 8.7.0-dev,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. 8.7.0-dev,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. 
@@ -288,6 +311,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. 8.7.0-dev,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. 8.7.0-dev,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.7.0-dev,true,file,file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 8.7.0-dev,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. 8.7.0-dev,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. 8.7.0-dev,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. 
@@ -307,6 +331,22 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. 8.7.0-dev,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. 8.7.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +8.7.0-dev,true,file,file.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev,true,file,file.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.7.0-dev,true,file,file.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.7.0-dev,true,file,file.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.7.0-dev,true,file,file.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.7.0-dev,true,file,file.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.7.0-dev,true,file,file.macho.imports,flattened,extended,array,,List of imported element names and types. +8.7.0-dev,true,file,file.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.7.0-dev,true,file,file.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.7.0-dev,true,file,file.macho.sections,nested,extended,array,,Section information of the Mach-O file. +8.7.0-dev,true,file,file.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.7.0-dev,true,file,file.macho.sections.name,keyword,extended,,,Mach-O Section List name. +8.7.0-dev,true,file,file.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. 
+8.7.0-dev,true,file,file.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.7.0-dev,true,file,file.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +8.7.0-dev,true,file,file.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. 8.7.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." 8.7.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. 8.7.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified. 
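Review bot: `file.macho.import_hash` in this hunk ("A hash of the imports in an ELF file.", example `d41d8cd98f00b204e9800998ecf8427e`) now sits beside `file.macho.symhash` ("A hash of the imports in a Mach-O file.", example `d3ccf195b62a9279c3c19af1080497ec`), whose full description in the beats YAML above calls it "a Mach-O implementation of the Windows PE imphash"; two fields for the same concept with different example values will split producers, so either mark one as a synonym of the other, as was done for `pe.import_hash` and `pe.imphash`, or drop one. The "ELF file" wording on `file.macho.go_import_hash` and `file.macho.import_hash` also needs Mach-O wording at the schema source.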
@@ -318,10 +358,25 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 8.7.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 8.7.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.7.0-dev,true,file,file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev,true,file,file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.7.0-dev,true,file,file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.7.0-dev,true,file,file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.7.0-dev,true,file,file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 8.7.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.7.0-dev,true,file,file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.7.0-dev,true,file,file.pe.imports,flattened,extended,array,,List of imported element names and types. +8.7.0-dev,true,file,file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.7.0-dev,true,file,file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 8.7.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
8.7.0-dev,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. 8.7.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.7.0-dev,true,file,file.pe.sections,nested,extended,array,,Section information of the PE file. +8.7.0-dev,true,file,file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.7.0-dev,true,file,file.pe.sections.name,keyword,extended,,,PE Section List name. +8.7.0-dev,true,file,file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.7.0-dev,true,file,file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.7.0-dev,true,file,file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. 8.7.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. 8.7.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks. 8.7.0-dev,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. 
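Review bot: the descriptions of `file.pe.go_import_hash` ("A hash of the Go language imports in an ELF file") and `file.pe.import_hash` ("A hash of the imports in an ELF file") in this hunk are wrong for a `file.pe.*` field; they should read "in a PE file", matching the existing `file.pe.imphash` line just above them. In the same hunk `file.pe.go_imports` has an empty Normalization column while `file.pe.imports` is `array`; if `go_imports` is a list (its description says "List of imported Go language element names and types") it needs `array` too. Since this CSV is generated output, the fix belongs in the source schema followed by a regeneration rather than in the CSV itself. Unrelated but visible in the context: the pre-existing `file.pe.file_version` description is "Process name.", which looks like a copy-paste error worth fixing while the PE fields are being touched.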
@@ -537,6 +592,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. 8.7.0-dev,true,process,process.elf.creation_date,date,extended,,,Build or compile date. 8.7.0-dev,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. +8.7.0-dev,true,process,process.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev,true,process,process.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.7.0-dev,true,process,process.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.7.0-dev,true,process,process.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.7.0-dev,true,process,process.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 8.7.0-dev,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). 8.7.0-dev,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. 8.7.0-dev,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. 
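Review bot: `process.elf.go_imports` is added with a blank Normalization column although the neighbouring `process.elf.exports` (context line) and `process.elf.imports` in this field set are `array`; either mark it `array` or change the description, which currently says "List of imported Go language element names and types" and so implies a list value.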
@@ -545,7 +605,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. 8.7.0-dev,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. 8.7.0-dev,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. +8.7.0-dev,true,process,process.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. 8.7.0-dev,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. +8.7.0-dev,true,process,process.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.7.0-dev,true,process,process.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 8.7.0-dev,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. 8.7.0-dev,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. 8.7.0-dev,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. 
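Review bot: the example for `process.elf.import_hash`, `d41d8cd98f00b204e9800998ecf8427e`, is the MD5 of empty input, so it documents what a binary with no imports would produce; an example taken from a real import list (as the `imphash` example `0c6803c4e922103c4dca5963aad36ddf` does for PE) would be more useful to readers and less likely to be copied as a placeholder. Separately, `process.elf.imports_names_entropy` and `process.elf.imports_names_var_entropy` are typed `long`; Shannon entropy is a fractional quantity, so a `long` mapping truncates it. This matches the existing `process.elf.sections.entropy` type, so it is at least consistent, but a comment in the schema on the intended precision (or a scaled value) would help producers.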
@@ -554,6 +617,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. 8.7.0-dev,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. 8.7.0-dev,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. +8.7.0-dev,true,process,process.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 8.7.0-dev,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. 8.7.0-dev,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. 8.7.0-dev,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. 
@@ -666,6 +730,22 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,process,process.io.total_bytes_captured,number,extended,,,The total number of bytes captured in this event. 8.7.0-dev,true,process,process.io.total_bytes_skipped,number,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. 8.7.0-dev,true,process,process.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. +8.7.0-dev,true,process,process.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev,true,process,process.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.7.0-dev,true,process,process.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.7.0-dev,true,process,process.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.7.0-dev,true,process,process.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.7.0-dev,true,process,process.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.7.0-dev,true,process,process.macho.imports,flattened,extended,array,,List of imported element names and types. +8.7.0-dev,true,process,process.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.7.0-dev,true,process,process.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.7.0-dev,true,process,process.macho.sections,nested,extended,array,,Section information of the Mach-O file. 
+8.7.0-dev,true,process,process.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.7.0-dev,true,process,process.macho.sections.name,keyword,extended,,,Mach-O Section List name. +8.7.0-dev,true,process,process.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +8.7.0-dev,true,process,process.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.7.0-dev,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +8.7.0-dev,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. 8.7.0-dev,true,process,process.name,keyword,extended,,ssh,Process name. 8.7.0-dev,true,process,process.name.text,match_only_text,extended,,ssh,Process name. 8.7.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 
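Review bot: `process.macho.go_import_hash` and `process.macho.import_hash` both describe "an ELF file", which is wrong for Mach-O fields; the wording should match `process.macho.symhash` in the same hunk ("A hash of the imports in a Mach-O file"). Also, `process.macho.sections.virtual_size` states "This is always the same as `physical_size`"; if that equality really holds, the two fields carry identical information and one of them is redundant, and if it only holds for typical binaries the "always" should be softened so consumers do not rely on it.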
@@ -686,6 +766,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. 8.7.0-dev,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. 8.7.0-dev,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. +8.7.0-dev,true,process,process.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev,true,process,process.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.7.0-dev,true,process,process.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.7.0-dev,true,process,process.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.7.0-dev,true,process,process.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 8.7.0-dev,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). 8.7.0-dev,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. 8.7.0-dev,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. 
@@ -694,7 +779,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. 8.7.0-dev,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. 8.7.0-dev,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. +8.7.0-dev,true,process,process.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. 8.7.0-dev,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. +8.7.0-dev,true,process,process.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.7.0-dev,true,process,process.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 8.7.0-dev,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. 8.7.0-dev,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. 8.7.0-dev,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. 
@@ -703,6 +791,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. 8.7.0-dev,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. 8.7.0-dev,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. +8.7.0-dev,true,process,process.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 8.7.0-dev,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. 8.7.0-dev,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. 8.7.0-dev,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. 
@@ -728,16 +817,47 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. 8.7.0-dev,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. 8.7.0-dev,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.7.0-dev,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev,true,process,process.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.7.0-dev,true,process,process.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.7.0-dev,true,process,process.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.7.0-dev,true,process,process.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.7.0-dev,true,process,process.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.7.0-dev,true,process,process.parent.macho.imports,flattened,extended,array,,List of imported element names and types. +8.7.0-dev,true,process,process.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.7.0-dev,true,process,process.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.7.0-dev,true,process,process.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file. +8.7.0-dev,true,process,process.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. 
+8.7.0-dev,true,process,process.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name. +8.7.0-dev,true,process,process.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +8.7.0-dev,true,process,process.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.7.0-dev,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +8.7.0-dev,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. 8.7.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name. 8.7.0-dev,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. 8.7.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 8.7.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 8.7.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 8.7.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.7.0-dev,true,process,process.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev,true,process,process.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.7.0-dev,true,process,process.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.7.0-dev,true,process,process.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 
+8.7.0-dev,true,process,process.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 8.7.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.7.0-dev,true,process,process.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.7.0-dev,true,process,process.parent.pe.imports,flattened,extended,array,,List of imported element names and types. +8.7.0-dev,true,process,process.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.7.0-dev,true,process,process.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 8.7.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 8.7.0-dev,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. 8.7.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.7.0-dev,true,process,process.parent.pe.sections,nested,extended,array,,Section information of the PE file. +8.7.0-dev,true,process,process.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.7.0-dev,true,process,process.parent.pe.sections.name,keyword,extended,,,PE Section List name. +8.7.0-dev,true,process,process.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.7.0-dev,true,process,process.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 
+8.7.0-dev,true,process,process.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. 8.7.0-dev,true,process,process.parent.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. 8.7.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. 8.7.0-dev,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
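Review bot: the same "in an ELF file" wording appears four times in this hunk, on `process.parent.macho.go_import_hash`, `process.parent.macho.import_hash`, `process.parent.pe.go_import_hash` and `process.parent.pe.import_hash`, where the correct format names are Mach-O and PE respectively. The file list in this commit includes `schemas/` and several `generated/` trees, so correcting the description once in the reusable field definition and regenerating should fix every copy; please do not hand-edit the generated CSV. The same `array` normalization question raised for `go_imports` elsewhere applies to `process.parent.macho.go_imports` and `process.parent.pe.go_imports` here.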
@@ -770,10 +890,25 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 8.7.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 8.7.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.7.0-dev,true,process,process.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev,true,process,process.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.7.0-dev,true,process,process.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.7.0-dev,true,process,process.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.7.0-dev,true,process,process.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 8.7.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.7.0-dev,true,process,process.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.7.0-dev,true,process,process.pe.imports,flattened,extended,array,,List of imported element names and types. +8.7.0-dev,true,process,process.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.7.0-dev,true,process,process.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 8.7.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
8.7.0-dev,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. 8.7.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.7.0-dev,true,process,process.pe.sections,nested,extended,array,,Section information of the PE file. +8.7.0-dev,true,process,process.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.7.0-dev,true,process,process.pe.sections.name,keyword,extended,,,PE Section List name. +8.7.0-dev,true,process,process.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.7.0-dev,true,process,process.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.7.0-dev,true,process,process.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. 8.7.0-dev,true,process,process.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. 8.7.0-dev,true,process,process.pid,long,core,,4242,Process id. 8.7.0-dev,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 
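Review bot: after this hunk `process.pe.imphash` ("A hash of the imports in a PE file") and the new `process.pe.import_hash` ("A hash of the imports in an ELF file") sit side by side with descriptions that differ only in the (incorrect) format name, so a producer cannot tell which field to populate or how the two hashes differ. Beyond fixing "ELF" to "PE", the `import_hash` description should say what distinguishes it from `imphash` (for example which inputs or hash function are used); otherwise consumers will treat them as duplicates.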
@@ -1009,6 +1144,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. 8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. 8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). 8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. 8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. 
@@ -1017,7 +1157,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. 8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. 8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. 8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. 8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. 8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. 
@@ -1026,6 +1169,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. 8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. 8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. 8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. 8.7.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. 
@@ -1056,10 +1200,25 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
+8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. 8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. 8.7.0-dev,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. 8.7.0-dev,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. 8.7.0-dev,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. 
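Review bot: `threat.enrichments.indicator.file.pe.go_import_hash` and `threat.enrichments.indicator.file.pe.import_hash` repeat the "in an ELF file" description error, and the example for `import_hash` is again the empty-input MD5 `d41d8cd98f00b204e9800998ecf8427e`. The descriptions and examples in this hunk are byte-for-byte identical to the `file.pe.*` and `process.pe.*` hunks above, which suggests they come from one reused PE definition; if so, one correction in that definition is enough, but the regenerated CSV should be diffed afterwards to confirm all occurrences, including the `threat.indicator.file.pe.*` hunk below, picked it up.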
@@ -1200,6 +1359,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. 8.7.0-dev,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. 8.7.0-dev,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +8.7.0-dev,true,threat,threat.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev,true,threat,threat.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.7.0-dev,true,threat,threat.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.7.0-dev,true,threat,threat.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.7.0-dev,true,threat,threat.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 8.7.0-dev,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). 8.7.0-dev,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. 8.7.0-dev,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. 
@@ -1208,7 +1372,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. 8.7.0-dev,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. 8.7.0-dev,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +8.7.0-dev,true,threat,threat.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. 8.7.0-dev,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +8.7.0-dev,true,threat,threat.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.7.0-dev,true,threat,threat.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 8.7.0-dev,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. 8.7.0-dev,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. 8.7.0-dev,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. 
@@ -1217,6 +1384,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. 8.7.0-dev,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. 8.7.0-dev,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.7.0-dev,true,threat,threat.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 8.7.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. 8.7.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. 8.7.0-dev,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. 
@@ -1247,10 +1415,25 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 8.7.0-dev,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 8.7.0-dev,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.7.0-dev,true,threat,threat.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev,true,threat,threat.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.7.0-dev,true,threat,threat.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.7.0-dev,true,threat,threat.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.7.0-dev,true,threat,threat.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 8.7.0-dev,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.7.0-dev,true,threat,threat.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.7.0-dev,true,threat,threat.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. +8.7.0-dev,true,threat,threat.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
+8.7.0-dev,true,threat,threat.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 8.7.0-dev,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 8.7.0-dev,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. 8.7.0-dev,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.7.0-dev,true,threat,threat.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. +8.7.0-dev,true,threat,threat.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.7.0-dev,true,threat,threat.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. +8.7.0-dev,true,threat,threat.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.7.0-dev,true,threat,threat.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.7.0-dev,true,threat,threat.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. 8.7.0-dev,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. 8.7.0-dev,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. 8.7.0-dev,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 0c2c1d3004..954701ab12 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
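Review bot: two copy-paste errors in the new `threat.indicator.file.pe.*` rows: `threat.indicator.file.pe.go_import_hash` is described as 'A hash of the Go language imports in an ELF file' and `threat.indicator.file.pe.import_hash` as 'A hash of the imports in an ELF file', although the field set is `pe`; both should read 'in a PE file'. More importantly, the description of `threat.indicator.file.pe.sections.virtual_size`, 'This is always the same as `physical_size`', is wrong for PE: a PE section header carries separate VirtualSize and SizeOfRawData values, the raw size is padded to the file alignment, and sections such as `.bss` (or sections a packer unpacks into at runtime) have a non-zero virtual size with zero raw data. The gap between the two is precisely what analysts use to spot packed binaries, so keep both fields and drop the 'always the same' sentence.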
@@ -1954,6 +1954,67 @@ dll.pe.file_version: original_fieldset: pe short: Process name. type: keyword +dll.pe.go_import_hash: + dashed_name: dll-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: dll.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in an ELF file. + type: keyword +dll.pe.go_imports: + dashed_name: dll-pe-go-imports + description: List of imported Go language element names and types. + flat_name: dll.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +dll.pe.go_imports_names_entropy: + dashed_name: dll-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: dll.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +dll.pe.go_imports_names_var_entropy: + dashed_name: dll-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: dll.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long +dll.pe.go_stripped: + dashed_name: dll-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: dll.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean dll.pe.imphash: dashed_name: dll-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- 
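Review bot: in `dll.pe.go_import_hash` the `description` correctly says 'in a PE file' but the `short` text says 'A hash of the Go language imports in an ELF file'; the short form should read 'A hash of the Go language imports in a PE file.' The `dll.pe.go_stripped` description, 'Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable', leaves the non-Go case undefined; it should state that the field is omitted (not set to `false`) for binaries that are not Go executables, otherwise a consumer cannot tell 'not Go' from 'Go and not stripped'.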
@@ -1970,6 +2031,58 @@ dll.pe.imphash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword +dll.pe.import_hash: + dashed_name: dll-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: dll.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in an ELF file. + type: keyword +dll.pe.imports: + dashed_name: dll-pe-imports + description: List of imported element names and types. + flat_name: dll.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened +dll.pe.imports_names_entropy: + dashed_name: dll-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: dll.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +dll.pe.imports_names_var_entropy: + dashed_name: dll-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: dll.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long dll.pe.original_file_name: dashed_name: dll-pe-original-file-name description: Internal name of the file, provided at compile-time. 
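Review bot: `dll.pe.import_hash` is introduced as 'a synonym for imphash' beside the existing `dll.pe.imphash`, so the schema now has two fields meant to carry the same value, with different example values (`d41d8cd98f00b204e9800998ecf8427e` here versus `0c6803c4e922103c4dca5963aad36ddf` for the `imphash` row elsewhere in this change). The docs should say whether producers are expected to populate both and which one detection rules should key on, or one of the two should be deprecated. The `short` text 'A hash of the imports in an ELF file' also needs 'PE file' here.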
@@ -2010,6 +2123,75 @@ dll.pe.product: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword +dll.pe.sections: + dashed_name: dll-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: dll.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +dll.pe.sections.entropy: + dashed_name: dll-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: dll.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +dll.pe.sections.name: + dashed_name: dll-pe-sections-name + description: PE Section List name. + flat_name: dll.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword +dll.pe.sections.physical_size: + dashed_name: dll-pe-sections-physical-size + description: PE Section List physical size. + flat_name: dll.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +dll.pe.sections.var_entropy: + dashed_name: dll-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: dll.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +dll.pe.sections.virtual_size: + dashed_name: dll-pe-sections-virtual-size + description: PE Section List virtual size. 
This is always the same as `physical_size`. + flat_name: dll.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long dns.answers: dashed_name: dns-answers description: 'An array containing an object for each answer section returned by 
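Review bot: `dll.pe.sections.virtual_size` is `type: long` with `format: string`, while the sibling `dll.pe.sections.physical_size` in the same hunk is `type: long` with `format: bytes`; a string format on a numeric size field renders oddly and looks like a mistake, so use `format: bytes` for both. The sentence 'This is always the same as `physical_size`' is also wrong for PE, whose section headers carry distinct VirtualSize and SizeOfRawData values, and the same sentence is repeated for `file.pe.sections.virtual_size` further down.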
@@ -3818,6 +4000,67 @@ file.elf.exports: original_fieldset: elf short: List of exported element names and types. type: flattened +file.elf.go_import_hash: + dashed_name: file-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: file.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword +file.elf.go_imports: + dashed_name: file-elf-go-imports + description: List of imported Go language element names and types. + flat_name: file.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened +file.elf.go_imports_names_entropy: + dashed_name: file-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: file.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long +file.elf.go_imports_names_var_entropy: + dashed_name: file-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: file.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +file.elf.go_stripped: + dashed_name: file-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: file.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean file.elf.header.abi_version: dashed_name: file-elf-header-abi-version description: Version of the ELF Application Binary Interface (ABI). @@ -3906,6 +4149,22 @@ file.elf.header.version: original_fieldset: elf short: Version of the ELF header. type: keyword +file.elf.import_hash: + dashed_name: file-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: file.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword file.elf.imports: dashed_name: file-elf-imports description: List of imported element names and types. 
@@ -3917,6 +4176,31 @@ file.elf.imports: original_fieldset: elf short: List of imported element names and types. type: flattened +file.elf.imports_names_entropy: + dashed_name: file-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: file.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and types. + type: long +file.elf.imports_names_var_entropy: + dashed_name: file-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: file.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long file.elf.sections: dashed_name: file-elf-sections description: 'An array containing an object for each section of the ELF file. @@ -4008,6 +4292,17 @@ file.elf.sections.type: original_fieldset: elf short: ELF Section List type. type: keyword +file.elf.sections.var_entropy: + dashed_name: file-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: file.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long file.elf.sections.virtual_address: dashed_name: file-elf-sections-virtual-address description: ELF Section List virtual address. 
@@ -4236,6 +4531,204 @@ file.inode: normalize: [] short: Inode representing the file in the filesystem. type: keyword +file.macho.go_import_hash: + dashed_name: file-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: file.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in an ELF file. + type: keyword +file.macho.go_imports: + dashed_name: file-macho-go-imports + description: List of imported Go language element names and types. + flat_name: file.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +file.macho.go_imports_names_entropy: + dashed_name: file-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: file.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long +file.macho.go_imports_names_var_entropy: + dashed_name: file-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: file.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +file.macho.go_stripped: + dashed_name: file-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: file.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +file.macho.import_hash: + dashed_name: file-macho-import-hash + description: 'A hash of the imports in an Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: file.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in an ELF file. + type: keyword +file.macho.imports: + dashed_name: file-macho-imports + description: List of imported element names and types. + flat_name: file.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened +file.macho.imports_names_entropy: + dashed_name: file-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: file.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. 
+ type: long +file.macho.imports_names_var_entropy: + dashed_name: file-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: file.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +file.macho.sections: + dashed_name: file-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: file.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested +file.macho.sections.entropy: + dashed_name: file-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: file.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long +file.macho.sections.name: + dashed_name: file-macho-sections-name + description: Mach-O Section List name. + flat_name: file.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword +file.macho.sections.physical_size: + dashed_name: file-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: file.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. 
+ type: long +file.macho.sections.var_entropy: + dashed_name: file-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: file.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long +file.macho.sections.virtual_size: + dashed_name: file-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: file.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long +file.macho.symhash: + dashed_name: file-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: file.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword file.mime_type: dashed_name: file-mime-type description: MIME type should identify the format of the file or stream of bytes 
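Review bot: the Mach-O block carries over ELF wording: the `short` texts of `file.macho.go_import_hash` and `file.macho.import_hash` say 'in an ELF file' and should say 'in a Mach-O file'; the `file.macho.import_hash` description reads 'in an Mach-O file' (should be 'a Mach-O file'); and the `file.macho.symhash` description ends without a full stop ('This is a Mach-O implementation of the Windows PE imphash'). `file.macho.import_hash` is also declared 'a synonym for symhash' while `file.macho.symhash` is added in the same hunk with a different example value, so, as with the PE pair, state which field producers fill and which one rules should use.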
@@ -4355,6 +4848,67 @@ file.pe.file_version: original_fieldset: pe short: Process name. type: keyword +file.pe.go_import_hash: + dashed_name: file-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: file.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in an ELF file. + type: keyword +file.pe.go_imports: + dashed_name: file-pe-go-imports + description: List of imported Go language element names and types. + flat_name: file.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +file.pe.go_imports_names_entropy: + dashed_name: file-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: file.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +file.pe.go_imports_names_var_entropy: + dashed_name: file-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: file.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long +file.pe.go_stripped: + dashed_name: file-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: file.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean file.pe.imphash: dashed_name: file-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- 
@@ -4371,6 +4925,58 @@ file.pe.imphash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword +file.pe.import_hash: + dashed_name: file-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: file.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in an ELF file. + type: keyword +file.pe.imports: + dashed_name: file-pe-imports + description: List of imported element names and types. + flat_name: file.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened +file.pe.imports_names_entropy: + dashed_name: file-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: file.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +file.pe.imports_names_var_entropy: + dashed_name: file-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: file.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long file.pe.original_file_name: dashed_name: file-pe-original-file-name description: Internal name of the file, provided at compile-time. 
@@ -4409,8 +5015,77 @@ file.pe.product: name: product normalize: [] original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword + short: Internal product name of the file, provided at compile-time. + type: keyword +file.pe.sections: + dashed_name: file-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: file.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +file.pe.sections.entropy: + dashed_name: file-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: file.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +file.pe.sections.name: + dashed_name: file-pe-sections-name + description: PE Section List name. + flat_name: file.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword +file.pe.sections.physical_size: + dashed_name: file-pe-sections-physical-size + description: PE Section List physical size. + flat_name: file.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +file.pe.sections.var_entropy: + dashed_name: file-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: file.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. 
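Review bot: the hunk at `file.pe.product` removes `short: Internal product name of the file, provided at compile-time.` and `type: keyword` and re-adds the identical two lines; a no-op change like this in a generated file usually means trailing whitespace or a line-ending difference crept in through the generator, so diff with whitespace ignored and regenerate so the change stays limited to the new fields.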
+ type: long +file.pe.sections.virtual_size: + dashed_name: file-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: file.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long file.size: dashed_name: file-size description: 'File size in bytes. 
@@ -7061,6 +7736,67 @@ process.elf.exports: original_fieldset: elf short: List of exported element names and types. type: flattened +process.elf.go_import_hash: + dashed_name: process-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword +process.elf.go_imports: + dashed_name: process-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened +process.elf.go_imports_names_entropy: + dashed_name: process-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long +process.elf.go_imports_names_var_entropy: + dashed_name: process-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.elf.go_stripped: + dashed_name: process-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean process.elf.header.abi_version: dashed_name: process-elf-header-abi-version description: Version of the ELF Application Binary Interface (ABI). @@ -7149,6 +7885,22 @@ process.elf.header.version: original_fieldset: elf short: Version of the ELF header. type: keyword +process.elf.import_hash: + dashed_name: process-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword process.elf.imports: dashed_name: process-elf-imports description: List of imported element names and types. 
@@ -7160,6 +7912,31 @@ process.elf.imports: original_fieldset: elf short: List of imported element names and types. type: flattened +process.elf.imports_names_entropy: + dashed_name: process-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.elf.imports_names_var_entropy: + dashed_name: process-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long process.elf.sections: dashed_name: process-elf-sections description: 'An array containing an object for each section of the ELF file. @@ -7251,6 +8028,17 @@ process.elf.sections.type: original_fieldset: elf short: ELF Section List type. type: keyword +process.elf.sections.var_entropy: + dashed_name: process-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long process.elf.sections.virtual_address: dashed_name: process-elf-sections-virtual-address description: ELF Section List virtual address. 
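Review bot: the entropy fields added in the `process.elf.*` hunks (`go_imports_names_entropy`, `go_imports_names_var_entropy`, `imports_names_entropy`, `imports_names_var_entropy`, `sections.var_entropy`) are mapped as `type: long`, but a Shannon entropy over byte values is a real number between 0 and 8 bits and its variance is fractional as well, so a `long` mapping truncates exactly the precision a detection rule would threshold on (7.9 and 7.1 both index as 7). Consider `float` for these, which is also what the existing `format: number` implies. Two smaller points in the same region: `go_stripped` is defined only for Go executables ("true if ... stripped or obfuscated and false if an unobfuscated Go executable"), so say explicitly that the field is left unset for non-Go binaries, otherwise consumers will read a missing value as `false`. And `go_imports` is `type: flattened` with `normalize: []` although its description calls it a list; compare the `normalize: - array` used on the `macho.imports` and `pe.imports` fields added later in the patch and pick one convention. All of this recurs verbatim in the `process.parent.elf.*` hunks.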
@@ -8569,6 +9357,204 @@ process.io.type: normalize: [] short: The type of object on which the IO action (read or write) was taken. type: keyword +process.macho.go_import_hash: + dashed_name: process-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in an ELF file. + type: keyword +process.macho.go_imports: + dashed_name: process-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +process.macho.go_imports_names_entropy: + dashed_name: process-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long +process.macho.go_imports_names_var_entropy: + dashed_name: process-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.macho.go_stripped: + dashed_name: process-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.macho.import_hash: + dashed_name: process-macho-import-hash + description: 'A hash of the imports in an Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in an ELF file. + type: keyword +process.macho.imports: + dashed_name: process-macho-imports + description: List of imported element names and types. + flat_name: process.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened +process.macho.imports_names_entropy: + dashed_name: process-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.macho.imports_names_var_entropy: + dashed_name: process-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.macho.sections: + dashed_name: process-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: process.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested +process.macho.sections.entropy: + dashed_name: process-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long +process.macho.sections.name: + dashed_name: process-macho-sections-name + description: Mach-O Section List name. + flat_name: process.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword +process.macho.sections.physical_size: + dashed_name: process-macho-sections-physical-size + description: Mach-O Section List physical size. 
+ flat_name: process.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long +process.macho.sections.var_entropy: + dashed_name: process-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long +process.macho.sections.virtual_size: + dashed_name: process-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long +process.macho.symhash: + dashed_name: process-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword process.name: dashed_name: process-name description: 'Process name. 
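Review bot: several `short` strings in the `process.macho.*` block were copied from the ELF definitions without being updated: `process.macho.go_import_hash` and `process.macho.import_hash` both read "... imports in an ELF file." and should say Mach-O. In the same block the `process.macho.import_hash` description has "in an Mach-O file" (should be "a Mach-O file"), and the `process.macho.symhash` description ends "the Windows PE imphash" without the closing period that the ELF text has. The examples also disagree: `import_hash` is documented as "a synonym for symhash" yet carries `d41d8cd98f00b204e9800998ecf8427e` (the MD5 of empty input, i.e. a placeholder) while `symhash` carries `d3ccf195b62a9279c3c19af1080497ec`; a synonym should show the same realistic value. The identical strings recur in the `process.parent.macho.*` block, so fix them once in the source schema and regenerate.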
@@ -8817,6 +9803,67 @@ process.parent.elf.exports: original_fieldset: elf short: List of exported element names and types. type: flattened +process.parent.elf.go_import_hash: + dashed_name: process-parent-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword +process.parent.elf.go_imports: + dashed_name: process-parent-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened +process.parent.elf.go_imports_names_entropy: + dashed_name: process-parent-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long +process.parent.elf.go_imports_names_var_entropy: + dashed_name: process-parent-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.parent.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.parent.elf.go_stripped: + dashed_name: process-parent-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean process.parent.elf.header.abi_version: dashed_name: process-parent-elf-header-abi-version description: Version of the ELF Application Binary Interface (ABI). @@ -8905,6 +9952,22 @@ process.parent.elf.header.version: original_fieldset: elf short: Version of the ELF header. type: keyword +process.parent.elf.import_hash: + dashed_name: process-parent-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword process.parent.elf.imports: dashed_name: process-parent-elf-imports description: List of imported element names and types. 
@@ -8916,6 +9979,31 @@ process.parent.elf.imports: original_fieldset: elf short: List of imported element names and types. type: flattened +process.parent.elf.imports_names_entropy: + dashed_name: process-parent-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.parent.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.parent.elf.imports_names_var_entropy: + dashed_name: process-parent-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long process.parent.elf.sections: dashed_name: process-parent-elf-sections description: 'An array containing an object for each section of the ELF file. @@ -9007,6 +10095,17 @@ process.parent.elf.sections.type: original_fieldset: elf short: ELF Section List type. type: keyword +process.parent.elf.sections.var_entropy: + dashed_name: process-parent-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long process.parent.elf.sections.virtual_address: dashed_name: process-parent-elf-sections-virtual-address description: ELF Section List virtual address. 
@@ -9275,43 +10374,241 @@ process.parent.hash.ssdeep: flat_name: process.parent.hash.ssdeep ignore_above: 1024 level: extended - name: ssdeep + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword +process.parent.hash.tlsh: + dashed_name: process-parent-hash-tlsh + description: TLSH hash. + flat_name: process.parent.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword +process.parent.interactive: + dashed_name: process-parent-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.parent.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.parent.macho.go_import_hash: + dashed_name: process-parent-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' 
+ example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in an ELF file. + type: keyword +process.parent.macho.go_imports: + dashed_name: process-parent-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +process.parent.macho.go_imports_names_entropy: + dashed_name: process-parent-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long +process.parent.macho.go_imports_names_var_entropy: + dashed_name: process-parent-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.parent.macho.go_stripped: + dashed_name: process-parent-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. 
+ type: boolean +process.parent.macho.import_hash: + dashed_name: process-parent-macho-import-hash + description: 'A hash of the imports in an Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in an ELF file. + type: keyword +process.parent.macho.imports: + dashed_name: process-parent-macho-imports + description: List of imported element names and types. + flat_name: process.parent.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened +process.parent.macho.imports_names_entropy: + dashed_name: process-parent-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.parent.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.parent.macho.imports_names_var_entropy: + dashed_name: process-parent-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. 
+ type: long +process.parent.macho.sections: + dashed_name: process-parent-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: process.parent.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested +process.parent.macho.sections.entropy: + dashed_name: process-parent-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.macho.sections.entropy + format: number + level: extended + name: sections.entropy normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword -process.parent.hash.tlsh: - dashed_name: process-parent-hash-tlsh - description: TLSH hash. - flat_name: process.parent.hash.tlsh + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long +process.parent.macho.sections.name: + dashed_name: process-parent-macho-sections-name + description: Mach-O Section List name. + flat_name: process.parent.macho.sections.name ignore_above: 1024 level: extended - name: tlsh + name: sections.name normalize: [] - original_fieldset: hash - short: TLSH hash. + original_fieldset: macho + short: Mach-O Section List name. type: keyword -process.parent.interactive: - dashed_name: process-parent-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. +process.parent.macho.sections.physical_size: + dashed_name: process-parent-macho-sections-physical-size + description: Mach-O Section List physical size. 
+ flat_name: process.parent.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long +process.parent.macho.sections.var_entropy: + dashed_name: process-parent-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long +process.parent.macho.sections.virtual_size: + dashed_name: process-parent-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.parent.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long +process.parent.macho.symhash: + dashed_name: process-parent-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' 
- example: true - flat_name: process.parent.interactive + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.parent.macho.symhash + ignore_above: 1024 level: extended - name: interactive + name: symhash normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword process.parent.name: dashed_name: process-parent-name description: 'Process name. 
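Review bot: this hunk presents `process.parent.hash.tlsh` and `process.parent.interactive` as removed and re-added (`- name: ssdeep` / `+ name: ssdeep`, then the `interactive` description paragraphs split between `-` and `+` lines) although their content is unchanged; the actual change is the insertion of the `process.parent.macho.*` block between `hash.tlsh` and `name`. As written the hunk is hard to review and easy to misread as a semantic change to `interactive`. Regenerating the patch with `git diff --diff-algorithm=histogram` (or `patience`) usually yields a pure insertion here; failing that, please confirm the re-added `interactive` block is byte-identical to the removed one, including the multi-line "Note:" paragraph.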
@@ -9378,6 +10675,67 @@ process.parent.pe.file_version: original_fieldset: pe short: Process name. type: keyword +process.parent.pe.go_import_hash: + dashed_name: process-parent-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in an ELF file. + type: keyword +process.parent.pe.go_imports: + dashed_name: process-parent-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +process.parent.pe.go_imports_names_entropy: + dashed_name: process-parent-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +process.parent.pe.go_imports_names_var_entropy: + dashed_name: process-parent-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.parent.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.parent.pe.go_stripped: + dashed_name: process-parent-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean process.parent.pe.imphash: dashed_name: process-parent-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- 
@@ -9394,6 +10752,58 @@ process.parent.pe.imphash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword +process.parent.pe.import_hash: + dashed_name: process-parent-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in an ELF file. + type: keyword +process.parent.pe.imports: + dashed_name: process-parent-pe-imports + description: List of imported element names and types. + flat_name: process.parent.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened +process.parent.pe.imports_names_entropy: + dashed_name: process-parent-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.parent.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.parent.pe.imports_names_var_entropy: + dashed_name: process-parent-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. 
+ type: long process.parent.pe.original_file_name: dashed_name: process-parent-pe-original-file-name description: Internal name of the file, provided at compile-time. 
@@ -9434,6 +10844,75 @@ process.parent.pe.product: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword +process.parent.pe.sections: + dashed_name: process-parent-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: process.parent.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +process.parent.pe.sections.entropy: + dashed_name: process-parent-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +process.parent.pe.sections.name: + dashed_name: process-parent-pe-sections-name + description: PE Section List name. + flat_name: process.parent.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword +process.parent.pe.sections.physical_size: + dashed_name: process-parent-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.parent.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +process.parent.pe.sections.var_entropy: + dashed_name: process-parent-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. 
+ flat_name: process.parent.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +process.parent.pe.sections.virtual_size: + dashed_name: process-parent-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.parent.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long process.parent.pgid: dashed_name: process-parent-pgid description: 'Deprecated for removal in next major version release. This field is 
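Review bot: `process.parent.pe.sections.virtual_size` is declared `type: long` but `format: string`, while its sibling `physical_size` uses `format: bytes`; a string display format on a numeric size is almost certainly a copy error and `bytes` is the format a byte count should carry. The description's claim that the virtual size "is always the same as `physical_size`" also deserves a second look: a PE section header stores the virtual size and the raw on-disk size as separate values, and they routinely differ (raw size is padded to the file alignment, uninitialized data has virtual size but no raw bytes). If the collector happens to emit equal values, document that as a collector limitation rather than as a property of the format.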
@@ -9777,6 +11256,67 @@ process.pe.file_version: original_fieldset: pe short: Process name. type: keyword +process.pe.go_import_hash: + dashed_name: process-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in an ELF file. + type: keyword +process.pe.go_imports: + dashed_name: process-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +process.pe.go_imports_names_entropy: + dashed_name: process-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +process.pe.go_imports_names_var_entropy: + dashed_name: process-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.pe.go_stripped: + dashed_name: process-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean process.pe.imphash: dashed_name: process-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- 
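Review bot: three points on the Go fields added in this hunk. `process.pe.go_import_hash` has `short: A hash of the Go language imports in an ELF file.` under a `pe` fieldset whose `description` says "in a PE file"; the short line should say PE. `process.pe.go_imports` is described as a "List of imported Go language element names and types" yet carries `normalize: []`, whereas `pe.imports` elsewhere in this patch carries `normalize: [array]` for the same kind of content; either the normalization is wrong or the description should explain why this field is a single flattened object. `process.pe.go_stripped` defines only the true and false cases for Go executables; add a sentence saying the field is left unset for non-Go files, otherwise a consumer cannot distinguish "unstripped Go binary" from "not a Go binary at all".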
@@ -9793,6 +11333,58 @@ process.pe.imphash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword +process.pe.import_hash: + dashed_name: process-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in an ELF file. + type: keyword +process.pe.imports: + dashed_name: process-pe-imports + description: List of imported element names and types. + flat_name: process.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened +process.pe.imports_names_entropy: + dashed_name: process-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.pe.imports_names_var_entropy: + dashed_name: process-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. 
+ type: long process.pe.original_file_name: dashed_name: process-pe-original-file-name description: Internal name of the file, provided at compile-time. 
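Review bot: `process.pe.import_hash` has `short: A hash of the imports in an ELF file.` while its `description` and the `pe` fieldset say PE; the short text should match. The `example` value `d41d8cd98f00b204e9800998ecf8427e` is also the MD5 of an empty input, i.e. the hash a binary with no imports would produce; a realistic-looking value, as `go_import_hash` uses, would make a clearer example in the docs.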
@@ -9833,6 +11425,75 @@ process.pe.product: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword +process.pe.sections: + dashed_name: process-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: process.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +process.pe.sections.entropy: + dashed_name: process-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +process.pe.sections.name: + dashed_name: process-pe-sections-name + description: PE Section List name. + flat_name: process.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword +process.pe.sections.physical_size: + dashed_name: process-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +process.pe.sections.var_entropy: + dashed_name: process-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. 
+ type: long +process.pe.sections.virtual_size: + dashed_name: process-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long process.pgid: dashed_name: process-pgid description: 'Deprecated for removal in next major version release. This field is 
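Review bot: `process.pe.sections.virtual_size` repeats the `format: string` on a `type: long` field; `physical_size` directly above it uses `format: bytes`, which is the right format for a size. The "This is always the same as `physical_size`" wording should be checked against actual PE section headers, where virtual and raw sizes are distinct fields that usually differ, before it ships in the description of both fields.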
@@ -12822,22 +14483,83 @@ threat.enrichments.indicator.file.elf.creation_date: was built or compiled. It can also be faked by malware creators. flat_name: threat.enrichments.indicator.file.elf.creation_date level: extended - name: creation_date + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +threat.enrichments.indicator.file.elf.exports: + dashed_name: threat-enrichments-indicator-file-elf-exports + description: List of exported element names and types. + flat_name: threat.enrichments.indicator.file.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +threat.enrichments.indicator.file.elf.go_import_hash: + dashed_name: threat-enrichments-indicator-file-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: threat.enrichments.indicator.file.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword +threat.enrichments.indicator.file.elf.go_imports: + dashed_name: threat-enrichments-indicator-file-elf-go-imports + description: List of imported Go language element names and types. + flat_name: threat.enrichments.indicator.file.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. 
+ type: flattened +threat.enrichments.indicator.file.elf.go_imports_names_entropy: + dashed_name: threat-enrichments-indicator-file-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: threat.enrichments.indicator.file.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long +threat.enrichments.indicator.file.elf.go_imports_names_var_entropy: + dashed_name: threat-enrichments-indicator-file-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: threat.enrichments.indicator.file.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy normalize: [] original_fieldset: elf - short: Build or compile date. - type: date -threat.enrichments.indicator.file.elf.exports: - dashed_name: threat-enrichments-indicator-file-elf-exports - description: List of exported element names and types. - flat_name: threat.enrichments.indicator.file.elf.exports + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +threat.enrichments.indicator.file.elf.go_stripped: + dashed_name: threat-enrichments-indicator-file-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: threat.enrichments.indicator.file.elf.go_stripped level: extended - name: exports - normalize: - - array + name: go_stripped + normalize: [] original_fieldset: elf - short: List of exported element names and types. - type: flattened + short: Whether the file is a stripped or obfuscated Go executable. 
+ type: boolean threat.enrichments.indicator.file.elf.header.abi_version: dashed_name: threat-enrichments-indicator-file-elf-header-abi-version description: Version of the ELF Application Binary Interface (ABI). @@ -12926,6 +14648,22 @@ threat.enrichments.indicator.file.elf.header.version: original_fieldset: elf short: Version of the ELF header. type: keyword +threat.enrichments.indicator.file.elf.import_hash: + dashed_name: threat-enrichments-indicator-file-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: threat.enrichments.indicator.file.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword threat.enrichments.indicator.file.elf.imports: dashed_name: threat-enrichments-indicator-file-elf-imports description: List of imported element names and types. 
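Review bot: the `threat.enrichments.indicator.file.elf.creation_date` hunk removes and re-adds lines that appear identical (`- name: creation_date` followed by `+ name: creation_date`, and the whole `exports` block deleted after the new Go fields and re-inserted before them), so the diff reads as though `creation_date` and `exports` were rewritten when only `go_*` fields were inserted after `exports`. Either the default diff algorithm aligned on the repeated `normalize: []` / `original_fieldset: elf` lines, in which case regenerating the patch with `--diff-algorithm=patience` (or `histogram`) should yield a pure-insertion hunk, or the generated file picked up trailing-whitespace or line-ending changes, in which case regenerate it from a clean checkout. Either way the hunk should show only the fields actually added so reviewers and future `git blame` are not misled.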
@@ -12937,6 +14675,31 @@ threat.enrichments.indicator.file.elf.imports: original_fieldset: elf short: List of imported element names and types. type: flattened +threat.enrichments.indicator.file.elf.imports_names_entropy: + dashed_name: threat-enrichments-indicator-file-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: threat.enrichments.indicator.file.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and types. + type: long +threat.enrichments.indicator.file.elf.imports_names_var_entropy: + dashed_name: threat-enrichments-indicator-file-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: threat.enrichments.indicator.file.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long threat.enrichments.indicator.file.elf.sections: dashed_name: threat-enrichments-indicator-file-elf-sections description: 'An array containing an object for each section of the ELF file. 
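Review bot: `threat.enrichments.indicator.file.elf.imports_names_var_entropy` is described only as "Variance for Shannon entropy calculation from the list of imported element names and types" without defining over what the variance is taken (per-name entropies, windows over the concatenated names, something else) or the unit of the result, so two producers could emit incomparable values under the same field name. Add a one-sentence definition, ideally pointing at the same reference implementation that `go_import_hash` links, and note that both it and `imports_names_entropy` are `type: long`, which cannot hold the fractional values an entropy computation yields.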
@@ -13028,6 +14791,17 @@ threat.enrichments.indicator.file.elf.sections.type: original_fieldset: elf short: ELF Section List type. type: keyword +threat.enrichments.indicator.file.elf.sections.var_entropy: + dashed_name: threat-enrichments-indicator-file-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: threat.enrichments.indicator.file.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long threat.enrichments.indicator.file.elf.sections.virtual_address: dashed_name: threat-enrichments-indicator-file-elf-sections-virtual-address description: ELF Section List virtual address. 
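Review bot: `threat.enrichments.indicator.file.elf.sections.var_entropy` is a variance, a non-negative fractional quantity, yet is mapped as `type: long`; values below 1 truncate to 0, which makes the field useless for ranking sections by entropy spread. A `double` (or `float`) mapping matches the `format: number` display hint already on the field.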
@@ -13386,6 +15160,67 @@ threat.enrichments.indicator.file.pe.file_version: original_fieldset: pe short: Process name. type: keyword +threat.enrichments.indicator.file.pe.go_import_hash: + dashed_name: threat-enrichments-indicator-file-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: threat.enrichments.indicator.file.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in an ELF file. + type: keyword +threat.enrichments.indicator.file.pe.go_imports: + dashed_name: threat-enrichments-indicator-file-pe-go-imports + description: List of imported Go language element names and types. + flat_name: threat.enrichments.indicator.file.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +threat.enrichments.indicator.file.pe.go_imports_names_entropy: + dashed_name: threat-enrichments-indicator-file-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: threat.enrichments.indicator.file.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. 
+ type: long +threat.enrichments.indicator.file.pe.go_imports_names_var_entropy: + dashed_name: threat-enrichments-indicator-file-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: threat.enrichments.indicator.file.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +threat.enrichments.indicator.file.pe.go_stripped: + dashed_name: threat-enrichments-indicator-file-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: threat.enrichments.indicator.file.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean threat.enrichments.indicator.file.pe.imphash: dashed_name: threat-enrichments-indicator-file-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- 
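Review bot: `threat.enrichments.indicator.file.pe.go_import_hash` carries `short: A hash of the Go language imports in an ELF file.` in a PE fieldset; change it to "in a PE file" so the generated docs do not contradict the description two lines above. `go_imports` in this hunk is again `normalize: []` for a field described as a list; align it with `pe.imports` (`normalize: [array]`) or document why Go imports are stored as one object.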
@@ -13402,6 +15237,58 @@ threat.enrichments.indicator.file.pe.imphash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword +threat.enrichments.indicator.file.pe.import_hash: + dashed_name: threat-enrichments-indicator-file-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: threat.enrichments.indicator.file.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in an ELF file. + type: keyword +threat.enrichments.indicator.file.pe.imports: + dashed_name: threat-enrichments-indicator-file-pe-imports + description: List of imported element names and types. + flat_name: threat.enrichments.indicator.file.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened +threat.enrichments.indicator.file.pe.imports_names_entropy: + dashed_name: threat-enrichments-indicator-file-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: threat.enrichments.indicator.file.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +threat.enrichments.indicator.file.pe.imports_names_var_entropy: + dashed_name: threat-enrichments-indicator-file-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: threat.enrichments.indicator.file.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long threat.enrichments.indicator.file.pe.original_file_name: dashed_name: threat-enrichments-indicator-file-pe-original-file-name description: Internal name of the file, provided at compile-time. 
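Review bot: `threat.enrichments.indicator.file.pe.import_hash` has `short` saying "in an ELF file" under `pe`; the description says PE and calls the field a synonym for imphash, so the short line should say PE as well. Because the description declares it a synonym for the existing `imphash` field right above it, the patch should also state which of the two is canonical for PE files, otherwise producers will populate one and detection queries will read the other.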
@@ -13442,6 +15329,75 @@ threat.enrichments.indicator.file.pe.product: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword +threat.enrichments.indicator.file.pe.sections: + dashed_name: threat-enrichments-indicator-file-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: threat.enrichments.indicator.file.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +threat.enrichments.indicator.file.pe.sections.entropy: + dashed_name: threat-enrichments-indicator-file-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: threat.enrichments.indicator.file.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +threat.enrichments.indicator.file.pe.sections.name: + dashed_name: threat-enrichments-indicator-file-pe-sections-name + description: PE Section List name. + flat_name: threat.enrichments.indicator.file.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword +threat.enrichments.indicator.file.pe.sections.physical_size: + dashed_name: threat-enrichments-indicator-file-pe-sections-physical-size + description: PE Section List physical size. + flat_name: threat.enrichments.indicator.file.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. 
+ type: long +threat.enrichments.indicator.file.pe.sections.var_entropy: + dashed_name: threat-enrichments-indicator-file-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: threat.enrichments.indicator.file.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +threat.enrichments.indicator.file.pe.sections.virtual_size: + dashed_name: threat-enrichments-indicator-file-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: threat.enrichments.indicator.file.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long threat.enrichments.indicator.file.size: dashed_name: threat-enrichments-indicator-file-size description: 'File size in bytes. 
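Review bot: `threat.enrichments.indicator.file.pe.sections.virtual_size` again pairs `format: string` with `type: long`; use `bytes` as `physical_size` does, and verify the "always the same as `physical_size`" statement, which does not hold for PE section headers in general.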
@@ -15221,6 +17177,67 @@ threat.indicator.file.elf.exports: original_fieldset: elf short: List of exported element names and types. type: flattened +threat.indicator.file.elf.go_import_hash: + dashed_name: threat-indicator-file-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: threat.indicator.file.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword +threat.indicator.file.elf.go_imports: + dashed_name: threat-indicator-file-elf-go-imports + description: List of imported Go language element names and types. + flat_name: threat.indicator.file.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened +threat.indicator.file.elf.go_imports_names_entropy: + dashed_name: threat-indicator-file-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: threat.indicator.file.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long +threat.indicator.file.elf.go_imports_names_var_entropy: + dashed_name: threat-indicator-file-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: threat.indicator.file.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +threat.indicator.file.elf.go_stripped: + dashed_name: threat-indicator-file-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: threat.indicator.file.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean threat.indicator.file.elf.header.abi_version: dashed_name: threat-indicator-file-elf-header-abi-version description: Version of the ELF Application Binary Interface (ABI). @@ -15309,6 +17326,22 @@ threat.indicator.file.elf.header.version: original_fieldset: elf short: Version of the ELF header. type: keyword +threat.indicator.file.elf.import_hash: + dashed_name: threat-indicator-file-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: threat.indicator.file.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword threat.indicator.file.elf.imports: dashed_name: threat-indicator-file-elf-imports description: List of imported element names and types. 
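Review bot: `threat.indicator.file.elf.go_stripped` is a boolean whose description covers stripped and unstripped Go executables but says nothing about non-Go files; specify that the field is left unset for non-Go binaries so that `false` unambiguously means "Go binary with symbols present". `threat.indicator.file.elf.go_imports` is described as a list but declared `normalize: []`, while list-valued fields elsewhere in this patch such as `pe.imports` use `normalize: [array]`; either change the normalization or explain the difference in the description.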
@@ -15320,6 +17353,31 @@ threat.indicator.file.elf.imports: original_fieldset: elf short: List of imported element names and types. type: flattened +threat.indicator.file.elf.imports_names_entropy: + dashed_name: threat-indicator-file-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: threat.indicator.file.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and types. + type: long +threat.indicator.file.elf.imports_names_var_entropy: + dashed_name: threat-indicator-file-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: threat.indicator.file.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long threat.indicator.file.elf.sections: dashed_name: threat-indicator-file-elf-sections description: 'An array containing an object for each section of the ELF file. 
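Review bot: `threat.indicator.file.elf.imports_names_entropy` and `imports_names_var_entropy` carry `format: number`, which signals that fractional output is expected, but are mapped as `type: long`, which cannot store it; pick `double` or `float` for both, and give the variance field a definition of what it is the variance over, since "Variance for Shannon entropy calculation" does not say.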
@@ -15411,6 +17469,17 @@ threat.indicator.file.elf.sections.type: original_fieldset: elf short: ELF Section List type. type: keyword +threat.indicator.file.elf.sections.var_entropy: + dashed_name: threat-indicator-file-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: threat.indicator.file.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long threat.indicator.file.elf.sections.virtual_address: dashed_name: threat-indicator-file-elf-sections-virtual-address description: ELF Section List virtual address. 
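Review bot: `threat.indicator.file.elf.sections.var_entropy` has the same `type: long` on a fractional variance value as the other entropy fields in this patch; a `double` mapping keeps values below 1 from collapsing to 0.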
@@ -15769,6 +17838,67 @@ threat.indicator.file.pe.file_version: original_fieldset: pe short: Process name. type: keyword +threat.indicator.file.pe.go_import_hash: + dashed_name: threat-indicator-file-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: threat.indicator.file.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in an ELF file. + type: keyword +threat.indicator.file.pe.go_imports: + dashed_name: threat-indicator-file-pe-go-imports + description: List of imported Go language element names and types. + flat_name: threat.indicator.file.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +threat.indicator.file.pe.go_imports_names_entropy: + dashed_name: threat-indicator-file-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: threat.indicator.file.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +threat.indicator.file.pe.go_imports_names_var_entropy: + dashed_name: threat-indicator-file-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: threat.indicator.file.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +threat.indicator.file.pe.go_stripped: + dashed_name: threat-indicator-file-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: threat.indicator.file.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean threat.indicator.file.pe.imphash: dashed_name: threat-indicator-file-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- 
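Review bot: `threat.indicator.file.pe.go_import_hash` has `short: A hash of the Go language imports in an ELF file.` under the `pe` fieldset; the description says "in a PE file", so the short text should too. Also confirm `go_imports` should really be `normalize: []` here when the description calls it a list.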
@@ -15785,6 +17915,58 @@ threat.indicator.file.pe.imphash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword +threat.indicator.file.pe.import_hash: + dashed_name: threat-indicator-file-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: threat.indicator.file.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in an ELF file. + type: keyword +threat.indicator.file.pe.imports: + dashed_name: threat-indicator-file-pe-imports + description: List of imported element names and types. + flat_name: threat.indicator.file.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened +threat.indicator.file.pe.imports_names_entropy: + dashed_name: threat-indicator-file-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: threat.indicator.file.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +threat.indicator.file.pe.imports_names_var_entropy: + dashed_name: threat-indicator-file-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: threat.indicator.file.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long threat.indicator.file.pe.original_file_name: dashed_name: threat-indicator-file-pe-original-file-name description: Internal name of the file, provided at compile-time. 
@@ -15825,6 +18007,75 @@ threat.indicator.file.pe.product: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword +threat.indicator.file.pe.sections: + dashed_name: threat-indicator-file-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: threat.indicator.file.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +threat.indicator.file.pe.sections.entropy: + dashed_name: threat-indicator-file-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: threat.indicator.file.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +threat.indicator.file.pe.sections.name: + dashed_name: threat-indicator-file-pe-sections-name + description: PE Section List name. + flat_name: threat.indicator.file.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword +threat.indicator.file.pe.sections.physical_size: + dashed_name: threat-indicator-file-pe-sections-physical-size + description: PE Section List physical size. + flat_name: threat.indicator.file.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +threat.indicator.file.pe.sections.var_entropy: + dashed_name: threat-indicator-file-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. 
+ flat_name: threat.indicator.file.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +threat.indicator.file.pe.sections.virtual_size: + dashed_name: threat-indicator-file-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: threat.indicator.file.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long threat.indicator.file.size: dashed_name: threat-indicator-file-size description: 'File size in bytes. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 508124f0a7..ea6af99d24 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -2416,6 +2416,67 @@ dll: original_fieldset: pe short: Process name. type: keyword + dll.pe.go_import_hash: + dashed_name: dll-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: dll.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in an ELF file. + type: keyword + dll.pe.go_imports: + dashed_name: dll-pe-go-imports + description: List of imported Go language element names and types. + flat_name: dll.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + dll.pe.go_imports_names_entropy: + dashed_name: dll-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: dll.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long + dll.pe.go_imports_names_var_entropy: + dashed_name: dll-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: dll.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long + dll.pe.go_stripped: + dashed_name: dll-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: dll.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean dll.pe.imphash: dashed_name: dll-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash 
@@ -2432,6 +2493,59 @@ dll: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword + dll.pe.import_hash: + dashed_name: dll-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: dll.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in an ELF file. + type: keyword + dll.pe.imports: + dashed_name: dll-pe-imports + description: List of imported element names and types. + flat_name: dll.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened + dll.pe.imports_names_entropy: + dashed_name: dll-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: dll.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + dll.pe.imports_names_var_entropy: + dashed_name: dll-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: dll.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long dll.pe.original_file_name: dashed_name: dll-pe-original-file-name description: Internal name of the file, provided at compile-time. 
@@ -2472,6 +2586,75 @@ dll: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword + dll.pe.sections: + dashed_name: dll-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: dll.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested + dll.pe.sections.entropy: + dashed_name: dll-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: dll.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long + dll.pe.sections.name: + dashed_name: dll-pe-sections-name + description: PE Section List name. + flat_name: dll.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword + dll.pe.sections.physical_size: + dashed_name: dll-pe-sections-physical-size + description: PE Section List physical size. + flat_name: dll.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + dll.pe.sections.var_entropy: + dashed_name: dll-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: dll.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + dll.pe.sections.virtual_size: + dashed_name: dll-pe-sections-virtual-size + description: PE Section List virtual size. 
This is always the same as `physical_size`. + flat_name: dll.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long group: 2 name: dll nestings: 
@@ -2848,6 +3031,62 @@ elf: - array short: List of exported element names and types. type: flattened + elf.go_import_hash: + dashed_name: elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + short: A hash of the Go language imports in an ELF file. + type: keyword + elf.go_imports: + dashed_name: elf-go-imports + description: List of imported Go language element names and types. + flat_name: elf.go_imports + level: extended + name: go_imports + normalize: [] + short: List of imported Go language element names and types. + type: flattened + elf.go_imports_names_entropy: + dashed_name: elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + short: Shannon entropy calculation from the list of Go imports. + type: long + elf.go_imports_names_var_entropy: + dashed_name: elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long + elf.go_stripped: + dashed_name: elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: elf.go_stripped + level: extended + name: go_stripped + normalize: [] + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean elf.header.abi_version: dashed_name: elf-header-abi-version description: Version of the ELF Application Binary Interface (ABI). @@ -2928,6 +3167,21 @@ elf: normalize: [] short: Version of the ELF header. type: keyword + elf.import_hash: + dashed_name: elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + short: A hash of the imports in an ELF file. + type: keyword elf.imports: dashed_name: elf-imports description: List of imported element names and types. 
@@ -2938,6 +3192,30 @@ elf: - array short: List of imported element names and types. type: flattened + elf.imports_names_entropy: + dashed_name: elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + elf.imports_names_var_entropy: + dashed_name: elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long elf.sections: dashed_name: elf-sections description: 'An array containing an object for each section of the ELF file. @@ -3021,6 +3299,16 @@ elf: normalize: [] short: ELF Section List type. type: keyword + elf.sections.var_entropy: + dashed_name: elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + short: Variance for Shannon entropy calculation from the section. + type: long elf.sections.virtual_address: dashed_name: elf-sections-virtual-address description: ELF Section List virtual address. 
@@ -4735,6 +5023,67 @@ file: original_fieldset: elf short: List of exported element names and types. type: flattened + file.elf.go_import_hash: + dashed_name: file-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: file.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword + file.elf.go_imports: + dashed_name: file-elf-go-imports + description: List of imported Go language element names and types. + flat_name: file.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened + file.elf.go_imports_names_entropy: + dashed_name: file-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: file.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long + file.elf.go_imports_names_var_entropy: + dashed_name: file-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: file.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + file.elf.go_stripped: + dashed_name: file-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: file.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean file.elf.header.abi_version: dashed_name: file-elf-header-abi-version description: Version of the ELF Application Binary Interface (ABI). @@ -4823,6 +5172,22 @@ file: original_fieldset: elf short: Version of the ELF header. type: keyword + file.elf.import_hash: + dashed_name: file-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: file.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword file.elf.imports: dashed_name: file-elf-imports description: List of imported element names and types. 
@@ -4834,6 +5199,32 @@ file: original_fieldset: elf short: List of imported element names and types. type: flattened + file.elf.imports_names_entropy: + dashed_name: file-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: file.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + file.elf.imports_names_var_entropy: + dashed_name: file-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: file.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long file.elf.sections: dashed_name: file-elf-sections description: 'An array containing an object for each section of the ELF file. @@ -4925,6 +5316,17 @@ file: original_fieldset: elf short: ELF Section List type. type: keyword + file.elf.sections.var_entropy: + dashed_name: file-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: file.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long file.elf.sections.virtual_address: dashed_name: file-elf-sections-virtual-address description: ELF Section List virtual address. 
@@ -5153,6 +5555,205 @@ file: normalize: [] short: Inode representing the file in the filesystem. type: keyword + file.macho.go_import_hash: + dashed_name: file-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: file.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in an ELF file. + type: keyword + file.macho.go_imports: + dashed_name: file-macho-go-imports + description: List of imported Go language element names and types. + flat_name: file.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened + file.macho.go_imports_names_entropy: + dashed_name: file-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: file.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long + file.macho.go_imports_names_var_entropy: + dashed_name: file-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: file.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + file.macho.go_stripped: + dashed_name: file-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: file.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + file.macho.import_hash: + dashed_name: file-macho-import-hash + description: 'A hash of the imports in an Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: file.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in an ELF file. + type: keyword + file.macho.imports: + dashed_name: file-macho-imports + description: List of imported element names and types. + flat_name: file.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened + file.macho.imports_names_entropy: + dashed_name: file-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: file.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. 
+ type: long + file.macho.imports_names_var_entropy: + dashed_name: file-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: file.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + file.macho.sections: + dashed_name: file-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: file.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested + file.macho.sections.entropy: + dashed_name: file-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: file.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long + file.macho.sections.name: + dashed_name: file-macho-sections-name + description: Mach-O Section List name. + flat_name: file.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword + file.macho.sections.physical_size: + dashed_name: file-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: file.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. 
+ type: long + file.macho.sections.var_entropy: + dashed_name: file-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: file.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long + file.macho.sections.virtual_size: + dashed_name: file-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: file.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long + file.macho.symhash: + dashed_name: file-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: file.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword file.mime_type: dashed_name: file-mime-type description: MIME type should identify the format of the file or stream of bytes 
@@ -5272,22 +5873,136 @@ file: original_fieldset: pe short: Process name. type: keyword - file.pe.imphash: - dashed_name: file-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. + file.pe.go_import_hash: + dashed_name: file-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: file.pe.imphash + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: file.pe.go_import_hash ignore_above: 1024 level: extended - name: imphash + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in an ELF file. + type: keyword + file.pe.go_imports: + dashed_name: file-pe-go-imports + description: List of imported Go language element names and types. + flat_name: file.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + file.pe.go_imports_names_entropy: + dashed_name: file-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. 
+ flat_name: file.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long + file.pe.go_imports_names_var_entropy: + dashed_name: file-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: file.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + file.pe.go_stripped: + dashed_name: file-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: file.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + file.pe.imphash: + dashed_name: file-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: file.pe.imphash + ignore_above: 1024 + level: extended + name: imphash normalize: [] original_fieldset: pe short: A hash of the imports in a PE file. type: keyword + file.pe.import_hash: + dashed_name: file-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. 
+ + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: file.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in an ELF file. + type: keyword + file.pe.imports: + dashed_name: file-pe-imports + description: List of imported element names and types. + flat_name: file.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened + file.pe.imports_names_entropy: + dashed_name: file-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: file.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + file.pe.imports_names_var_entropy: + dashed_name: file-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: file.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long file.pe.original_file_name: dashed_name: file-pe-original-file-name description: Internal name of the file, provided at compile-time. 
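Review bot: the `short` text for `file.pe.go_import_hash` ("A hash of the Go language imports in an ELF file.") and for `file.pe.import_hash` ("A hash of the imports in an ELF file.") was carried over from the ELF fieldset and contradicts the descriptions directly above, which say "PE file"; both should read "PE file". In the same hunk, `file.pe.go_imports` is `type: flattened` with `normalize: []` while `file.pe.imports` is also `type: flattened` but has `normalize: - array` for the same kind of list; pick one convention for the two fields. The `file.pe.go_stripped` description covers only Go executables ("true if ... stripped or obfuscated and false if an unobfuscated Go executable"); say whether the field is omitted or set to `false` for binaries that are not Go at all, since a bare `false` is ambiguous otherwise.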
@@ -5328,6 +6043,75 @@ file: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword + file.pe.sections: + dashed_name: file-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: file.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested + file.pe.sections.entropy: + dashed_name: file-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: file.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long + file.pe.sections.name: + dashed_name: file-pe-sections-name + description: PE Section List name. + flat_name: file.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword + file.pe.sections.physical_size: + dashed_name: file-pe-sections-physical-size + description: PE Section List physical size. + flat_name: file.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + file.pe.sections.var_entropy: + dashed_name: file-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: file.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + file.pe.sections.virtual_size: + dashed_name: file-pe-sections-virtual-size + description: PE Section List virtual size. 
This is always the same as `physical_size`. + flat_name: file.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long file.size: dashed_name: file-size description: 'File size in bytes. @@ -5688,6 +6472,7 @@ file: - file.code_signature - file.elf - file.hash + - file.macho - file.pe - file.x509 prefix: file. @@ -5717,6 +6502,10 @@ file: full: file.elf schema_name: elf short: These fields contain Linux Executable Linkable Format (ELF) metadata. + - beta: This field reuse is beta and subject to change. + full: file.macho + schema_name: macho + short: These fields contain Mac OS Mach Object file format (Mach-O) metadata. short: Fields describing files. title: File type: group 
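Review bot: `file.pe.sections.virtual_size` is declared `type: long` but carries `format: string`, while its sibling `file.pe.sections.physical_size` uses `format: bytes`; a string format on a numeric type looks like a copy error, and `bytes` is the format that matches the description. The entropy fields in this hunk (`file.pe.sections.entropy`, `file.pe.sections.var_entropy`) are `type: long` with `format: number`, but Shannon entropy over section bytes is a fractional value between 0 and 8 bits, so a `long` will truncate it unless the producer scales the result; please confirm the intended precision and document it in the description if the stored value is scaled.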
@@ -7122,6 +7911,210 @@ log: short: Details about the event's logging mechanism. title: Log type: group +macho: + beta: These fields are in beta and are subject to change. + description: These fields contain Mac OS Mach Object file format (Mach-O) metadata. + fields: + macho.go_import_hash: + dashed_name: macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + short: A hash of the Go language imports in an ELF file. + type: keyword + macho.go_imports: + dashed_name: macho-go-imports + description: List of imported Go language element names and types. + flat_name: macho.go_imports + level: extended + name: go_imports + normalize: [] + short: List of imported Go language element names and types. + type: flattened + macho.go_imports_names_entropy: + dashed_name: macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + short: Shannon entropy calculation from the list of Go imports. + type: long + macho.go_imports_names_var_entropy: + dashed_name: macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + macho.go_stripped: + dashed_name: macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: macho.go_stripped + level: extended + name: go_stripped + normalize: [] + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + macho.import_hash: + dashed_name: macho-import-hash + description: 'A hash of the imports in an Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + short: A hash of the imports in an ELF file. + type: keyword + macho.imports: + dashed_name: macho-imports + description: List of imported element names and types. + flat_name: macho.imports + level: extended + name: imports + normalize: + - array + short: List of imported element names and types. + type: flattened + macho.imports_names_entropy: + dashed_name: macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + macho.imports_names_var_entropy: + dashed_name: macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + macho.sections: + dashed_name: macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: macho.sections + level: extended + name: sections + normalize: + - array + short: Section information of the Mach-O file. + type: nested + macho.sections.entropy: + dashed_name: macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + short: Shannon entropy calculation from the section. + type: long + macho.sections.name: + dashed_name: macho-sections-name + description: Mach-O Section List name. + flat_name: macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + short: Mach-O Section List name. + type: keyword + macho.sections.physical_size: + dashed_name: macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + short: Mach-O Section List physical size. + type: long + macho.sections.var_entropy: + dashed_name: macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + short: Variance for Shannon entropy calculation from the section. + type: long + macho.sections.virtual_size: + dashed_name: macho-sections-virtual-size + description: Mach-O Section List virtual size. 
This is always the same as `physical_size`. + flat_name: macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long + macho.symhash: + dashed_name: macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + short: A hash of the imports in a Mach-O file. + type: keyword + group: 2 + name: macho + prefix: macho. + reusable: + expected: + - as: macho + at: file + beta: This field reuse is beta and subject to change. + full: file.macho + - as: macho + at: process + beta: This field reuse is beta and subject to change. + full: process.macho + top_level: false + short: These fields contain Mac OS Mach Object file format (Mach-O) metadata. + title: Mach-O Header + type: group network: description: 'The network is defined as the communication path over which a host or network event happens. 
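Review bot: in the new `macho` fieldset the `short` values for `macho.go_import_hash` and `macho.import_hash` still say "in an ELF file", and the `macho.import_hash` description opens with "A hash of the imports in an Mach-O file"; these should all read "a Mach-O file". `macho.import_hash` is documented as "a synonym for symhash", yet the two synonyms carry different examples (`d41d8cd98f00b204e9800998ecf8427e` versus `d3ccf195b62a9279c3c19af1080497ec`), and `d41d8cd98f00b204e9800998ecf8427e` is the MD5 of an empty input, so it illustrates a binary with no imports; reuse the `symhash` example for both and state which of the two fields producers are expected to populate. The `macho.symhash` description ("This is a Mach-O implementation of the Windows PE imphash") is missing its terminating period, and `macho.sections.virtual_size` repeats the `format: string` on `type: long` mismatch seen in the PE sections.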
@@ -8470,6 +9463,62 @@ pe: normalize: [] short: Process name. type: keyword + pe.go_import_hash: + dashed_name: pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + short: A hash of the Go language imports in an ELF file. + type: keyword + pe.go_imports: + dashed_name: pe-go-imports + description: List of imported Go language element names and types. + flat_name: pe.go_imports + level: extended + name: go_imports + normalize: [] + short: List of imported Go language element names and types. + type: flattened + pe.go_imports_names_entropy: + dashed_name: pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + short: Shannon entropy calculation from the list of Go imports. + type: long + pe.go_imports_names_var_entropy: + dashed_name: pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long + pe.go_stripped: + dashed_name: pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: pe.go_stripped + level: extended + name: go_stripped + normalize: [] + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean pe.imphash: dashed_name: pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash 
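Review bot: `pe.go_import_hash` has `short: A hash of the Go language imports in an ELF file.` in the PE fieldset, directly contradicting its own description ("in a PE file"); since `pe` is reused at `file.pe`, `dll.pe` and `process.pe`, the fix belongs in the source schema so every generated copy changes together. The `pe.go_import_hash` description says the hash excludes standard library imports and links to a reference implementation, but never names the hash function; the 32-hex-digit example suggests MD5, and the description should say so explicitly rather than leave readers to infer it from the example.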
@@ -8485,6 +9534,55 @@ pe: normalize: [] short: A hash of the imports in a PE file. type: keyword + pe.import_hash: + dashed_name: pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + short: A hash of the imports in an ELF file. + type: keyword + pe.imports: + dashed_name: pe-imports + description: List of imported element names and types. + flat_name: pe.imports + level: extended + name: imports + normalize: + - array + short: List of imported element names and types. + type: flattened + pe.imports_names_entropy: + dashed_name: pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + pe.imports_names_var_entropy: + dashed_name: pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long pe.original_file_name: dashed_name: pe-original-file-name description: Internal name of the file, provided at compile-time. 
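Review bot: the `pe.import_hash` example `d41d8cd98f00b204e9800998ecf8427e` is the MD5 of an empty input, so it depicts a PE with no imports at all; because the description states "This is a synonym for imphash", the example should be the same value as the `imphash` example (`0c6803c4e922103c4dca5963aad36ddf`) to make the equivalence obvious. The `pe.import_hash` `short` also says "in an ELF file" where "in a PE file" is meant. With two fields that are declared synonyms, the description should say whether producers populate both or whether `imphash` is to be deprecated; and `pe.go_imports` (`normalize: []`) versus `pe.imports` (`normalize: - array`) in this hunk should use one convention for list fields.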
@@ -8522,37 +9620,100 @@ pe: normalize: [] short: Internal product name of the file, provided at compile-time. type: keyword - group: 2 - name: pe - prefix: pe. - reusable: - expected: - - as: pe - at: file - full: file.pe - - as: pe - at: dll - full: dll.pe - - as: pe - at: process - full: process.pe - top_level: false - short: These fields contain Windows Portable Executable (PE) metadata. - title: PE Header - type: group -process: - description: 'These fields contain information about a process. - - These fields can help you correlate metrics information with a process id/name - from a log message. The `process.pid` often stays in the metric itself and is - copied to the global field for correlation.' - fields: - process.args: - dashed_name: process-args - description: 'Array of process arguments, starting with the absolute path to - the executable. + pe.sections: + dashed_name: pe-sections + description: 'An array containing an object for each section of the PE file. - May be filtered to protect sensitive information.' + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: pe.sections + level: extended + name: sections + normalize: + - array + short: Section information of the PE file. + type: nested + pe.sections.entropy: + dashed_name: pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + short: Shannon entropy calculation from the section. + type: long + pe.sections.name: + dashed_name: pe-sections-name + description: PE Section List name. + flat_name: pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + short: PE Section List name. + type: keyword + pe.sections.physical_size: + dashed_name: pe-sections-physical-size + description: PE Section List physical size. 
+ flat_name: pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + short: PE Section List physical size. + type: long + pe.sections.var_entropy: + dashed_name: pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + short: Variance for Shannon entropy calculation from the section. + type: long + pe.sections.virtual_size: + dashed_name: pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long + group: 2 + name: pe + prefix: pe. + reusable: + expected: + - as: pe + at: file + full: file.pe + - as: pe + at: dll + full: dll.pe + - as: pe + at: process + full: process.pe + top_level: false + short: These fields contain Windows Portable Executable (PE) metadata. + title: PE Header + type: group +process: + description: 'These fields contain information about a process. + + These fields can help you correlate metrics information with a process id/name + from a log message. The `process.pid` often stays in the metric itself and is + copied to the global field for correlation.' + fields: + process.args: + dashed_name: process-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' flat_name: process.args ignore_above: 1024 
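Review bot: the description of `pe.sections.virtual_size` asserts "This is always the same as `physical_size`", which does not hold for PE sections in general: a section's VirtualSize and SizeOfRawData differ whenever the section contains uninitialized data or is padded to the file alignment, so either drop the sentence (it appears to have been copied from the ELF fieldset) or describe what the producer actually emits. Note also that the large `-`/`+` block for `group: 2`, `reusable:` and the start of `process:` is re-added unchanged; the only substantive change in this hunk is the `pe.sections.*` definitions, which is worth stating in the PR description so reviewers are not misled by the hunk size.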
@@ -8775,6 +9936,67 @@ process: original_fieldset: elf short: List of exported element names and types. type: flattened + process.elf.go_import_hash: + dashed_name: process-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword + process.elf.go_imports: + dashed_name: process-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened + process.elf.go_imports_names_entropy: + dashed_name: process-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long + process.elf.go_imports_names_var_entropy: + dashed_name: process-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.elf.go_stripped: + dashed_name: process-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean process.elf.header.abi_version: dashed_name: process-elf-header-abi-version description: Version of the ELF Application Binary Interface (ABI). @@ -8863,6 +10085,22 @@ process: original_fieldset: elf short: Version of the ELF header. type: keyword + process.elf.import_hash: + dashed_name: process-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword process.elf.imports: dashed_name: process-elf-imports description: List of imported element names and types. 
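Review bot: `process.elf.import_hash` uses the example `d41d8cd98f00b204e9800998ecf8427e`, which is the MD5 of an empty input and therefore an import hash of a binary with no imports; replace it with a value computed over a non-empty import table. The `process.elf.go_import_hash` description embeds a markdown link ("available [here](https://github.com/elastic/toutoumomoma)") while the existing `imphash` description uses a bare URL; confirm that the field documentation generator renders markdown in `description`, otherwise the literal brackets will appear in the rendered docs.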
@@ -8874,6 +10112,32 @@ process: original_fieldset: elf short: List of imported element names and types. type: flattened + process.elf.imports_names_entropy: + dashed_name: process-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.elf.imports_names_var_entropy: + dashed_name: process-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long process.elf.sections: dashed_name: process-elf-sections description: 'An array containing an object for each section of the ELF file. @@ -8965,6 +10229,17 @@ process: original_fieldset: elf short: ELF Section List type. type: keyword + process.elf.sections.var_entropy: + dashed_name: process-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long process.elf.sections.virtual_address: dashed_name: process-elf-sections-virtual-address description: ELF Section List virtual address. 
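Review bot: the descriptions of `process.elf.imports_names_entropy` and `process.elf.imports_names_var_entropy` do not define what the entropy is computed over (the byte distribution of the concatenated names, or per name) nor what the "variance" is the variance of (across names, or across sub-blocks), so two producers could emit different numbers for the same binary; please spell out the computation. Both fields, and `process.elf.sections.var_entropy` in the third hunk, are `type: long` with `format: number`, but an entropy in bits is fractional; state whether the stored value is scaled or accept that `long` truncates it.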
@@ -10286,6 +11561,205 @@ process: normalize: [] short: The type of object on which the IO action (read or write) was taken. type: keyword + process.macho.go_import_hash: + dashed_name: process-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in an ELF file. + type: keyword + process.macho.go_imports: + dashed_name: process-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened + process.macho.go_imports_names_entropy: + dashed_name: process-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long + process.macho.go_imports_names_var_entropy: + dashed_name: process-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.macho.go_stripped: + dashed_name: process-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.macho.import_hash: + dashed_name: process-macho-import-hash + description: 'A hash of the imports in an Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in an ELF file. + type: keyword + process.macho.imports: + dashed_name: process-macho-imports + description: List of imported element names and types. + flat_name: process.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened + process.macho.imports_names_entropy: + dashed_name: process-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.macho.imports_names_var_entropy: + dashed_name: process-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.macho.sections: + dashed_name: process-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: process.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested + process.macho.sections.entropy: + dashed_name: process-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long + process.macho.sections.name: + dashed_name: process-macho-sections-name + description: Mach-O Section List name. + flat_name: process.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. 
+ type: keyword + process.macho.sections.physical_size: + dashed_name: process-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long + process.macho.sections.var_entropy: + dashed_name: process-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long + process.macho.sections.virtual_size: + dashed_name: process-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long + process.macho.symhash: + dashed_name: process-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword process.name: dashed_name: process-name description: 'Process name. 
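Review bot: the `process.macho.*` copy inherits the same text defects as the top-level `macho` fieldset: `short: A hash of the Go language imports in an ELF file.` on `process.macho.go_import_hash`, `short: A hash of the imports in an ELF file.` on `process.macho.import_hash`, "in an Mach-O file" in the `process.macho.import_hash` description, and a missing period at the end of the `process.macho.symhash` description; since these are generated from the reusable fieldset, fix them once at the source so this copy and `file.macho` change together. `process.macho.import_hash` and `process.macho.symhash` are declared synonyms but carry different example values; align them.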
@@ -10534,6 +12008,67 @@ process: original_fieldset: elf short: List of exported element names and types. type: flattened + process.parent.elf.go_import_hash: + dashed_name: process-parent-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword + process.parent.elf.go_imports: + dashed_name: process-parent-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened + process.parent.elf.go_imports_names_entropy: + dashed_name: process-parent-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long + process.parent.elf.go_imports_names_var_entropy: + dashed_name: process-parent-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.parent.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.parent.elf.go_stripped: + dashed_name: process-parent-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean process.parent.elf.header.abi_version: dashed_name: process-parent-elf-header-abi-version description: Version of the ELF Application Binary Interface (ABI). @@ -10622,6 +12157,22 @@ process: original_fieldset: elf short: Version of the ELF header. type: keyword + process.parent.elf.import_hash: + dashed_name: process-parent-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword process.parent.elf.imports: dashed_name: process-parent-elf-imports description: List of imported element names and types. 
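Review bot: in the `@@ -10534,6 +12008,67 @@` hunk, `process.parent.elf.go_imports` is described as "List of imported Go language element names and types" but carries `normalize: []`, while the existing `process.parent.elf.imports` entry in this patch uses `normalize: - array`; if `go_imports` is a list like `imports`, set `normalize: - array` so consumers get consistent array handling for both fields.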
@@ -10633,6 +12184,32 @@ process: original_fieldset: elf short: List of imported element names and types. type: flattened + process.parent.elf.imports_names_entropy: + dashed_name: process-parent-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.parent.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.parent.elf.imports_names_var_entropy: + dashed_name: process-parent-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long process.parent.elf.sections: dashed_name: process-parent-elf-sections description: 'An array containing an object for each section of the ELF file. @@ -10724,6 +12301,17 @@ process: original_fieldset: elf short: ELF Section List type. type: keyword + process.parent.elf.sections.var_entropy: + dashed_name: process-parent-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long process.parent.elf.sections.virtual_address: dashed_name: process-parent-elf-sections-virtual-address description: ELF Section List virtual address. 
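Review bot: `process.parent.elf.sections.var_entropy` and the `*_names_entropy` / `*_names_var_entropy` fields in these hunks are `type: long` with `format: number`, yet a Shannon entropy (and its variance) is fractional; indexing it as `long` truncates the value. If this mirrors the existing entropy fields for consistency, fine, but it is worth confirming that the producer rounds deliberately rather than losing precision by accident.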
@@ -10992,43 +12580,242 @@ process: flat_name: process.parent.hash.ssdeep ignore_above: 1024 level: extended - name: ssdeep + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword + process.parent.hash.tlsh: + dashed_name: process-parent-hash-tlsh + description: TLSH hash. + flat_name: process.parent.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword + process.parent.interactive: + dashed_name: process-parent-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.parent.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.parent.macho.go_import_hash: + dashed_name: process-parent-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' 
+ example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in an ELF file. + type: keyword + process.parent.macho.go_imports: + dashed_name: process-parent-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened + process.parent.macho.go_imports_names_entropy: + dashed_name: process-parent-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long + process.parent.macho.go_imports_names_var_entropy: + dashed_name: process-parent-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.parent.macho.go_stripped: + dashed_name: process-parent-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. 
+ type: boolean + process.parent.macho.import_hash: + dashed_name: process-parent-macho-import-hash + description: 'A hash of the imports in an Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in an ELF file. + type: keyword + process.parent.macho.imports: + dashed_name: process-parent-macho-imports + description: List of imported element names and types. + flat_name: process.parent.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened + process.parent.macho.imports_names_entropy: + dashed_name: process-parent-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.parent.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.parent.macho.imports_names_var_entropy: + dashed_name: process-parent-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. 
+ type: long + process.parent.macho.sections: + dashed_name: process-parent-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: process.parent.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested + process.parent.macho.sections.entropy: + dashed_name: process-parent-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long + process.parent.macho.sections.name: + dashed_name: process-parent-macho-sections-name + description: Mach-O Section List name. + flat_name: process.parent.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name normalize: [] - original_fieldset: hash - short: SSDEEP hash. + original_fieldset: macho + short: Mach-O Section List name. type: keyword - process.parent.hash.tlsh: - dashed_name: process-parent-hash-tlsh - description: TLSH hash. - flat_name: process.parent.hash.tlsh - ignore_above: 1024 + process.parent.macho.sections.physical_size: + dashed_name: process-parent-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.parent.macho.sections.physical_size + format: bytes level: extended - name: tlsh + name: sections.physical_size normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword - process.parent.interactive: - dashed_name: process-parent-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. 
If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. + original_fieldset: macho + short: Mach-O Section List physical size. + type: long + process.parent.macho.sections.var_entropy: + dashed_name: process-parent-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long + process.parent.macho.sections.virtual_size: + dashed_name: process-parent-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.parent.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long + process.parent.macho.symhash: + dashed_name: process-parent-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' 
- example: true - flat_name: process.parent.interactive + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.parent.macho.symhash + ignore_above: 1024 level: extended - name: interactive + name: symhash normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword process.parent.name: dashed_name: process-parent-name description: 'Process name. 
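Review bot: two copy-paste errors in the `@@ -10992,43 +12580,242 @@` hunk: `process.parent.macho.go_import_hash` has `short: A hash of the Go language imports in an ELF file.` and `process.parent.macho.import_hash` has `short: A hash of the imports in an ELF file.`; both should say "a Mach-O file" to match their descriptions. Also, `process.parent.macho.import_hash` reads "A hash of the imports in an Mach-O file" (should be "a Mach-O file"), and `process.parent.macho.sections.virtual_size` uses `format: string` on a `type: long` while `physical_size` uses `format: bytes`. The `-`/`+` churn for `process.parent.hash.ssdeep`, `process.parent.hash.tlsh` and `process.parent.interactive` is content-identical and only reflects the macho fields being inserted in sort order, so nothing to fix there.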
@@ -11095,6 +12882,67 @@ process: original_fieldset: pe short: Process name. type: keyword + process.parent.pe.go_import_hash: + dashed_name: process-parent-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in an ELF file. + type: keyword + process.parent.pe.go_imports: + dashed_name: process-parent-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + process.parent.pe.go_imports_names_entropy: + dashed_name: process-parent-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long + process.parent.pe.go_imports_names_var_entropy: + dashed_name: process-parent-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.parent.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.parent.pe.go_stripped: + dashed_name: process-parent-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean process.parent.pe.imphash: dashed_name: process-parent-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash 
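Review bot: `process.parent.pe.go_import_hash` in the `@@ -11095,6 +12882,67 @@` hunk has `short: A hash of the Go language imports in an ELF file.` although the description says "in a PE file"; correct the `short` to "in a PE file". `process.parent.pe.go_imports` is also a list per its description but uses `normalize: []`, unlike `process.parent.pe.imports` (`normalize: - array`); align them.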
@@ -11111,6 +12959,59 @@ process: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword + process.parent.pe.import_hash: + dashed_name: process-parent-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in an ELF file. + type: keyword + process.parent.pe.imports: + dashed_name: process-parent-pe-imports + description: List of imported element names and types. + flat_name: process.parent.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened + process.parent.pe.imports_names_entropy: + dashed_name: process-parent-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.parent.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.parent.pe.imports_names_var_entropy: + dashed_name: process-parent-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. 
+ type: long process.parent.pe.original_file_name: dashed_name: process-parent-pe-original-file-name description: Internal name of the file, provided at compile-time. 
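Review bot: `process.parent.pe.import_hash` has `short: A hash of the imports in an ELF file.` while its description says "A hash of the imports in a PE file" and "This is a synonym for imphash."; the `short` should say "in a PE file".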
@@ -11151,6 +13052,75 @@ process: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword + process.parent.pe.sections: + dashed_name: process-parent-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: process.parent.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested + process.parent.pe.sections.entropy: + dashed_name: process-parent-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long + process.parent.pe.sections.name: + dashed_name: process-parent-pe-sections-name + description: PE Section List name. + flat_name: process.parent.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword + process.parent.pe.sections.physical_size: + dashed_name: process-parent-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.parent.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + process.parent.pe.sections.var_entropy: + dashed_name: process-parent-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. 
+ flat_name: process.parent.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + process.parent.pe.sections.virtual_size: + dashed_name: process-parent-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.parent.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long process.parent.pgid: dashed_name: process-parent-pgid description: 'Deprecated for removal in next major version release. This field 
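Review bot: the `process.parent.pe.sections.virtual_size` description "This is always the same as `physical_size`" is incorrect for PE: a section's VirtualSize and SizeOfRawData routinely differ (uninitialized data, file-alignment padding), and a large gap between them is itself a common packing indicator worth preserving rather than collapsing. Keep both values, drop the "always the same" sentence, and change `format: string` to `format: bytes` to match `physical_size`.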
@@ -11494,6 +13464,67 @@ process: original_fieldset: pe short: Process name. type: keyword + process.pe.go_import_hash: + dashed_name: process-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in an ELF file. + type: keyword + process.pe.go_imports: + dashed_name: process-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + process.pe.go_imports_names_entropy: + dashed_name: process-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long + process.pe.go_imports_names_var_entropy: + dashed_name: process-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.pe.go_stripped: + dashed_name: process-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean process.pe.imphash: dashed_name: process-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash 
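Review bot: `process.pe.go_import_hash` in the `@@ -11494,6 +13464,67 @@` hunk carries `short: A hash of the Go language imports in an ELF file.` under a description that says "in a PE file"; fix the `short`. `process.pe.go_imports` uses `normalize: []` although it is a list, whereas `process.pe.imports` uses `normalize: - array`; make them consistent.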
@@ -11510,6 +13541,59 @@ process: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword + process.pe.import_hash: + dashed_name: process-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in an ELF file. + type: keyword + process.pe.imports: + dashed_name: process-pe-imports + description: List of imported element names and types. + flat_name: process.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened + process.pe.imports_names_entropy: + dashed_name: process-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.pe.imports_names_var_entropy: + dashed_name: process-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. 
+ type: long process.pe.original_file_name: dashed_name: process-pe-original-file-name description: Internal name of the file, provided at compile-time. 
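Review bot: `process.pe.import_hash` has `short: A hash of the imports in an ELF file.` but describes "A hash of the imports in a PE file" and "This is a synonym for imphash."; the `short` should read "in a PE file".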
@@ -11550,6 +13634,75 @@ process: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword + process.pe.sections: + dashed_name: process-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: process.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested + process.pe.sections.entropy: + dashed_name: process-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long + process.pe.sections.name: + dashed_name: process-pe-sections-name + description: PE Section List name. + flat_name: process.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword + process.pe.sections.physical_size: + dashed_name: process-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + process.pe.sections.var_entropy: + dashed_name: process-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. 
+ type: long + process.pe.sections.virtual_size: + dashed_name: process-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long process.pgid: dashed_name: process-pgid description: 'Deprecated for removal in next major version release. This field @@ -12413,6 +14566,7 @@ process: - process.group - process.group_leader - process.hash + - process.macho - process.parent - process.parent.group_leader - process.pe @@ -12516,6 +14670,10 @@ process: full: process.elf schema_name: elf short: These fields contain Linux Executable Linkable Format (ELF) metadata. + - beta: This field reuse is beta and subject to change. + full: process.macho + schema_name: macho + short: These fields contain Mac OS Mach Object file format (Mach-O) metadata. - full: process.entry_meta.source schema_name: source short: Remote client information such as ip, port and geo location. 
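Review bot: `process.pe.sections.virtual_size` repeats "This is always the same as `physical_size`", which does not hold for PE sections (VirtualSize and SizeOfRawData commonly differ), and pairs `format: string` with `type: long`; drop the sentence and use `format: bytes` like `physical_size`. In the `@@ -12516,6 +14670,10 @@` hunk, the new reuse entry says "Mac OS Mach Object file format (Mach-O) metadata"; "macOS Mach object" is the conventional spelling.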
@@ -14980,22 +17138,83 @@ threat: it was built or compiled. It can also be faked by malware creators. flat_name: threat.enrichments.indicator.file.elf.creation_date level: extended - name: creation_date + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + threat.enrichments.indicator.file.elf.exports: + dashed_name: threat-enrichments-indicator-file-elf-exports + description: List of exported element names and types. + flat_name: threat.enrichments.indicator.file.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + threat.enrichments.indicator.file.elf.go_import_hash: + dashed_name: threat-enrichments-indicator-file-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: threat.enrichments.indicator.file.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword + threat.enrichments.indicator.file.elf.go_imports: + dashed_name: threat-enrichments-indicator-file-elf-go-imports + description: List of imported Go language element names and types. + flat_name: threat.enrichments.indicator.file.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. 
+ type: flattened + threat.enrichments.indicator.file.elf.go_imports_names_entropy: + dashed_name: threat-enrichments-indicator-file-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: threat.enrichments.indicator.file.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long + threat.enrichments.indicator.file.elf.go_imports_names_var_entropy: + dashed_name: threat-enrichments-indicator-file-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: threat.enrichments.indicator.file.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy normalize: [] original_fieldset: elf - short: Build or compile date. - type: date - threat.enrichments.indicator.file.elf.exports: - dashed_name: threat-enrichments-indicator-file-elf-exports - description: List of exported element names and types. - flat_name: threat.enrichments.indicator.file.elf.exports + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + threat.enrichments.indicator.file.elf.go_stripped: + dashed_name: threat-enrichments-indicator-file-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: threat.enrichments.indicator.file.elf.go_stripped level: extended - name: exports - normalize: - - array + name: go_stripped + normalize: [] original_fieldset: elf - short: List of exported element names and types. - type: flattened + short: Whether the file is a stripped or obfuscated Go executable. 
+ type: boolean threat.enrichments.indicator.file.elf.header.abi_version: dashed_name: threat-enrichments-indicator-file-elf-header-abi-version description: Version of the ELF Application Binary Interface (ABI). @@ -15084,6 +17303,22 @@ threat: original_fieldset: elf short: Version of the ELF header. type: keyword + threat.enrichments.indicator.file.elf.import_hash: + dashed_name: threat-enrichments-indicator-file-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: threat.enrichments.indicator.file.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword threat.enrichments.indicator.file.elf.imports: dashed_name: threat-enrichments-indicator-file-elf-imports description: List of imported element names and types. 
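Review bot: In the @@ -14980 hunk (threat.enrichments.indicator.file.elf.*), the new `go_imports_names_entropy` and `go_imports_names_var_entropy` fields are declared `format: number` with `type: long`, but Shannon entropy over a list of names, and its variance, are real values, so a `long` mapping truncates them to whole numbers unless every producer agrees on a scale factor. Either map them as `float` or state the expected precision and scaling in the description; the `imports_names_*`, `sections.var_entropy` and PE equivalents in the later hunks carry the same `long` type and need the same decision. Two smaller points in the same hunk: `go_imports` is `normalize: []` while the neighbouring `exports` field of the same `flattened` type is `normalize: - array`, so the list fields disagree on normalisation; and `go_stripped` is defined only as "true if ... stripped or obfuscated and false if an unobfuscated Go executable", which leaves the value for non-Go binaries unspecified and invites reading `false` as "not a Go binary". The description should say the field is left unset for non-Go executables.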
@@ -15095,6 +17330,32 @@ threat: original_fieldset: elf short: List of imported element names and types. type: flattened + threat.enrichments.indicator.file.elf.imports_names_entropy: + dashed_name: threat-enrichments-indicator-file-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: threat.enrichments.indicator.file.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + threat.enrichments.indicator.file.elf.imports_names_var_entropy: + dashed_name: threat-enrichments-indicator-file-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: threat.enrichments.indicator.file.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long threat.enrichments.indicator.file.elf.sections: dashed_name: threat-enrichments-indicator-file-elf-sections description: 'An array containing an object for each section of the ELF file. 
@@ -15186,6 +17447,17 @@ threat: original_fieldset: elf short: ELF Section List type. type: keyword + threat.enrichments.indicator.file.elf.sections.var_entropy: + dashed_name: threat-enrichments-indicator-file-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: threat.enrichments.indicator.file.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long threat.enrichments.indicator.file.elf.sections.virtual_address: dashed_name: threat-enrichments-indicator-file-elf-sections-virtual-address description: ELF Section List virtual address. 
@@ -15544,6 +17816,67 @@ threat: original_fieldset: pe short: Process name. type: keyword + threat.enrichments.indicator.file.pe.go_import_hash: + dashed_name: threat-enrichments-indicator-file-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: threat.enrichments.indicator.file.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in an ELF file. + type: keyword + threat.enrichments.indicator.file.pe.go_imports: + dashed_name: threat-enrichments-indicator-file-pe-go-imports + description: List of imported Go language element names and types. + flat_name: threat.enrichments.indicator.file.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + threat.enrichments.indicator.file.pe.go_imports_names_entropy: + dashed_name: threat-enrichments-indicator-file-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: threat.enrichments.indicator.file.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. 
+ type: long + threat.enrichments.indicator.file.pe.go_imports_names_var_entropy: + dashed_name: threat-enrichments-indicator-file-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: threat.enrichments.indicator.file.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + threat.enrichments.indicator.file.pe.go_stripped: + dashed_name: threat-enrichments-indicator-file-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: threat.enrichments.indicator.file.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean threat.enrichments.indicator.file.pe.imphash: dashed_name: threat-enrichments-indicator-file-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash 
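Review bot: In the @@ -15544 hunk, `threat.enrichments.indicator.file.pe.go_import_hash` has `original_fieldset: pe` and a description about "a PE file", yet its short text reads `short: A hash of the Go language imports in an ELF file.`, carried over from the ELF definition; it should say "in a PE file". The short text is what the generated field table shows, so as written it mislabels the PE fieldset. The same copy recurs in the `threat.indicator.file.pe.go_import_hash` hunk below, so fix it once at the schema source and regenerate rather than patching the generated files.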
@@ -15560,6 +17893,59 @@ threat: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword + threat.enrichments.indicator.file.pe.import_hash: + dashed_name: threat-enrichments-indicator-file-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: threat.enrichments.indicator.file.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in an ELF file. + type: keyword + threat.enrichments.indicator.file.pe.imports: + dashed_name: threat-enrichments-indicator-file-pe-imports + description: List of imported element names and types. + flat_name: threat.enrichments.indicator.file.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened + threat.enrichments.indicator.file.pe.imports_names_entropy: + dashed_name: threat-enrichments-indicator-file-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: threat.enrichments.indicator.file.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + threat.enrichments.indicator.file.pe.imports_names_var_entropy: + dashed_name: threat-enrichments-indicator-file-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: threat.enrichments.indicator.file.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long threat.enrichments.indicator.file.pe.original_file_name: dashed_name: threat-enrichments-indicator-file-pe-original-file-name description: Internal name of the file, provided at compile-time. 
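Review bot: In the @@ -15560 hunk, `threat.enrichments.indicator.file.pe.import_hash` again carries `short: A hash of the imports in an ELF file.` for a PE field described as "a synonym for imphash". Beyond the wording, adding a second field that holds the same value as the existing `pe.imphash` one hunk above splits producers and detections across two names: a rule querying `pe.imphash` will miss documents populated only via `pe.import_hash`. The description should name which field is canonical and whether the other is to be deprecated or aliased. Also, `pe.imports` is `normalize: - array` while `pe.go_imports` in the previous hunk is `normalize: []` for the same `flattened` list type; the two should agree.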
@@ -15600,6 +17986,75 @@ threat: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword + threat.enrichments.indicator.file.pe.sections: + dashed_name: threat-enrichments-indicator-file-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: threat.enrichments.indicator.file.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested + threat.enrichments.indicator.file.pe.sections.entropy: + dashed_name: threat-enrichments-indicator-file-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: threat.enrichments.indicator.file.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long + threat.enrichments.indicator.file.pe.sections.name: + dashed_name: threat-enrichments-indicator-file-pe-sections-name + description: PE Section List name. + flat_name: threat.enrichments.indicator.file.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword + threat.enrichments.indicator.file.pe.sections.physical_size: + dashed_name: threat-enrichments-indicator-file-pe-sections-physical-size + description: PE Section List physical size. + flat_name: threat.enrichments.indicator.file.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. 
+ type: long + threat.enrichments.indicator.file.pe.sections.var_entropy: + dashed_name: threat-enrichments-indicator-file-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: threat.enrichments.indicator.file.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + threat.enrichments.indicator.file.pe.sections.virtual_size: + dashed_name: threat-enrichments-indicator-file-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: threat.enrichments.indicator.file.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long threat.enrichments.indicator.file.size: dashed_name: threat-enrichments-indicator-file-size description: 'File size in bytes. 
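Review bot: In the @@ -15600 hunk, `threat.enrichments.indicator.file.pe.sections.virtual_size` states "This is always the same as `physical_size`." That is not a property of the PE format: a section's VirtualSize and SizeOfRawData are separate header fields and routinely differ (uninitialised data yields a VirtualSize larger than the raw size, file alignment padding yields the reverse), and the gap between them is something analysts actually look at. If the producer really fills both from one value the field is redundant and should be dropped; otherwise delete the sentence. The field also has `format: string` on a `type: long` while its sibling `physical_size` uses `format: bytes`; both sizes should use the same formatter.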
@@ -17383,6 +19838,67 @@ threat: original_fieldset: elf short: List of exported element names and types. type: flattened + threat.indicator.file.elf.go_import_hash: + dashed_name: threat-indicator-file-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: threat.indicator.file.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword + threat.indicator.file.elf.go_imports: + dashed_name: threat-indicator-file-elf-go-imports + description: List of imported Go language element names and types. + flat_name: threat.indicator.file.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened + threat.indicator.file.elf.go_imports_names_entropy: + dashed_name: threat-indicator-file-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: threat.indicator.file.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long + threat.indicator.file.elf.go_imports_names_var_entropy: + dashed_name: threat-indicator-file-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: threat.indicator.file.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + threat.indicator.file.elf.go_stripped: + dashed_name: threat-indicator-file-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: threat.indicator.file.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean threat.indicator.file.elf.header.abi_version: dashed_name: threat-indicator-file-elf-header-abi-version description: Version of the ELF Application Binary Interface (ABI). @@ -17471,6 +19987,22 @@ threat: original_fieldset: elf short: Version of the ELF header. type: keyword + threat.indicator.file.elf.import_hash: + dashed_name: threat-indicator-file-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: threat.indicator.file.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword threat.indicator.file.elf.imports: dashed_name: threat-indicator-file-elf-imports description: List of imported element names and types. 
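Review bot: In the @@ -17471 hunk, `threat.indicator.file.elf.import_hash` is described as "an ELF implementation of the Windows PE imphash" without saying what goes into the hash (symbol names only, or library plus symbol, in what order and case) or which digest is used. The `example: d41d8cd98f00b204e9800998ecf8427e` is the MD5 of empty input, which implies MD5 only to a reader who recognises the value, and an empty-input hash is a poor illustration of a populated field. Spell out the algorithm and input normalisation in the description so values from different producers are comparable, and use an example computed from a non-empty import list (or mark it as a placeholder). The enrichments copy of this field in the @@ -15084 hunk has the same gap.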
@@ -17482,6 +20014,32 @@ threat: original_fieldset: elf short: List of imported element names and types. type: flattened + threat.indicator.file.elf.imports_names_entropy: + dashed_name: threat-indicator-file-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: threat.indicator.file.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + threat.indicator.file.elf.imports_names_var_entropy: + dashed_name: threat-indicator-file-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: threat.indicator.file.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long threat.indicator.file.elf.sections: dashed_name: threat-indicator-file-elf-sections description: 'An array containing an object for each section of the ELF file. @@ -17573,6 +20131,17 @@ threat: original_fieldset: elf short: ELF Section List type. type: keyword + threat.indicator.file.elf.sections.var_entropy: + dashed_name: threat-indicator-file-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: threat.indicator.file.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long threat.indicator.file.elf.sections.virtual_address: dashed_name: threat-indicator-file-elf-sections-virtual-address description: ELF Section List virtual address. 
@@ -17931,6 +20500,67 @@ threat: original_fieldset: pe short: Process name. type: keyword + threat.indicator.file.pe.go_import_hash: + dashed_name: threat-indicator-file-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma).' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: threat.indicator.file.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in an ELF file. + type: keyword + threat.indicator.file.pe.go_imports: + dashed_name: threat-indicator-file-pe-go-imports + description: List of imported Go language element names and types. + flat_name: threat.indicator.file.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + threat.indicator.file.pe.go_imports_names_entropy: + dashed_name: threat-indicator-file-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: threat.indicator.file.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long + threat.indicator.file.pe.go_imports_names_var_entropy: + dashed_name: threat-indicator-file-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: threat.indicator.file.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + threat.indicator.file.pe.go_stripped: + dashed_name: threat-indicator-file-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: threat.indicator.file.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean threat.indicator.file.pe.imphash: dashed_name: threat-indicator-file-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash 
@@ -17947,6 +20577,59 @@ threat: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword + threat.indicator.file.pe.import_hash: + dashed_name: threat-indicator-file-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: threat.indicator.file.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in an ELF file. + type: keyword + threat.indicator.file.pe.imports: + dashed_name: threat-indicator-file-pe-imports + description: List of imported element names and types. + flat_name: threat.indicator.file.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened + threat.indicator.file.pe.imports_names_entropy: + dashed_name: threat-indicator-file-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: threat.indicator.file.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + threat.indicator.file.pe.imports_names_var_entropy: + dashed_name: threat-indicator-file-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: threat.indicator.file.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long threat.indicator.file.pe.original_file_name: dashed_name: threat-indicator-file-pe-original-file-name description: Internal name of the file, provided at compile-time. 
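Review bot: In the @@ -17947 hunk, `threat.indicator.file.pe.import_hash` repeats the `short: A hash of the imports in an ELF file.` wording and the unqualified "synonym for imphash" note already flagged on the enrichments copy, and `threat.indicator.file.pe.go_import_hash` in the @@ -17931 hunk above repeats the ELF short text too. These `threat.indicator.file.*` and `threat.enrichments.indicator.file.*` definitions are emitted from a single pe fieldset, so one correction at the source and a regeneration fixes all four places; please do not hand-edit the generated YAML.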
@@ -17987,6 +20670,75 @@ threat: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword + threat.indicator.file.pe.sections: + dashed_name: threat-indicator-file-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: threat.indicator.file.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested + threat.indicator.file.pe.sections.entropy: + dashed_name: threat-indicator-file-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: threat.indicator.file.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long + threat.indicator.file.pe.sections.name: + dashed_name: threat-indicator-file-pe-sections-name + description: PE Section List name. + flat_name: threat.indicator.file.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword + threat.indicator.file.pe.sections.physical_size: + dashed_name: threat-indicator-file-pe-sections-physical-size + description: PE Section List physical size. + flat_name: threat.indicator.file.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + threat.indicator.file.pe.sections.var_entropy: + dashed_name: threat-indicator-file-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. 
+ flat_name: threat.indicator.file.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + threat.indicator.file.pe.sections.virtual_size: + dashed_name: threat-indicator-file-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: threat.indicator.file.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long threat.indicator.file.size: dashed_name: threat-indicator-file-size description: 'File size in bytes. diff --git a/generated/elasticsearch/composable/component/dll.json b/generated/elasticsearch/composable/component/dll.json index 1286f8ea02..7b1f7da1b7 100644 --- a/generated/elasticsearch/composable/component/dll.json +++ b/generated/elasticsearch/composable/component/dll.json @@ -102,10 +102,39 @@ "ignore_above": 1024, "type": "keyword" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "original_file_name": { "ignore_above": 1024, "type": "keyword" 
@@ -117,6 +146,27 @@ "product": { "ignore_above": 1024, "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" } } } diff --git a/generated/elasticsearch/composable/component/file.json b/generated/elasticsearch/composable/component/file.json index a9190e1ea9..32845366bb 100644 --- a/generated/elasticsearch/composable/component/file.json +++ b/generated/elasticsearch/composable/component/file.json @@ -89,6 +89,22 @@ "exports": { "type": "flattened" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "header": { "properties": { "abi_version": { @@ -124,9 +140,19 @@ } } }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, "imports": { "type": "flattened" }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "sections": { "properties": { "chi2": { @@ -154,6 +180,9 @@ "ignore_above": 1024, "type": "keyword" }, + "var_entropy": { + "type": "long" + }, "virtual_address": { "type": "long" }, 
@@ -238,6 +267,64 @@ "ignore_above": 1024, "type": "keyword" }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "mime_type": { "ignore_above": 1024, "type": "keyword" @@ -284,10 +371,39 @@ "ignore_above": 1024, "type": "keyword" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "original_file_name": { "ignore_above": 1024, "type": "keyword" 
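Review bot: In the file.json @@ -238 hunk, a `macho` object (`symhash`, `sections`, the Go import fields, `import_hash`) is added to the `file` mapping, and the process.json hunks add the same object, but none of the `threat.indicator.file.*` or `threat.enrichments.indicator.file.*` YAML hunks on this page define any `macho.*` fields; they add only `elf.*` and `pe.*`. If Mach-O indicators are meant to be supported, the reuse into the threat fieldset is missing; if the omission is deliberate, the changelog should say so. Note also that `macho.sections` and the new PE `sections` objects are mapped `"type": "nested"`, which stores each section as a separate hidden document and requires nested queries to match several properties of one section; confirm that is intended, since the ELF `sections` object in the same file is left on its existing mapping (visible here only through its `chi2` and `virtual_address` properties).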
@@ -299,6 +415,27 @@ "product": { "ignore_above": 1024, "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" } } }, diff --git a/generated/elasticsearch/composable/component/process.json b/generated/elasticsearch/composable/component/process.json index 1268acae31..37d411c728 100644 --- a/generated/elasticsearch/composable/component/process.json +++ b/generated/elasticsearch/composable/component/process.json @@ -79,6 +79,22 @@ "exports": { "type": "flattened" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "header": { "properties": { "abi_version": { @@ -114,9 +130,19 @@ } } }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, "imports": { "type": "flattened" }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "sections": { "properties": { "chi2": { @@ -144,6 +170,9 @@ "ignore_above": 1024, "type": "keyword" }, + "var_entropy": { + "type": "long" + }, "virtual_address": { "type": "long" }, 
@@ -686,6 +715,64 @@ }, "type": "object" }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "name": { "fields": { "text": { @@ -768,6 +855,22 @@ "exports": { "type": "flattened" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "header": { "properties": { "abi_version": { @@ -803,9 +906,19 @@ } } }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, "imports": { "type": "flattened" }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "sections": { "properties": { "chi2": { @@ -833,6 +946,9 @@ "ignore_above": 1024, "type": "keyword" }, + "var_entropy": { + "type": "long" + }, "virtual_address": { "type": "long" }, 
@@ -945,6 +1061,64 @@ "interactive": { "type": "boolean" }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "name": { "fields": { "text": { @@ -972,10 +1146,39 @@ "ignore_above": 1024, "type": "keyword" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "original_file_name": { "ignore_above": 1024, "type": "keyword" 
@@ -987,6 +1190,27 @@ "product": { "ignore_above": 1024, "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" } } }, @@ -1153,10 +1377,39 @@ "ignore_above": 1024, "type": "keyword" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "original_file_name": { "ignore_above": 1024, "type": "keyword" @@ -1168,6 +1421,27 @@ "product": { "ignore_above": 1024, "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" } } }, diff --git a/generated/elasticsearch/composable/component/threat.json b/generated/elasticsearch/composable/component/threat.json index 7a03c34938..3438cc5e80 100644 --- a/generated/elasticsearch/composable/component/threat.json +++ b/generated/elasticsearch/composable/component/threat.json 
@@ -131,6 +131,22 @@ "exports": { "type": "flattened" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "header": { "properties": { "abi_version": { @@ -166,9 +182,19 @@ } } }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, "imports": { "type": "flattened" }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "sections": { "properties": { "chi2": { @@ -196,6 +222,9 @@ "ignore_above": 1024, "type": "keyword" }, + "var_entropy": { + "type": "long" + }, "virtual_address": { "type": "long" }, @@ -326,10 +355,39 @@ "ignore_above": 1024, "type": "keyword" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "original_file_name": { "ignore_above": 1024, "type": "keyword" @@ -341,6 +399,27 @@ "product": { "ignore_above": 1024, "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" } } }, 
@@ -969,6 +1048,22 @@ "exports": { "type": "flattened" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "header": { "properties": { "abi_version": { @@ -1004,9 +1099,19 @@ } } }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, "imports": { "type": "flattened" }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "sections": { "properties": { "chi2": { @@ -1034,6 +1139,9 @@ "ignore_above": 1024, "type": "keyword" }, + "var_entropy": { + "type": "long" + }, "virtual_address": { "type": "long" }, @@ -1164,10 +1272,39 @@ "ignore_above": 1024, "type": "keyword" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "original_file_name": { "ignore_above": 1024, "type": "keyword" @@ -1179,6 +1316,27 @@ "product": { "ignore_above": 1024, "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" } } }, diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index 07590b8585..0c86d1e5d1 100644 
--- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -832,10 +832,39 @@ "ignore_above": 1024, "type": "keyword" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "original_file_name": { "ignore_above": 1024, "type": "keyword" @@ -847,6 +876,27 @@ "product": { "ignore_above": 1024, "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" } } } @@ -1327,6 +1377,22 @@ "exports": { "type": "flattened" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "header": { "properties": { "abi_version": { @@ -1362,9 +1428,19 @@ } } }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, "imports": { "type": "flattened" }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "sections": { "properties": { "chi2": { @@ -1392,6 +1468,9 @@ "ignore_above": 1024, "type": "keyword" }, + "var_entropy": { + "type": "long" + }, "virtual_address": { "type": "long" }, 
@@ -1476,6 +1555,64 @@ "ignore_above": 1024, "type": "keyword" }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "mime_type": { "ignore_above": 1024, "type": "keyword" @@ -1522,10 +1659,39 @@ "ignore_above": 1024, "type": "keyword" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "original_file_name": { "ignore_above": 1024, "type": "keyword" 
@@ -1537,6 +1703,27 @@ "product": { "ignore_above": 1024, "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" } } }, @@ -2557,6 +2744,22 @@ "exports": { "type": "flattened" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "header": { "properties": { "abi_version": { @@ -2592,9 +2795,19 @@ } } }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, "imports": { "type": "flattened" }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "sections": { "properties": { "chi2": { @@ -2622,6 +2835,9 @@ "ignore_above": 1024, "type": "keyword" }, + "var_entropy": { + "type": "long" + }, "virtual_address": { "type": "long" }, 
@@ -3164,6 +3380,64 @@ }, "type": "object" }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "name": { "fields": { "text": { @@ -3246,6 +3520,22 @@ "exports": { "type": "flattened" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "header": { "properties": { "abi_version": { @@ -3281,9 +3571,19 @@ } } }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, "imports": { "type": "flattened" }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "sections": { "properties": { "chi2": { @@ -3311,6 +3611,9 @@ "ignore_above": 1024, "type": "keyword" }, + "var_entropy": { + "type": "long" + }, "virtual_address": { "type": "long" }, 
@@ -3423,6 +3726,64 @@ "interactive": { "type": "boolean" }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "name": { "fields": { "text": { @@ -3450,10 +3811,39 @@ "ignore_above": 1024, "type": "keyword" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "original_file_name": { "ignore_above": 1024, "type": "keyword" 
@@ -3465,6 +3855,27 @@ "product": { "ignore_above": 1024, "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" } } }, @@ -3631,10 +4042,39 @@ "ignore_above": 1024, "type": "keyword" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "original_file_name": { "ignore_above": 1024, "type": "keyword" @@ -3646,6 +4086,27 @@ "product": { "ignore_above": 1024, "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" } } }, @@ -4765,6 +5226,22 @@ "exports": { "type": "flattened" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "header": { "properties": { "abi_version": { 
@@ -4800,9 +5277,19 @@ } } }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, "imports": { "type": "flattened" }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "sections": { "properties": { "chi2": { @@ -4830,6 +5317,9 @@ "ignore_above": 1024, "type": "keyword" }, + "var_entropy": { + "type": "long" + }, "virtual_address": { "type": "long" }, @@ -4960,10 +5450,39 @@ "ignore_above": 1024, "type": "keyword" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "original_file_name": { "ignore_above": 1024, "type": "keyword" @@ -4975,6 +5494,27 @@ "product": { "ignore_above": 1024, "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" } } }, @@ -5603,6 +6143,22 @@ "exports": { "type": "flattened" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "header": { "properties": { "abi_version": { 
@@ -5638,9 +6194,19 @@ } } }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, "imports": { "type": "flattened" }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "sections": { "properties": { "chi2": { @@ -5668,6 +6234,9 @@ "ignore_above": 1024, "type": "keyword" }, + "var_entropy": { + "type": "long" + }, "virtual_address": { "type": "long" }, @@ -5798,10 +6367,39 @@ "ignore_above": 1024, "type": "keyword" }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "original_file_name": { "ignore_above": 1024, "type": "keyword" @@ -5813,6 +6411,27 @@ "product": { "ignore_above": 1024, "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" } } }, diff --git a/schemas/elf.yml b/schemas/elf.yml index 58d29fcc58..b5c93b4d99 100644 --- a/schemas/elf.yml +++ b/schemas/elf.yml 
@@ -62,6 +62,46 @@ level: extended example: Intel + - name: go_import_hash + short: A hash of the Go language imports in an ELF file. + description: > + A hash of the Go language imports in an ELF file excluding standard library imports. + An import hash can be used to fingerprint binaries even after recompilation or other + code-level transformations have occurred, which would change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma). + example: 10bddcb4cee42080f76c88d9ff964491 + type: keyword + level: extended + + - name: go_imports_names_entropy + description: > + Shannon entropy calculation from the list of Go imports. + type: long + format: number + level: extended + + - name: go_imports_names_var_entropy + description: > + Variance for Shannon entropy calculation from the list of Go imports. + type: long + format: number + level: extended + + - name: go_imports + description: > + List of imported Go language element names and types. + type: flattened + level: extended + + - name: go_stripped + short: Whether the file is a stripped or obfuscated Go executable. + description: > + Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. + type: boolean + level: extended + - name: header.class description: > Header class of the ELF file. 
@@ -111,6 +151,32 @@ description: > "0x1" for original ELF files. + - name: import_hash + short: A hash of the imports in an ELF file. + description: > + A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash. + example: d41d8cd98f00b204e9800998ecf8427e + type: keyword + level: extended + + - name: imports_names_entropy + description: > + Shannon entropy calculation from the list of imported element names and types. + format: number + type: long + level: extended + + - name: imports_names_var_entropy + description: > + Variance for Shannon entropy calculation from the list of imported element names and types. + format: number + type: long + level: extended + - name: sections short: Section information of the ELF file. description: > @@ -154,6 +220,13 @@ type: long level: extended + - name: sections.var_entropy + description: > + Variance for Shannon entropy calculation from the section. + format: number + type: long + level: extended + - name: sections.virtual_address description: > ELF Section List virtual address. diff --git a/schemas/macho.yml b/schemas/macho.yml new file mode 100644 index 0000000000..fca3a0eb96 --- /dev/null +++ b/schemas/macho.yml 
@@ -0,0 +1,166 @@ +# Licensed to Elasticsearch B.V. under one or more contributor +# license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright +# ownership. Elasticsearch B.V. licenses this file to you under +# the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +--- +- name: macho + title: Mach-O Header + group: 2 + description: > + These fields contain Mac OS Mach Object file format (Mach-O) metadata. + beta: > + These fields are in beta and are subject to change. + type: group + reusable: + top_level: false + expected: + - at: file + as: macho + beta: This field reuse is beta and subject to change. + - at: process + as: macho + beta: This field reuse is beta and subject to change. + fields: + - name: go_import_hash + short: A hash of the Go language imports in an ELF file. + description: > + A hash of the Go language imports in a Mach-O file excluding standard library imports. + An import hash can be used to fingerprint binaries even after recompilation or other + code-level transformations have occurred, which would change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma). + example: 10bddcb4cee42080f76c88d9ff964491 + type: keyword + level: extended + + - name: go_imports_names_entropy + description: > + Shannon entropy calculation from the list of Go imports. 
+ type: long + format: number + level: extended + + - name: go_imports_names_var_entropy + description: > + Variance for Shannon entropy calculation from the list of Go imports. + type: long + format: number + level: extended + + - name: go_imports + description: > + List of imported Go language element names and types. + type: flattened + level: extended + + - name: go_stripped + short: Whether the file is a stripped or obfuscated Go executable. + description: > + Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. + type: boolean + level: extended + + - name: import_hash + short: A hash of the imports in an ELF file. + description: > + A hash of the imports in an Mach-O file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash. + example: d41d8cd98f00b204e9800998ecf8427e + type: keyword + level: extended + + - name: imports + description: > + List of imported element names and types. + type: flattened + level: extended + normalize: + - array + + - name: imports_names_entropy + description: > + Shannon entropy calculation from the list of imported element names and types. + format: number + type: long + level: extended + + - name: imports_names_var_entropy + description: > + Variance for Shannon entropy calculation from the list of imported element names and types. + format: number + type: long + level: extended + + - name: sections + short: Section information of the Mach-O file. + description: > + An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`. + type: nested + level: extended + normalize: + - "array" + + - name: sections.entropy + description: > + Shannon entropy calculation from the section. 
+ format: number + type: long + level: extended + + - name: sections.name + description: > + Mach-O Section List name. + type: keyword + level: extended + + - name: sections.physical_size + description: > + Mach-O Section List physical size. + format: bytes + type: long + level: extended + + - name: sections.var_entropy + description: > + Variance for Shannon entropy calculation from the section. + format: number + type: long + level: extended + + - name: sections.virtual_size + description: > + Mach-O Section List virtual size. This is always the same as `physical_size`. + format: string + type: long + level: extended + + - name: symhash + short: A hash of the imports in a Mach-O file. + description: > + A hash of the imports in a Mach-O file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash + example: d3ccf195b62a9279c3c19af1080497ec + type: keyword + level: extended diff --git a/schemas/pe.yml b/schemas/pe.yml index 33aa725391..cbbac60bbc 100644 --- a/schemas/pe.yml +++ b/schemas/pe.yml 
@@ -78,6 +78,80 @@ description: CPU architecture target for the file. example: x64 + - name: go_import_hash + short: A hash of the Go language imports in an ELF file. + description: > + A hash of the Go language imports in a PE file excluding standard library imports. + An import hash can be used to fingerprint binaries even after recompilation or other + code-level transformations have occurred, which would change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available [here](https://github.com/elastic/toutoumomoma). + example: 10bddcb4cee42080f76c88d9ff964491 + type: keyword + level: extended + + - name: go_imports + description: > + List of imported Go language element names and types. + type: flattened + level: extended + + - name: go_imports_names_entropy + description: > + Shannon entropy calculation from the list of Go imports. + type: long + format: number + level: extended + + - name: go_imports_names_var_entropy + description: > + Variance for Shannon entropy calculation from the list of Go imports. + type: long + format: number + level: extended + + - name: go_stripped + short: Whether the file is a stripped or obfuscated Go executable. + description: > + Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. + type: boolean + level: extended + + - name: import_hash + short: A hash of the imports in an ELF file. + description: > + A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for imphash. + example: d41d8cd98f00b204e9800998ecf8427e + type: keyword + level: extended + + - name: imports + description: > + List of imported element names and types. 
+ type: flattened + level: extended + normalize: + - array + + - name: imports_names_entropy + description: > + Shannon entropy calculation from the list of imported element names and types. + format: number + type: long + level: extended + + - name: imports_names_var_entropy + description: > + Variance for Shannon entropy calculation from the list of imported element names and types. + format: number + type: long + level: extended + - name: pehash level: extended type: keyword @@ -88,3 +162,50 @@ Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html. example: 73ff189b63cd6be375a7ff25179a38d347651975 + + - name: sections + short: Section information of the PE file. + description: > + An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`. + type: nested + level: extended + normalize: + - "array" + + - name: sections.entropy + description: > + Shannon entropy calculation from the section. + format: number + type: long + level: extended + + - name: sections.name + description: > + PE Section List name. + type: keyword + level: extended + + - name: sections.physical_size + description: > + PE Section List physical size. + format: bytes + type: long + level: extended + + - name: sections.var_entropy + description: > + Variance for Shannon entropy calculation from the section. + format: number + type: long + level: extended + + - name: sections.virtual_size + description: > + PE Section List virtual size. This is always the same as `physical_size`. + format: string + type: long + level: extended + diff --git a/schemas/subsets/main.yml b/schemas/subsets/main.yml index b836b721ea..0f2bc7dcd4 100644 --- a/schemas/subsets/main.yml +++ b/schemas/subsets/main.yml @@ -111,6 +111,8 @@ fields: fields: "*" log: fields: "*" + macho: + fields: "*" network: fields: "*" observer: 
@@ -265,6 +267,8 @@ fields: interactive: {} io: fields: "*" + macho: + fields: "*" name: {} parent: fields: @@ -287,6 +291,8 @@ fields: hash: fields: "*" interactive: {} + macho: + fields: "*" name: {} pe: fields: "*" @@ -569,4 +575,4 @@ fields: vulnerability: fields: "*" x509: - fields: "*" \ No newline at end of file + fields: "*" From 35ee4f3b3839030b4d418e71541a17e9fd6ad8d3 Mon Sep 17 00:00:00 2001 From: Dan Kortschak <90160302+efd6@users.noreply.github.com> Date: Wed, 2 Nov 2022 20:02:52 +1030 Subject: [PATCH 052/186] Fix typos in macho and pe schema files (#2095) --- docs/fields/field-details.asciidoc | 2 +- experimental/generated/beats/fields.ecs.yml | 8 ++-- experimental/generated/csv/fields.csv | 36 +++++++------- experimental/generated/ecs/ecs_flat.yml | 42 ++++++++--------- experimental/generated/ecs/ecs_nested.yml | 52 ++++++++++----------- generated/beats/fields.ecs.yml | 8 ++-- generated/csv/fields.csv | 36 +++++++------- generated/ecs/ecs_flat.yml | 42 ++++++++--------- generated/ecs/ecs_nested.yml | 52 ++++++++++----------- schemas/macho.yml | 6 +-- schemas/pe.yml | 4 +- 11 files changed, 144 insertions(+), 144 deletions(-) diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index 5a02560208..003d24545c 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -6061,7 +6061,7 @@ type: boolean [[field-macho-import-hash]] <> -a| A hash of the imports in an Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +a| A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for symhash. 
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index f0bf28be06..ed5dec9da2 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -3237,7 +3237,7 @@ level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in an Mach-O file. An import hash can be + description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. @@ -4574,7 +4574,7 @@ level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in an Mach-O file. An import hash can be + description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. @@ -6762,7 +6762,7 @@ level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in an Mach-O file. An import hash can be + description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. @@ -7383,7 +7383,7 @@ level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in an Mach-O file. An import hash can be + description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index f7026779f1..64abcfa89a 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -167,13 +167,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 8.7.0-dev+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 8.7.0-dev+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.7.0-dev+exp,true,dll,dll.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev+exp,true,dll,dll.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. 8.7.0-dev+exp,true,dll,dll.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. 8.7.0-dev+exp,true,dll,dll.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 8.7.0-dev+exp,true,dll,dll.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 8.7.0-dev+exp,true,dll,dll.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 8.7.0-dev+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.7.0-dev+exp,true,dll,dll.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.7.0-dev+exp,true,dll,dll.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. 8.7.0-dev+exp,true,dll,dll.pe.imports,flattened,extended,array,,List of imported element names and types. 8.7.0-dev+exp,true,dll,dll.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
8.7.0-dev+exp,true,dll,dll.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
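Review bot: pre-existing but visible in this hunk's context, the `dll.pe.file_version` row still carries the Description "Process name." next to the Example `6.3.9600.17415`, which is a copy-paste leftover rather than a description of the file version. Since this patch is already correcting wrong shorts in the pe schema, worth fixing the `short` of `pe.file_version` in schemas/pe.yml in the same pass so the CSV reads like its siblings, e.g. "Internal version of the file, provided at compile-time." The same row recurs in the file.pe, process.pe, process.parent.pe and threat.*.pe hunks below, so one schema change regenerates all of them.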
@@ -338,12 +338,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. 8.7.0-dev+exp,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. 8.7.0-dev+exp,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.7.0-dev+exp,true,file,file.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev+exp,true,file,file.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. 8.7.0-dev+exp,true,file,file.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. 8.7.0-dev+exp,true,file,file.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 8.7.0-dev+exp,true,file,file.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 8.7.0-dev+exp,true,file,file.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.7.0-dev+exp,true,file,file.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.7.0-dev+exp,true,file,file.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. 8.7.0-dev+exp,true,file,file.macho.imports,flattened,extended,array,,List of imported element names and types. 8.7.0-dev+exp,true,file,file.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 8.7.0-dev+exp,true,file,file.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
@@ -365,13 +365,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 8.7.0-dev+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 8.7.0-dev+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.7.0-dev+exp,true,file,file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev+exp,true,file,file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. 8.7.0-dev+exp,true,file,file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. 8.7.0-dev+exp,true,file,file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 8.7.0-dev+exp,true,file,file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 8.7.0-dev+exp,true,file,file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 8.7.0-dev+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.7.0-dev+exp,true,file,file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.7.0-dev+exp,true,file,file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. 8.7.0-dev+exp,true,file,file.pe.imports,flattened,extended,array,,List of imported element names and types. 8.7.0-dev+exp,true,file,file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
8.7.0-dev+exp,true,file,file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
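Review bot: the corrected `file.pe.go_import_hash` Description in this hunk, "A hash of the Go language imports in a PE file.", omits the qualifier that the full field description in schemas/pe.yml carries, "excluding standard library imports". The CSV and the field-list tables show only the `short`, so a reader here cannot tell that this hash is computed over a different import set than `imphash`/`import_hash`; suggest something like "A hash of the non-standard-library Go imports in a PE file." while these lines are being touched, and the same for the macho short if its description carries the same qualifier.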
@@ -737,12 +737,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,process,process.io.total_bytes_captured,number,extended,,,The total number of bytes captured in this event. 8.7.0-dev+exp,true,process,process.io.total_bytes_skipped,number,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. 8.7.0-dev+exp,true,process,process.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. -8.7.0-dev+exp,true,process,process.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev+exp,true,process,process.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. 8.7.0-dev+exp,true,process,process.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. 8.7.0-dev+exp,true,process,process.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 8.7.0-dev+exp,true,process,process.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 8.7.0-dev+exp,true,process,process.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.7.0-dev+exp,true,process,process.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.7.0-dev+exp,true,process,process.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. 8.7.0-dev+exp,true,process,process.macho.imports,flattened,extended,array,,List of imported element names and types. 8.7.0-dev+exp,true,process,process.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
8.7.0-dev+exp,true,process,process.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
@@ -824,12 +824,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. 8.7.0-dev+exp,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. 8.7.0-dev+exp,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.7.0-dev+exp,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev+exp,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. 8.7.0-dev+exp,true,process,process.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. 8.7.0-dev+exp,true,process,process.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 8.7.0-dev+exp,true,process,process.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 8.7.0-dev+exp,true,process,process.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.7.0-dev+exp,true,process,process.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.7.0-dev+exp,true,process,process.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. 8.7.0-dev+exp,true,process,process.parent.macho.imports,flattened,extended,array,,List of imported element names and types. 8.7.0-dev+exp,true,process,process.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
8.7.0-dev+exp,true,process,process.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
@@ -846,13 +846,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 8.7.0-dev+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 8.7.0-dev+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.7.0-dev+exp,true,process,process.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev+exp,true,process,process.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. 8.7.0-dev+exp,true,process,process.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. 8.7.0-dev+exp,true,process,process.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 8.7.0-dev+exp,true,process,process.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 8.7.0-dev+exp,true,process,process.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 8.7.0-dev+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.7.0-dev+exp,true,process,process.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.7.0-dev+exp,true,process,process.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. 8.7.0-dev+exp,true,process,process.parent.pe.imports,flattened,extended,array,,List of imported element names and types. 
8.7.0-dev+exp,true,process,process.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 8.7.0-dev+exp,true,process,process.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
@@ -897,13 +897,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 8.7.0-dev+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 8.7.0-dev+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.7.0-dev+exp,true,process,process.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev+exp,true,process,process.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. 8.7.0-dev+exp,true,process,process.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. 8.7.0-dev+exp,true,process,process.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 8.7.0-dev+exp,true,process,process.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 8.7.0-dev+exp,true,process,process.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 8.7.0-dev+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.7.0-dev+exp,true,process,process.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.7.0-dev+exp,true,process,process.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. 8.7.0-dev+exp,true,process,process.pe.imports,flattened,extended,array,,List of imported element names and types. 
8.7.0-dev+exp,true,process,process.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 8.7.0-dev+exp,true,process,process.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
@@ -1207,13 +1207,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. 
+8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
@@ -1422,13 +1422,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 8.7.0-dev+exp,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 8.7.0-dev+exp,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.7.0-dev+exp,true,threat,threat.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev+exp,true,threat,threat.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. 8.7.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. 8.7.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 8.7.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 8.7.0-dev+exp,true,threat,threat.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 8.7.0-dev+exp,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.7.0-dev+exp,true,threat,threat.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.7.0-dev+exp,true,threat,threat.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. 
8.7.0-dev+exp,true,threat,threat.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. 8.7.0-dev+exp,true,threat,threat.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 8.7.0-dev+exp,true,threat,threat.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 2c85f9915f..47d547a164 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -2039,7 +2039,7 @@ dll.pe.go_import_hash: name: go_import_hash normalize: [] original_fieldset: pe - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a PE file. type: keyword dll.pe.go_imports: dashed_name: dll-pe-go-imports @@ -2114,7 +2114,7 @@ dll.pe.import_hash: name: import_hash normalize: [] original_fieldset: pe - short: A hash of the imports in an ELF file. + short: A hash of the imports in a PE file. type: keyword dll.pe.imports: dashed_name: dll-pe-imports @@ -4616,7 +4616,7 @@ file.macho.go_import_hash: name: go_import_hash normalize: [] original_fieldset: macho - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a Mach-O file. type: keyword file.macho.go_imports: dashed_name: file-macho-go-imports @@ -4663,7 +4663,7 @@ file.macho.go_stripped: type: boolean file.macho.import_hash: dashed_name: file-macho-import-hash - description: 'A hash of the imports in an Mach-O file. An import hash can be used + description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. 
@@ -4675,7 +4675,7 @@ file.macho.import_hash: name: import_hash normalize: [] original_fieldset: macho - short: A hash of the imports in an ELF file. + short: A hash of the imports in a Mach-O file. type: keyword file.macho.imports: dashed_name: file-macho-imports @@ -4933,7 +4933,7 @@ file.pe.go_import_hash: name: go_import_hash normalize: [] original_fieldset: pe - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a PE file. type: keyword file.pe.go_imports: dashed_name: file-pe-go-imports @@ -5008,7 +5008,7 @@ file.pe.import_hash: name: import_hash normalize: [] original_fieldset: pe - short: A hash of the imports in an ELF file. + short: A hash of the imports in a PE file. type: keyword file.pe.imports: dashed_name: file-pe-imports @@ -9442,7 +9442,7 @@ process.macho.go_import_hash: name: go_import_hash normalize: [] original_fieldset: macho - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a Mach-O file. type: keyword process.macho.go_imports: dashed_name: process-macho-go-imports @@ -9489,7 +9489,7 @@ process.macho.go_stripped: type: boolean process.macho.import_hash: dashed_name: process-macho-import-hash - description: 'A hash of the imports in an Mach-O file. An import hash can be used + description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. @@ -9501,7 +9501,7 @@ process.macho.import_hash: name: import_hash normalize: [] original_fieldset: macho - short: A hash of the imports in an ELF file. + short: A hash of the imports in a Mach-O file. type: keyword process.macho.imports: dashed_name: process-macho-imports 
@@ -10496,7 +10496,7 @@ process.parent.macho.go_import_hash: name: go_import_hash normalize: [] original_fieldset: macho - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a Mach-O file. type: keyword process.parent.macho.go_imports: dashed_name: process-parent-macho-go-imports @@ -10543,7 +10543,7 @@ process.parent.macho.go_stripped: type: boolean process.parent.macho.import_hash: dashed_name: process-parent-macho-import-hash - description: 'A hash of the imports in an Mach-O file. An import hash can be used + description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. @@ -10555,7 +10555,7 @@ process.parent.macho.import_hash: name: import_hash normalize: [] original_fieldset: macho - short: A hash of the imports in an ELF file. + short: A hash of the imports in a Mach-O file. type: keyword process.parent.macho.imports: dashed_name: process-parent-macho-imports @@ -10760,7 +10760,7 @@ process.parent.pe.go_import_hash: name: go_import_hash normalize: [] original_fieldset: pe - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a PE file. type: keyword process.parent.pe.go_imports: dashed_name: process-parent-pe-go-imports @@ -10835,7 +10835,7 @@ process.parent.pe.import_hash: name: import_hash normalize: [] original_fieldset: pe - short: A hash of the imports in an ELF file. + short: A hash of the imports in a PE file. type: keyword process.parent.pe.imports: dashed_name: process-parent-pe-imports @@ -11341,7 +11341,7 @@ process.pe.go_import_hash: name: go_import_hash normalize: [] original_fieldset: pe - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a PE file. type: keyword process.pe.go_imports: dashed_name: process-pe-go-imports 
@@ -11416,7 +11416,7 @@ process.pe.import_hash: name: import_hash normalize: [] original_fieldset: pe - short: A hash of the imports in an ELF file. + short: A hash of the imports in a PE file. type: keyword process.pe.imports: dashed_name: process-pe-imports @@ -15245,7 +15245,7 @@ threat.enrichments.indicator.file.pe.go_import_hash: name: go_import_hash normalize: [] original_fieldset: pe - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a PE file. type: keyword threat.enrichments.indicator.file.pe.go_imports: dashed_name: threat-enrichments-indicator-file-pe-go-imports @@ -15320,7 +15320,7 @@ threat.enrichments.indicator.file.pe.import_hash: name: import_hash normalize: [] original_fieldset: pe - short: A hash of the imports in an ELF file. + short: A hash of the imports in a PE file. type: keyword threat.enrichments.indicator.file.pe.imports: dashed_name: threat-enrichments-indicator-file-pe-imports @@ -17923,7 +17923,7 @@ threat.indicator.file.pe.go_import_hash: name: go_import_hash normalize: [] original_fieldset: pe - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a PE file. type: keyword threat.indicator.file.pe.go_imports: dashed_name: threat-indicator-file-pe-go-imports @@ -17998,7 +17998,7 @@ threat.indicator.file.pe.import_hash: name: import_hash normalize: [] original_fieldset: pe - short: A hash of the imports in an ELF file. + short: A hash of the imports in a PE file. type: keyword threat.indicator.file.pe.imports: dashed_name: threat-indicator-file-pe-imports diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index b63b8115ef..07834aae46 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -2512,7 +2512,7 @@ dll: name: go_import_hash normalize: [] original_fieldset: pe - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a PE file. type: keyword dll.pe.go_imports: dashed_name: dll-pe-go-imports @@ -2587,7 +2587,7 @@ dll: name: import_hash normalize: [] original_fieldset: pe - short: A hash of the imports in an ELF file. + short: A hash of the imports in a PE file. type: keyword dll.pe.imports: dashed_name: dll-pe-imports @@ -5651,7 +5651,7 @@ file: name: go_import_hash normalize: [] original_fieldset: macho - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a Mach-O file. type: keyword file.macho.go_imports: dashed_name: file-macho-go-imports @@ -5698,7 +5698,7 @@ file: type: boolean file.macho.import_hash: dashed_name: file-macho-import-hash - description: 'A hash of the imports in an Mach-O file. An import hash can be + description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. @@ -5710,7 +5710,7 @@ file: name: import_hash normalize: [] original_fieldset: macho - short: A hash of the imports in an ELF file. + short: A hash of the imports in a Mach-O file. type: keyword file.macho.imports: dashed_name: file-macho-imports @@ -5969,7 +5969,7 @@ file: name: go_import_hash normalize: [] original_fieldset: pe - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a PE file. type: keyword file.pe.go_imports: dashed_name: file-pe-go-imports @@ -6044,7 +6044,7 @@ file: name: import_hash normalize: [] original_fieldset: pe - short: A hash of the imports in an ELF file. + short: A hash of the imports in a PE file. type: keyword file.pe.imports: dashed_name: file-pe-imports 
@@ -8010,7 +8010,7 @@ macho: level: extended name: go_import_hash normalize: [] - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a Mach-O file. type: keyword macho.go_imports: dashed_name: macho-go-imports @@ -8053,7 +8053,7 @@ macho: type: boolean macho.import_hash: dashed_name: macho-import-hash - description: 'A hash of the imports in an Mach-O file. An import hash can be + description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. @@ -8064,7 +8064,7 @@ macho: level: extended name: import_hash normalize: [] - short: A hash of the imports in an ELF file. + short: A hash of the imports in a Mach-O file. type: keyword macho.imports: dashed_name: macho-imports @@ -9558,7 +9558,7 @@ pe: level: extended name: go_import_hash normalize: [] - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a PE file. type: keyword pe.go_imports: dashed_name: pe-go-imports @@ -9627,7 +9627,7 @@ pe: level: extended name: import_hash normalize: [] - short: A hash of the imports in an ELF file. + short: A hash of the imports in a PE file. type: keyword pe.imports: dashed_name: pe-imports @@ -11657,7 +11657,7 @@ process: name: go_import_hash normalize: [] original_fieldset: macho - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a Mach-O file. type: keyword process.macho.go_imports: dashed_name: process-macho-go-imports 
@@ -11704,7 +11704,7 @@ process: type: boolean process.macho.import_hash: dashed_name: process-macho-import-hash - description: 'A hash of the imports in an Mach-O file. An import hash can be + description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. @@ -11716,7 +11716,7 @@ process: name: import_hash normalize: [] original_fieldset: macho - short: A hash of the imports in an ELF file. + short: A hash of the imports in a Mach-O file. type: keyword process.macho.imports: dashed_name: process-macho-imports @@ -12713,7 +12713,7 @@ process: name: go_import_hash normalize: [] original_fieldset: macho - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a Mach-O file. type: keyword process.parent.macho.go_imports: dashed_name: process-parent-macho-go-imports @@ -12760,7 +12760,7 @@ process: type: boolean process.parent.macho.import_hash: dashed_name: process-parent-macho-import-hash - description: 'A hash of the imports in an Mach-O file. An import hash can be + description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. @@ -12772,7 +12772,7 @@ process: name: import_hash normalize: [] original_fieldset: macho - short: A hash of the imports in an ELF file. + short: A hash of the imports in a Mach-O file. type: keyword process.parent.macho.imports: dashed_name: process-parent-macho-imports @@ -12978,7 +12978,7 @@ process: name: go_import_hash normalize: [] original_fieldset: pe - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a PE file. type: keyword process.parent.pe.go_imports: dashed_name: process-parent-pe-go-imports 
@@ -13053,7 +13053,7 @@ process: name: import_hash normalize: [] original_fieldset: pe - short: A hash of the imports in an ELF file. + short: A hash of the imports in a PE file. type: keyword process.parent.pe.imports: dashed_name: process-parent-pe-imports @@ -13560,7 +13560,7 @@ process: name: go_import_hash normalize: [] original_fieldset: pe - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a PE file. type: keyword process.pe.go_imports: dashed_name: process-pe-go-imports @@ -13635,7 +13635,7 @@ process: name: import_hash normalize: [] original_fieldset: pe - short: A hash of the imports in an ELF file. + short: A hash of the imports in a PE file. type: keyword process.pe.imports: dashed_name: process-pe-imports @@ -17912,7 +17912,7 @@ threat: name: go_import_hash normalize: [] original_fieldset: pe - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a PE file. type: keyword threat.enrichments.indicator.file.pe.go_imports: dashed_name: threat-enrichments-indicator-file-pe-go-imports @@ -17987,7 +17987,7 @@ threat: name: import_hash normalize: [] original_fieldset: pe - short: A hash of the imports in an ELF file. + short: A hash of the imports in a PE file. type: keyword threat.enrichments.indicator.file.pe.imports: dashed_name: threat-enrichments-indicator-file-pe-imports @@ -20596,7 +20596,7 @@ threat: name: go_import_hash normalize: [] original_fieldset: pe - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a PE file. type: keyword threat.indicator.file.pe.go_imports: dashed_name: threat-indicator-file-pe-go-imports @@ -20671,7 +20671,7 @@ threat: name: import_hash normalize: [] original_fieldset: pe - short: A hash of the imports in an ELF file. + short: A hash of the imports in a PE file. type: keyword threat.indicator.file.pe.imports: dashed_name: threat-indicator-file-pe-imports 
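Review bot: the PE hunks across these `ecs_flat.yml` / `ecs_nested.yml` files change only the `short:` line of `pe.import_hash` and `pe.go_import_hash`, while the Mach-O hunks needed both `short:` and the multi-line `description:` corrected ("an Mach-O" to "a Mach-O"); please check that the `description:` text of the PE fields (not shown in any hunk) does not carry the same "ELF" wording, or the long-form docs will still be wrong after this lands. Since everything under `generated/` and `experimental/generated/` is build output, the wording fix needs to live in the source schema under `schemas/` for the `pe` and `macho` field sets and be regenerated from there; a hand edit of the generated files alone is reverted on the next regeneration.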
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index a091b25c5f..cc3d9963e9 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -3187,7 +3187,7 @@ level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in an Mach-O file. An import hash can be + description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. @@ -4524,7 +4524,7 @@ level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in an Mach-O file. An import hash can be + description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. @@ -6712,7 +6712,7 @@ level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in an Mach-O file. An import hash can be + description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. @@ -7333,7 +7333,7 @@ level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in an Mach-O file. An import hash can be + description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index e5d08c3228..cc35dae8c5 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -160,13 +160,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 8.7.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 8.7.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.7.0-dev,true,dll,dll.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev,true,dll,dll.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. 8.7.0-dev,true,dll,dll.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. 8.7.0-dev,true,dll,dll.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 8.7.0-dev,true,dll,dll.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 8.7.0-dev,true,dll,dll.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 8.7.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.7.0-dev,true,dll,dll.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.7.0-dev,true,dll,dll.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. 8.7.0-dev,true,dll,dll.pe.imports,flattened,extended,array,,List of imported element names and types. 8.7.0-dev,true,dll,dll.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
8.7.0-dev,true,dll,dll.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. @@ -331,12 +331,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. 8.7.0-dev,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. 8.7.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.7.0-dev,true,file,file.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev,true,file,file.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. 8.7.0-dev,true,file,file.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. 8.7.0-dev,true,file,file.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 8.7.0-dev,true,file,file.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 8.7.0-dev,true,file,file.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.7.0-dev,true,file,file.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.7.0-dev,true,file,file.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. 8.7.0-dev,true,file,file.macho.imports,flattened,extended,array,,List of imported element names and types. 8.7.0-dev,true,file,file.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 8.7.0-dev,true,file,file.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
@@ -358,13 +358,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 8.7.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 8.7.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.7.0-dev,true,file,file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev,true,file,file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. 8.7.0-dev,true,file,file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. 8.7.0-dev,true,file,file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 8.7.0-dev,true,file,file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 8.7.0-dev,true,file,file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 8.7.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.7.0-dev,true,file,file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.7.0-dev,true,file,file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. 8.7.0-dev,true,file,file.pe.imports,flattened,extended,array,,List of imported element names and types. 8.7.0-dev,true,file,file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
8.7.0-dev,true,file,file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
@@ -730,12 +730,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,process,process.io.total_bytes_captured,number,extended,,,The total number of bytes captured in this event. 8.7.0-dev,true,process,process.io.total_bytes_skipped,number,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. 8.7.0-dev,true,process,process.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. -8.7.0-dev,true,process,process.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev,true,process,process.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. 8.7.0-dev,true,process,process.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. 8.7.0-dev,true,process,process.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 8.7.0-dev,true,process,process.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 8.7.0-dev,true,process,process.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.7.0-dev,true,process,process.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.7.0-dev,true,process,process.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. 8.7.0-dev,true,process,process.macho.imports,flattened,extended,array,,List of imported element names and types. 8.7.0-dev,true,process,process.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
8.7.0-dev,true,process,process.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
@@ -817,12 +817,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. 8.7.0-dev,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. 8.7.0-dev,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.7.0-dev,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. 8.7.0-dev,true,process,process.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. 8.7.0-dev,true,process,process.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 8.7.0-dev,true,process,process.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 8.7.0-dev,true,process,process.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.7.0-dev,true,process,process.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.7.0-dev,true,process,process.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. 8.7.0-dev,true,process,process.parent.macho.imports,flattened,extended,array,,List of imported element names and types. 8.7.0-dev,true,process,process.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
8.7.0-dev,true,process,process.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
@@ -839,13 +839,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 8.7.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 8.7.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.7.0-dev,true,process,process.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev,true,process,process.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. 8.7.0-dev,true,process,process.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. 8.7.0-dev,true,process,process.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 8.7.0-dev,true,process,process.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 8.7.0-dev,true,process,process.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 8.7.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.7.0-dev,true,process,process.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.7.0-dev,true,process,process.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. 8.7.0-dev,true,process,process.parent.pe.imports,flattened,extended,array,,List of imported element names and types. 
8.7.0-dev,true,process,process.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 8.7.0-dev,true,process,process.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
@@ -890,13 +890,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 8.7.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 8.7.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.7.0-dev,true,process,process.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev,true,process,process.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. 8.7.0-dev,true,process,process.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. 8.7.0-dev,true,process,process.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 8.7.0-dev,true,process,process.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 8.7.0-dev,true,process,process.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 8.7.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.7.0-dev,true,process,process.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.7.0-dev,true,process,process.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. 8.7.0-dev,true,process,process.pe.imports,flattened,extended,array,,List of imported element names and types. 8.7.0-dev,true,process,process.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
8.7.0-dev,true,process,process.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
@@ -1200,13 +1200,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. 8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. 8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. 
+8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. 8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. 8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 8.7.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
@@ -1415,13 +1415,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 8.7.0-dev,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 8.7.0-dev,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.7.0-dev,true,threat,threat.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.7.0-dev,true,threat,threat.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. 8.7.0-dev,true,threat,threat.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. 8.7.0-dev,true,threat,threat.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 8.7.0-dev,true,threat,threat.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 8.7.0-dev,true,threat,threat.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 8.7.0-dev,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.7.0-dev,true,threat,threat.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.7.0-dev,true,threat,threat.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. 8.7.0-dev,true,threat,threat.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. 
8.7.0-dev,true,threat,threat.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 8.7.0-dev,true,threat,threat.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 954701ab12..bfe99f78ee 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -1970,7 +1970,7 @@ dll.pe.go_import_hash: name: go_import_hash normalize: [] original_fieldset: pe - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a PE file. type: keyword dll.pe.go_imports: dashed_name: dll-pe-go-imports @@ -2045,7 +2045,7 @@ dll.pe.import_hash: name: import_hash normalize: [] original_fieldset: pe - short: A hash of the imports in an ELF file. + short: A hash of the imports in a PE file. type: keyword dll.pe.imports: dashed_name: dll-pe-imports @@ -4547,7 +4547,7 @@ file.macho.go_import_hash: name: go_import_hash normalize: [] original_fieldset: macho - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a Mach-O file. type: keyword file.macho.go_imports: dashed_name: file-macho-go-imports @@ -4594,7 +4594,7 @@ file.macho.go_stripped: type: boolean file.macho.import_hash: dashed_name: file-macho-import-hash - description: 'A hash of the imports in an Mach-O file. An import hash can be used + description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. 
@@ -4606,7 +4606,7 @@ file.macho.import_hash: name: import_hash normalize: [] original_fieldset: macho - short: A hash of the imports in an ELF file. + short: A hash of the imports in a Mach-O file. type: keyword file.macho.imports: dashed_name: file-macho-imports @@ -4864,7 +4864,7 @@ file.pe.go_import_hash: name: go_import_hash normalize: [] original_fieldset: pe - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a PE file. type: keyword file.pe.go_imports: dashed_name: file-pe-go-imports @@ -4939,7 +4939,7 @@ file.pe.import_hash: name: import_hash normalize: [] original_fieldset: pe - short: A hash of the imports in an ELF file. + short: A hash of the imports in a PE file. type: keyword file.pe.imports: dashed_name: file-pe-imports @@ -9373,7 +9373,7 @@ process.macho.go_import_hash: name: go_import_hash normalize: [] original_fieldset: macho - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a Mach-O file. type: keyword process.macho.go_imports: dashed_name: process-macho-go-imports @@ -9420,7 +9420,7 @@ process.macho.go_stripped: type: boolean process.macho.import_hash: dashed_name: process-macho-import-hash - description: 'A hash of the imports in an Mach-O file. An import hash can be used + description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. @@ -9432,7 +9432,7 @@ process.macho.import_hash: name: import_hash normalize: [] original_fieldset: macho - short: A hash of the imports in an ELF file. + short: A hash of the imports in a Mach-O file. type: keyword process.macho.imports: dashed_name: process-macho-imports 
@@ -10427,7 +10427,7 @@ process.parent.macho.go_import_hash: name: go_import_hash normalize: [] original_fieldset: macho - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a Mach-O file. type: keyword process.parent.macho.go_imports: dashed_name: process-parent-macho-go-imports @@ -10474,7 +10474,7 @@ process.parent.macho.go_stripped: type: boolean process.parent.macho.import_hash: dashed_name: process-parent-macho-import-hash - description: 'A hash of the imports in an Mach-O file. An import hash can be used + description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. @@ -10486,7 +10486,7 @@ process.parent.macho.import_hash: name: import_hash normalize: [] original_fieldset: macho - short: A hash of the imports in an ELF file. + short: A hash of the imports in a Mach-O file. type: keyword process.parent.macho.imports: dashed_name: process-parent-macho-imports @@ -10691,7 +10691,7 @@ process.parent.pe.go_import_hash: name: go_import_hash normalize: [] original_fieldset: pe - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a PE file. type: keyword process.parent.pe.go_imports: dashed_name: process-parent-pe-go-imports @@ -10766,7 +10766,7 @@ process.parent.pe.import_hash: name: import_hash normalize: [] original_fieldset: pe - short: A hash of the imports in an ELF file. + short: A hash of the imports in a PE file. type: keyword process.parent.pe.imports: dashed_name: process-parent-pe-imports @@ -11272,7 +11272,7 @@ process.pe.go_import_hash: name: go_import_hash normalize: [] original_fieldset: pe - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a PE file. type: keyword process.pe.go_imports: dashed_name: process-pe-go-imports 
@@ -11347,7 +11347,7 @@ process.pe.import_hash: name: import_hash normalize: [] original_fieldset: pe - short: A hash of the imports in an ELF file. + short: A hash of the imports in a PE file. type: keyword process.pe.imports: dashed_name: process-pe-imports @@ -15176,7 +15176,7 @@ threat.enrichments.indicator.file.pe.go_import_hash: name: go_import_hash normalize: [] original_fieldset: pe - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a PE file. type: keyword threat.enrichments.indicator.file.pe.go_imports: dashed_name: threat-enrichments-indicator-file-pe-go-imports @@ -15251,7 +15251,7 @@ threat.enrichments.indicator.file.pe.import_hash: name: import_hash normalize: [] original_fieldset: pe - short: A hash of the imports in an ELF file. + short: A hash of the imports in a PE file. type: keyword threat.enrichments.indicator.file.pe.imports: dashed_name: threat-enrichments-indicator-file-pe-imports @@ -17854,7 +17854,7 @@ threat.indicator.file.pe.go_import_hash: name: go_import_hash normalize: [] original_fieldset: pe - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a PE file. type: keyword threat.indicator.file.pe.go_imports: dashed_name: threat-indicator-file-pe-go-imports @@ -17929,7 +17929,7 @@ threat.indicator.file.pe.import_hash: name: import_hash normalize: [] original_fieldset: pe - short: A hash of the imports in an ELF file. + short: A hash of the imports in a PE file. type: keyword threat.indicator.file.pe.imports: dashed_name: threat-indicator-file-pe-imports diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index ea6af99d24..fe2e1d6d2f 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -2432,7 +2432,7 @@ dll: name: go_import_hash normalize: [] original_fieldset: pe - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a PE file. type: keyword dll.pe.go_imports: dashed_name: dll-pe-go-imports @@ -2507,7 +2507,7 @@ dll: name: import_hash normalize: [] original_fieldset: pe - short: A hash of the imports in an ELF file. + short: A hash of the imports in a PE file. type: keyword dll.pe.imports: dashed_name: dll-pe-imports @@ -5571,7 +5571,7 @@ file: name: go_import_hash normalize: [] original_fieldset: macho - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a Mach-O file. type: keyword file.macho.go_imports: dashed_name: file-macho-go-imports @@ -5618,7 +5618,7 @@ file: type: boolean file.macho.import_hash: dashed_name: file-macho-import-hash - description: 'A hash of the imports in an Mach-O file. An import hash can be + description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. @@ -5630,7 +5630,7 @@ file: name: import_hash normalize: [] original_fieldset: macho - short: A hash of the imports in an ELF file. + short: A hash of the imports in a Mach-O file. type: keyword file.macho.imports: dashed_name: file-macho-imports @@ -5889,7 +5889,7 @@ file: name: go_import_hash normalize: [] original_fieldset: pe - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a PE file. type: keyword file.pe.go_imports: dashed_name: file-pe-go-imports @@ -5964,7 +5964,7 @@ file: name: import_hash normalize: [] original_fieldset: pe - short: A hash of the imports in an ELF file. + short: A hash of the imports in a PE file. type: keyword file.pe.imports: dashed_name: file-pe-imports 
@@ -7930,7 +7930,7 @@ macho: level: extended name: go_import_hash normalize: [] - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a Mach-O file. type: keyword macho.go_imports: dashed_name: macho-go-imports @@ -7973,7 +7973,7 @@ macho: type: boolean macho.import_hash: dashed_name: macho-import-hash - description: 'A hash of the imports in an Mach-O file. An import hash can be + description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. @@ -7984,7 +7984,7 @@ macho: level: extended name: import_hash normalize: [] - short: A hash of the imports in an ELF file. + short: A hash of the imports in a Mach-O file. type: keyword macho.imports: dashed_name: macho-imports @@ -9478,7 +9478,7 @@ pe: level: extended name: go_import_hash normalize: [] - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a PE file. type: keyword pe.go_imports: dashed_name: pe-go-imports @@ -9547,7 +9547,7 @@ pe: level: extended name: import_hash normalize: [] - short: A hash of the imports in an ELF file. + short: A hash of the imports in a PE file. type: keyword pe.imports: dashed_name: pe-imports @@ -11577,7 +11577,7 @@ process: name: go_import_hash normalize: [] original_fieldset: macho - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a Mach-O file. type: keyword process.macho.go_imports: dashed_name: process-macho-go-imports 
@@ -11624,7 +11624,7 @@ process: type: boolean process.macho.import_hash: dashed_name: process-macho-import-hash - description: 'A hash of the imports in an Mach-O file. An import hash can be + description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. @@ -11636,7 +11636,7 @@ process: name: import_hash normalize: [] original_fieldset: macho - short: A hash of the imports in an ELF file. + short: A hash of the imports in a Mach-O file. type: keyword process.macho.imports: dashed_name: process-macho-imports @@ -12633,7 +12633,7 @@ process: name: go_import_hash normalize: [] original_fieldset: macho - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a Mach-O file. type: keyword process.parent.macho.go_imports: dashed_name: process-parent-macho-go-imports @@ -12680,7 +12680,7 @@ process: type: boolean process.parent.macho.import_hash: dashed_name: process-parent-macho-import-hash - description: 'A hash of the imports in an Mach-O file. An import hash can be + description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. @@ -12692,7 +12692,7 @@ process: name: import_hash normalize: [] original_fieldset: macho - short: A hash of the imports in an ELF file. + short: A hash of the imports in a Mach-O file. type: keyword process.parent.macho.imports: dashed_name: process-parent-macho-imports @@ -12898,7 +12898,7 @@ process: name: go_import_hash normalize: [] original_fieldset: pe - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a PE file. type: keyword process.parent.pe.go_imports: dashed_name: process-parent-pe-go-imports 
@@ -12973,7 +12973,7 @@ process: name: import_hash normalize: [] original_fieldset: pe - short: A hash of the imports in an ELF file. + short: A hash of the imports in a PE file. type: keyword process.parent.pe.imports: dashed_name: process-parent-pe-imports @@ -13480,7 +13480,7 @@ process: name: go_import_hash normalize: [] original_fieldset: pe - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a PE file. type: keyword process.pe.go_imports: dashed_name: process-pe-go-imports @@ -13555,7 +13555,7 @@ process: name: import_hash normalize: [] original_fieldset: pe - short: A hash of the imports in an ELF file. + short: A hash of the imports in a PE file. type: keyword process.pe.imports: dashed_name: process-pe-imports @@ -17832,7 +17832,7 @@ threat: name: go_import_hash normalize: [] original_fieldset: pe - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a PE file. type: keyword threat.enrichments.indicator.file.pe.go_imports: dashed_name: threat-enrichments-indicator-file-pe-go-imports @@ -17907,7 +17907,7 @@ threat: name: import_hash normalize: [] original_fieldset: pe - short: A hash of the imports in an ELF file. + short: A hash of the imports in a PE file. type: keyword threat.enrichments.indicator.file.pe.imports: dashed_name: threat-enrichments-indicator-file-pe-imports @@ -20516,7 +20516,7 @@ threat: name: go_import_hash normalize: [] original_fieldset: pe - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a PE file. type: keyword threat.indicator.file.pe.go_imports: dashed_name: threat-indicator-file-pe-go-imports @@ -20591,7 +20591,7 @@ threat: name: import_hash normalize: [] original_fieldset: pe - short: A hash of the imports in an ELF file. + short: A hash of the imports in a PE file. type: keyword threat.indicator.file.pe.imports: dashed_name: threat-indicator-file-pe-imports 
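Review bot: the `short` lines for `go_import_hash` and `import_hash` in the `macho` and `pe` fieldsets said "in an ELF file" while the adjacent `description` text already named the right format (in the `macho.import_hash` hunks, `description: 'A hash of the imports in a Mach-O file...` sits two lines above `short: A hash of the imports in an ELF file.`), so the fix is correct; because the identical one-word correction recurs across every generated copy (`ecs_flat.yml`, `ecs_nested.yml`, and the `dll.*`, `file.*`, `process.*`, `process.parent.*` and `threat.*` reuses), please confirm these artifacts were regenerated from the schema source rather than edited by hand, and consider a check in `scripts/tests` that a field's `short` and `description` agree on the file format for `original_fieldset: macho` and `original_fieldset: pe`, so this kind of drift is caught by CI next time.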
diff --git a/schemas/macho.yml b/schemas/macho.yml index fca3a0eb96..11d235e69f 100644 --- a/schemas/macho.yml +++ b/schemas/macho.yml @@ -34,7 +34,7 @@ beta: This field reuse is beta and subject to change. fields: - name: go_import_hash - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a Mach-O file. description: > A hash of the Go language imports in a Mach-O file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other @@ -74,9 +74,9 @@ level: extended - name: import_hash - short: A hash of the imports in an ELF file. + short: A hash of the imports in a Mach-O file. description: > - A hash of the imports in an Mach-O file. An import hash can be used to + A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. diff --git a/schemas/pe.yml b/schemas/pe.yml index cbbac60bbc..f2a5f1561e 100644 --- a/schemas/pe.yml +++ b/schemas/pe.yml @@ -79,7 +79,7 @@ example: x64 - name: go_import_hash - short: A hash of the Go language imports in an ELF file. + short: A hash of the Go language imports in a PE file. description: > A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other @@ -119,7 +119,7 @@ level: extended - name: import_hash - short: A hash of the imports in an ELF file. + short: A hash of the imports in a PE file. description: > A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level From 98ae70c417f386d88a74c3c90360be65cdc03ccc Mon Sep 17 00:00:00 2001 
From: Dan Kortschak <90160302+efd6@users.noreply.github.com> Date: Thu, 3 Nov 2022 01:31:06 +1030 Subject: [PATCH 053/186] Fix type of normalize for process.io.bytes_skipped (#2094) * Test that normalize fields are always lists Fails with AssertionError: 'array' is not an instance of : process.io.bytes_skipped * Fix type of normalize for process.io.bytes_skipped * update changelog Co-authored-by: Kylie Geller --- CHANGELOG.next.md | 14 ++++++++++++++ experimental/generated/csv/fields.csv | 2 +- experimental/generated/ecs/ecs_flat.yml | 3 ++- experimental/generated/ecs/ecs_nested.yml | 3 ++- generated/csv/fields.csv | 2 +- generated/ecs/ecs_flat.yml | 3 ++- generated/ecs/ecs_nested.yml | 3 ++- schemas/process.yml | 3 ++- scripts/tests/test_ecs_spec.py | 4 ++++ 9 files changed, 30 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 74d36b843a..30440a3739 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -65,6 +65,20 @@ Thanks, you're awesome :-) --> #### Deprecated +## [8.5.1](https://github.com/elastic/ecs/compare/v8.5.0...v8.5.1) + +### Schema Changes + +#### Added + +#### Improvements + +### Tooling and Artifact Changes + +#### Bugfixes + +* Fix type of `normalize` in `process.io.bytes_skipped`. #2094 + ## 8.5.0 (Hard Feature Freeze) ### Schema Changes diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 64abcfa89a..fcbd1ba48a 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -729,7 +729,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. 8.7.0-dev+exp,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. 8.7.0-dev+exp,true,process,process.io,object,extended,,,A chunk of input or output (IO) from a single process. -8.7.0-dev+exp,true,process,process.io.bytes_skipped,object,extended,"a, r, r, a, y",,An array of byte offsets and lengths denoting where IO data has been skipped. +8.7.0-dev+exp,true,process,process.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. 8.7.0-dev+exp,true,process,process.io.bytes_skipped.length,number,extended,,,The length of bytes skipped. 8.7.0-dev+exp,true,process,process.io.bytes_skipped.offset,number,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. 8.7.0-dev+exp,true,process,process.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 47d547a164..7abaaaeb2f 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -9337,7 +9337,8 @@ process.io.bytes_skipped: flat_name: process.io.bytes_skipped level: extended name: io.bytes_skipped - normalize: array + normalize: + - array short: An array of byte offsets and lengths denoting where IO data has been skipped. type: object process.io.bytes_skipped.length: diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 07834aae46..8923664f80 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -11549,7 +11549,8 @@ process: flat_name: process.io.bytes_skipped level: extended name: io.bytes_skipped - normalize: array + normalize: + - array short: An array of byte offsets and lengths denoting where IO data has been skipped. type: object diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index cc35dae8c5..b373f090eb 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -722,7 +722,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. 8.7.0-dev,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. 8.7.0-dev,true,process,process.io,object,extended,,,A chunk of input or output (IO) from a single process. -8.7.0-dev,true,process,process.io.bytes_skipped,object,extended,"a, r, r, a, y",,An array of byte offsets and lengths denoting where IO data has been skipped. +8.7.0-dev,true,process,process.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. 8.7.0-dev,true,process,process.io.bytes_skipped.length,number,extended,,,The length of bytes skipped. 8.7.0-dev,true,process,process.io.bytes_skipped.offset,number,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. 8.7.0-dev,true,process,process.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index bfe99f78ee..8b6b2a9f5c 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -9268,7 +9268,8 @@ process.io.bytes_skipped: flat_name: process.io.bytes_skipped level: extended name: io.bytes_skipped - normalize: array + normalize: + - array short: An array of byte offsets and lengths denoting where IO data has been skipped. type: object process.io.bytes_skipped.length: diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index fe2e1d6d2f..9c7ed12b5b 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -11469,7 +11469,8 @@ process: flat_name: process.io.bytes_skipped level: extended name: io.bytes_skipped - normalize: array + normalize: + - array short: An array of byte offsets and lengths denoting where IO data has been skipped. type: object diff --git a/schemas/process.yml b/schemas/process.yml index 06e91758f4..f1de1df6d2 100644 --- a/schemas/process.yml +++ b/schemas/process.yml @@ -403,7 +403,8 @@ description: > An array of byte offsets and lengths denoting where IO data has been skipped. - normalize: array + normalize: + - array - name: io.bytes_skipped.offset level: extended diff --git a/scripts/tests/test_ecs_spec.py b/scripts/tests/test_ecs_spec.py index a7a3d591c7..edb0b8420c 100644 --- a/scripts/tests/test_ecs_spec.py +++ b/scripts/tests/test_ecs_spec.py @@ -126,6 +126,10 @@ def test_related_fields_always_arrays(self): self.assertIn('array', field['normalize'], "All fields under `related.*` should be arrays") + def test_normalize_always_array(self): + for (field_name, field) in self.ecs_fields.items(): + self.assertIsInstance(field.get('normalize'), list, field_name) + if __name__ == '__main__': unittest.main() From 56d222d94d11dedb3bfd06faf0395864ae645ce7 Mon Sep 17 00:00:00 2001 From: Taylor Swanson <90622908+taylor-swanson@users.noreply.github.com> Date: Wed, 2 Nov 2022 12:10:03 -0500 Subject: [PATCH 054/186] Cut changelog for 8.5.1 (#2099) (#2101) --- CHANGELOG.md | 8 ++++++++ CHANGELOG.next.md | 14 -------------- 2 files changed, 8 insertions(+), 14 deletions(-) 
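Review bot: in the `scripts/tests/test_ecs_spec.py` hunk, `test_normalize_always_array` calls `self.assertIsInstance(field.get('normalize'), list, field_name)`, so a field that has no `normalize` key at all fails with "None is not an instance of list", indistinguishable from the string-typed case this PR fixes; add `self.assertIn('normalize', field, field_name)` before the isinstance check (or index with `field['normalize']`) so the two failure modes are reported separately. The guard itself is well placed: the `fields.csv` hunks show the bare string `array` was being iterated character by character into `"a, r, r, a, y"`, which is exactly what a list-type assertion prevents. Separately, the 8.5.1 block added to `CHANGELOG.next.md` carries empty `#### Added` and `#### Improvements` headings under `### Schema Changes`; drop headings that have no entries.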
diff --git a/CHANGELOG.md b/CHANGELOG.md index 043328caa9..2ecf93c8a1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,14 @@ # CHANGELOG All notable changes to this project will be documented in this file based on the [Keep a Changelog](http://keepachangelog.com/) Standard. This project adheres to [Semantic Versioning](http://semver.org/). +## [8.5.1](https://github.com/elastic/ecs/compare/v8.5.0...v8.5.1) + +### Tooling and Artifact Changes + +#### Bugfixes + +* Fix type of `normalize` in `process.io.bytes_skipped`. #2094 + ## [8.5.0](https://github.com/elastic/ecs/compare/v8.4.0...v8.5.0) ### Schema Changes diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 30440a3739..74d36b843a 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -65,20 +65,6 @@ Thanks, you're awesome :-) --> #### Deprecated -## [8.5.1](https://github.com/elastic/ecs/compare/v8.5.0...v8.5.1) - -### Schema Changes - -#### Added - -#### Improvements - -### Tooling and Artifact Changes - -#### Bugfixes - -* Fix type of `normalize` in `process.io.bytes_skipped`. #2094 - ## 8.5.0 (Hard Feature Freeze) ### Schema Changes From 0e60cb7b1cc21a61a3d2fed877bc88bb06a98fe5 Mon Sep 17 00:00:00 2001 From: Taylor Swanson <90622908+taylor-swanson@users.noreply.github.com> Date: Wed, 2 Nov 2022 12:22:40 -0500 Subject: [PATCH 055/186] Add release notes for 8.5.1 (#2100) (#2103) --- docs/release-notes/8.5.1.asciidoc | 12 ++++++++++++ docs/release-notes/index.asciidoc | 2 ++ 2 files changed, 14 insertions(+) create mode 100644 docs/release-notes/8.5.1.asciidoc diff --git a/docs/release-notes/8.5.1.asciidoc b/docs/release-notes/8.5.1.asciidoc new file mode 100644 index 0000000000..254f1d9018 --- /dev/null +++ b/docs/release-notes/8.5.1.asciidoc 
@@ -0,0 +1,12 @@ +[[ecs-release-notes-8.5.1]] +=== 8.5.1 + +[[tooling-changes-8.5.1]] +[float] +==== Tooling and artifact changes + +[[tooling-bugfixes-8.5.1]] +[float] +===== Bugfixes + +* Fix type of `normalize` in `process.io.bytes_skipped`. {ecs_pull}2094[#2094] diff --git a/docs/release-notes/index.asciidoc b/docs/release-notes/index.asciidoc index 206f2c8196..d15ca2250d 100644 --- a/docs/release-notes/index.asciidoc +++ b/docs/release-notes/index.asciidoc @@ -4,6 +4,7 @@ This section summarizes the changes in each release. * <> +* <> * <> * <> * <> @@ -20,6 +21,7 @@ This section summarizes the changes in each release. :pull: https://github.com/elastic/ecs/pull/ include::8.6.asciidoc[] +include::8.5.1.asciidoc[] include::8.5.asciidoc[] include::8.4.asciidoc[] include::8.3.1.asciidoc[] From 3034298872a06abd4b5cd9c7261da0d7cfabab6e Mon Sep 17 00:00:00 2001 From: Karl Godard Date: Tue, 8 Nov 2022 10:21:45 -0800 Subject: [PATCH 056/186] Fixes invalid 'number' type on 4 process.io subfields. (#2105) --- CHANGELOG.md | 8 ++++++++ docs/fields/field-details.asciidoc | 8 ++++---- experimental/generated/beats/fields.ecs.yml | 8 ++++---- experimental/generated/csv/fields.csv | 8 ++++---- experimental/generated/ecs/ecs_flat.yml | 8 ++++---- experimental/generated/ecs/ecs_nested.yml | 8 ++++---- .../elasticsearch/composable/component/process.json | 8 ++++---- experimental/generated/elasticsearch/legacy/template.json | 8 ++++---- generated/beats/fields.ecs.yml | 8 ++++---- generated/csv/fields.csv | 8 ++++---- generated/ecs/ecs_flat.yml | 8 ++++---- generated/ecs/ecs_nested.yml | 8 ++++---- generated/elasticsearch/composable/component/process.json | 8 ++++---- generated/elasticsearch/legacy/template.json | 8 ++++---- schemas/process.yml | 8 ++++---- 15 files changed, 64 insertions(+), 56 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2ecf93c8a1..a076383dc8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,6 +3,14 @@ # CHANGELOG All notable changes to this project will be documented in this file based on the [Keep a Changelog](http://keepachangelog.com/) Standard. This project adheres to [Semantic Versioning](http://semver.org/). +## [8.5.2](https://github.com/elastic/ecs/compare/v8.5.1...v8.5.2) + +### Schema Changes + +#### Bugfixes + +* Fixes invalid `number` type on 4 `process.io` subfields. #2105 + ## [8.5.1](https://github.com/elastic/ecs/compare/v8.5.0...v8.5.1) ### Tooling and Artifact Changes diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index 003d24545c..d9df94ed1e 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -8191,7 +8191,7 @@ a| beta:[ This field is beta and subject to change. ] The length of bytes skipped. -type: number +type: long @@ -8209,7 +8209,7 @@ a| beta:[ This field is beta and subject to change. ] The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. -type: number +type: long @@ -8265,7 +8265,7 @@ a| beta:[ This field is beta and subject to change. ] The total number of bytes captured in this event. -type: number +type: long @@ -8283,7 +8283,7 @@ a| beta:[ This field is beta and subject to change. ] The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure this value is always zero -type: number +type: long diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index ed5dec9da2..37b6b29566 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -6674,12 +6674,12 @@ default_field: false - name: io.bytes_skipped.length level: extended - type: number + type: long description: The length of bytes skipped. default_field: false - name: io.bytes_skipped.offset level: extended - type: number + type: long description: The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. default_field: false @@ -6702,12 +6702,12 @@ default_field: false - name: io.total_bytes_captured level: extended - type: number + type: long description: The total number of bytes captured in this event. default_field: false - name: io.total_bytes_skipped level: extended - type: number + type: long description: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure this value is always zero diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index fcbd1ba48a..d3503c2c59 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -730,12 +730,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. 8.7.0-dev+exp,true,process,process.io,object,extended,,,A chunk of input or output (IO) from a single process. 8.7.0-dev+exp,true,process,process.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. -8.7.0-dev+exp,true,process,process.io.bytes_skipped.length,number,extended,,,The length of bytes skipped. -8.7.0-dev+exp,true,process,process.io.bytes_skipped.offset,number,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. +8.7.0-dev+exp,true,process,process.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. +8.7.0-dev+exp,true,process,process.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. 8.7.0-dev+exp,true,process,process.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." 8.7.0-dev+exp,true,process,process.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. -8.7.0-dev+exp,true,process,process.io.total_bytes_captured,number,extended,,,The total number of bytes captured in this event. -8.7.0-dev+exp,true,process,process.io.total_bytes_skipped,number,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. +8.7.0-dev+exp,true,process,process.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. 
+8.7.0-dev+exp,true,process,process.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. 8.7.0-dev+exp,true,process,process.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. 8.7.0-dev+exp,true,process,process.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. 8.7.0-dev+exp,true,process,process.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 7abaaaeb2f..bccec4080d 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -9350,7 +9350,7 @@ process.io.bytes_skipped.length: name: io.bytes_skipped.length normalize: [] short: The length of bytes skipped. - type: number + type: long process.io.bytes_skipped.offset: beta: This field is beta and subject to change. dashed_name: process-io-bytes-skipped-offset @@ -9362,7 +9362,7 @@ process.io.bytes_skipped.offset: normalize: [] short: The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. - type: number + type: long process.io.max_bytes_per_process_exceeded: beta: This field is beta and subject to change. dashed_name: process-io-max-bytes-per-process-exceeded @@ -9399,7 +9399,7 @@ process.io.total_bytes_captured: name: io.total_bytes_captured normalize: [] short: The total number of bytes captured in this event. - type: number + type: long process.io.total_bytes_skipped: beta: This field is beta and subject to change. dashed_name: process-io-total-bytes-skipped 
@@ -9412,7 +9412,7 @@ process.io.total_bytes_skipped: normalize: [] short: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. - type: number + type: long process.io.type: beta: This field is beta and subject to change. dashed_name: process-io-type diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 8923664f80..8baed6a64f 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -11563,7 +11563,7 @@ process: name: io.bytes_skipped.length normalize: [] short: The length of bytes skipped. - type: number + type: long process.io.bytes_skipped.offset: beta: This field is beta and subject to change. dashed_name: process-io-bytes-skipped-offset @@ -11575,7 +11575,7 @@ process: normalize: [] short: The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. - type: number + type: long process.io.max_bytes_per_process_exceeded: beta: This field is beta and subject to change. dashed_name: process-io-max-bytes-per-process-exceeded @@ -11613,7 +11613,7 @@ process: name: io.total_bytes_captured normalize: [] short: The total number of bytes captured in this event. - type: number + type: long process.io.total_bytes_skipped: beta: This field is beta and subject to change. dashed_name: process-io-total-bytes-skipped @@ -11626,7 +11626,7 @@ process: normalize: [] short: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. - type: number + type: long process.io.type: beta: This field is beta and subject to change. dashed_name: process-io-type diff --git a/experimental/generated/elasticsearch/composable/component/process.json b/experimental/generated/elasticsearch/composable/component/process.json index d299ecd870..653a777d0a 100644 --- a/experimental/generated/elasticsearch/composable/component/process.json 
+++ b/experimental/generated/elasticsearch/composable/component/process.json @@ -688,10 +688,10 @@ "bytes_skipped": { "properties": { "length": { - "type": "number" + "type": "long" }, "offset": { - "type": "number" + "type": "long" } }, "type": "object" @@ -703,10 +703,10 @@ "type": "wildcard" }, "total_bytes_captured": { - "type": "number" + "type": "long" }, "total_bytes_skipped": { - "type": "number" + "type": "long" }, "type": { "ignore_above": 1024, diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index ed83955ed3..c45b707d01 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -3395,10 +3395,10 @@ "bytes_skipped": { "properties": { "length": { - "type": "number" + "type": "long" }, "offset": { - "type": "number" + "type": "long" } }, "type": "object" @@ -3410,10 +3410,10 @@ "type": "wildcard" }, "total_bytes_captured": { - "type": "number" + "type": "long" }, "total_bytes_skipped": { - "type": "number" + "type": "long" }, "type": { "ignore_above": 1024, diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index cc3d9963e9..1c94750300 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -6624,12 +6624,12 @@ default_field: false - name: io.bytes_skipped.length level: extended - type: number + type: long description: The length of bytes skipped. default_field: false - name: io.bytes_skipped.offset level: extended - type: number + type: long description: The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. default_field: false 
@@ -6652,12 +6652,12 @@ default_field: false - name: io.total_bytes_captured level: extended - type: number + type: long description: The total number of bytes captured in this event. default_field: false - name: io.total_bytes_skipped level: extended - type: number + type: long description: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure this value is always zero diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index b373f090eb..fef3259259 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -723,12 +723,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. 8.7.0-dev,true,process,process.io,object,extended,,,A chunk of input or output (IO) from a single process. 8.7.0-dev,true,process,process.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. -8.7.0-dev,true,process,process.io.bytes_skipped.length,number,extended,,,The length of bytes skipped. -8.7.0-dev,true,process,process.io.bytes_skipped.offset,number,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. +8.7.0-dev,true,process,process.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. +8.7.0-dev,true,process,process.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. 8.7.0-dev,true,process,process.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." 8.7.0-dev,true,process,process.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. -8.7.0-dev,true,process,process.io.total_bytes_captured,number,extended,,,The total number of bytes captured in this event. -8.7.0-dev,true,process,process.io.total_bytes_skipped,number,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. +8.7.0-dev,true,process,process.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. +8.7.0-dev,true,process,process.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. 
8.7.0-dev,true,process,process.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. 8.7.0-dev,true,process,process.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. 8.7.0-dev,true,process,process.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 8b6b2a9f5c..643ef2d2fe 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -9281,7 +9281,7 @@ process.io.bytes_skipped.length: name: io.bytes_skipped.length normalize: [] short: The length of bytes skipped. - type: number + type: long process.io.bytes_skipped.offset: beta: This field is beta and subject to change. dashed_name: process-io-bytes-skipped-offset @@ -9293,7 +9293,7 @@ process.io.bytes_skipped.offset: normalize: [] short: The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. - type: number + type: long process.io.max_bytes_per_process_exceeded: beta: This field is beta and subject to change. dashed_name: process-io-max-bytes-per-process-exceeded @@ -9330,7 +9330,7 @@ process.io.total_bytes_captured: name: io.total_bytes_captured normalize: [] short: The total number of bytes captured in this event. - type: number + type: long process.io.total_bytes_skipped: beta: This field is beta and subject to change. dashed_name: process-io-total-bytes-skipped @@ -9343,7 +9343,7 @@ process.io.total_bytes_skipped: normalize: [] short: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. - type: number + type: long process.io.type: beta: This field is beta and subject to change. dashed_name: process-io-type diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 9c7ed12b5b..1ec7b4e7ac 100644 --- a/generated/ecs/ecs_nested.yml 
+++ b/generated/ecs/ecs_nested.yml @@ -11483,7 +11483,7 @@ process: name: io.bytes_skipped.length normalize: [] short: The length of bytes skipped. - type: number + type: long process.io.bytes_skipped.offset: beta: This field is beta and subject to change. dashed_name: process-io-bytes-skipped-offset @@ -11495,7 +11495,7 @@ process: normalize: [] short: The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. - type: number + type: long process.io.max_bytes_per_process_exceeded: beta: This field is beta and subject to change. dashed_name: process-io-max-bytes-per-process-exceeded @@ -11533,7 +11533,7 @@ process: name: io.total_bytes_captured normalize: [] short: The total number of bytes captured in this event. - type: number + type: long process.io.total_bytes_skipped: beta: This field is beta and subject to change. dashed_name: process-io-total-bytes-skipped @@ -11546,7 +11546,7 @@ process: normalize: [] short: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. - type: number + type: long process.io.type: beta: This field is beta and subject to change. dashed_name: process-io-type diff --git a/generated/elasticsearch/composable/component/process.json b/generated/elasticsearch/composable/component/process.json index 37d411c728..6db5e13354 100644 --- a/generated/elasticsearch/composable/component/process.json +++ b/generated/elasticsearch/composable/component/process.json @@ -688,10 +688,10 @@ "bytes_skipped": { "properties": { "length": { - "type": "number" + "type": "long" }, "offset": { - "type": "number" + "type": "long" } }, "type": "object" @@ -703,10 +703,10 @@ "type": "wildcard" }, "total_bytes_captured": { - "type": "number" + "type": "long" }, "total_bytes_skipped": { - "type": "number" + "type": "long" }, "type": { "ignore_above": 1024, 
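Review bot: `long` is the right replacement in the generated/elasticsearch/composable/component/process.json hunks: `number` is not an Elasticsearch mapping type, so the `"type": "number"` entries for `bytes_skipped.length`, `bytes_skipped.offset`, `total_bytes_captured` and `total_bytes_skipped` would have made the component template unusable, and a 64-bit `long` rather than `integer` is the right width for byte counts and offsets, which can exceed 2^31 for a long-running process. One follow-up for the `bytes_skipped.offset` description carried in the ecs_flat.yml / ecs_nested.yml hunks: `io.text` is described as output "sanitized to UTF-8", so the text should say whether the offset counts bytes of the original stream or of the sanitized text, since the two can differ.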
diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index 0c86d1e5d1..b69dae1515 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -3353,10 +3353,10 @@ "bytes_skipped": { "properties": { "length": { - "type": "number" + "type": "long" }, "offset": { - "type": "number" + "type": "long" } }, "type": "object" @@ -3368,10 +3368,10 @@ "type": "wildcard" }, "total_bytes_captured": { - "type": "number" + "type": "long" }, "total_bytes_skipped": { - "type": "number" + "type": "long" }, "type": { "ignore_above": 1024, diff --git a/schemas/process.yml b/schemas/process.yml index f1de1df6d2..1a42e401f5 100644 --- a/schemas/process.yml +++ b/schemas/process.yml @@ -376,14 +376,14 @@ - name: io.total_bytes_captured level: extended - type: number + type: long beta: This field is beta and subject to change. description: > The total number of bytes captured in this event. - name: io.total_bytes_skipped level: extended - type: number + type: long beta: This field is beta and subject to change. short: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. description: > @@ -408,14 +408,14 @@ - name: io.bytes_skipped.offset level: extended - type: number + type: long beta: This field is beta and subject to change. description: > The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. - name: io.bytes_skipped.length level: extended - type: number + type: long beta: This field is beta and subject to change. description: > The length of bytes skipped. From fc9d072f0051608ca1a61109265059cae348fd71 Mon Sep 17 00:00:00 2001 
From: Kylie Geller Date: Tue, 8 Nov 2022 14:29:47 -0500 Subject: [PATCH 057/186] [main] Release notes for 8.5.2 (#2112) --- docs/release-notes/8.5.2.asciidoc | 12 ++++++++++++ docs/release-notes/index.asciidoc | 2 ++ 2 files changed, 14 insertions(+) create mode 100644 docs/release-notes/8.5.2.asciidoc diff --git a/docs/release-notes/8.5.2.asciidoc b/docs/release-notes/8.5.2.asciidoc new file mode 100644 index 0000000000..b00717afc4 --- /dev/null +++ b/docs/release-notes/8.5.2.asciidoc @@ -0,0 +1,12 @@ +[[ecs-release-notes-8.5.2]] +=== 8.5.2 + +[[schema-changes-8.5.2]] +[float] +==== Schema changes + +[[schema-bugfixes-8.5.2]] +[float] +===== Bugfixes + +* Fixes invalid `number` type on 4 `process.io` subfields. {ecs_pull}2105[#2105] diff --git a/docs/release-notes/index.asciidoc b/docs/release-notes/index.asciidoc index d15ca2250d..4f8e1c8106 100644 --- a/docs/release-notes/index.asciidoc +++ b/docs/release-notes/index.asciidoc @@ -4,6 +4,7 @@ This section summarizes the changes in each release. * <> +* <> * <> * <> * <> @@ -21,6 +22,7 @@ This section summarizes the changes in each release. :pull: https://github.com/elastic/ecs/pull/ include::8.6.asciidoc[] +include::8.5.2.asciidoc[] include::8.5.1.asciidoc[] include::8.5.asciidoc[] include::8.4.asciidoc[] From 16e1876802d3f90ec8302316c746717dc6850808 Mon Sep 17 00:00:00 2001 From: Dominic Page <11043991+djptek@users.noreply.github.com> Date: Fri, 18 Nov 2022 18:58:40 +0000 Subject: [PATCH 058/186] [elastic/ecs] Cutting 8.6 changelog for HFF (#2114) (#2116) * CHANGELOG.next.md prepared for HFF --- CHANGELOG.next.md | 49 ++--------------------------------------------- 1 file changed, 2 insertions(+), 47 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 74d36b843a..1b2ffa10ba 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md 
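Review bot: the new docs/release-notes/8.5.2.asciidoc entry links its PR with `{ecs_pull}2105[#2105]`, while the only pull-link attribute visible in the docs/release-notes/index.asciidoc hunk context is `:pull: https://github.com/elastic/ecs/pull/`; confirm that `ecs_pull` is defined in the docs build (or use `{pull}2105[#2105]`), otherwise the link renders as a literal `{ecs_pull}`. The entry's wording ("invalid `number` type on 4 `process.io` subfields") matches the four fields changed in #2105, which is good.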
@@ -32,17 +32,13 @@ Thanks, you're awesome :-) --> #### Deprecated -## 8.6.0 (Soft Feature Freeze) +## 8.6.0 (Hard Feature Freeze) ### Schema Changes -#### Breaking changes - -#### Bugfixes - #### Added -* Adding `vulnerability` option for `event.catgeory`. #2029 +* Adding `vulnerability` option for `event.category`. #2029 * Added `device.*` field set as beta. #2030 * Added `tlp.version` to threat #2074 * Added fields for executable object format metadata for ELF, Mach-O and PE #2083 @@ -51,47 +47,6 @@ Thanks, you're awesome :-) --> * Added `CLEAR` and `AMBER+STRICT` as valid values for `threat.indicator.marking.tlp` and `enrichments.indicator.marking.tlp` to accept new [TLP 2.0](https://www.first.org/tlp/) markings #2022, #2074 -#### Deprecated - -### Tooling and Artifact Changes - -#### Breaking changes - -#### Bugfixes - -#### Added - -#### Improvements - -#### Deprecated - -## 8.5.0 (Hard Feature Freeze) - -### Schema Changes - -* Fields added to process, user and group fieldsets in RFC 0030 (Linux event model) are now GA. Beta removed. - -#### Added - -* Adding `risk.*` fields as experimental. #1994, #2010 -* Adding `process.io.*` as beta fields. #1956, #2031 -* Adding `process.tty.rows` and `process.tty.columns` as beta fields. #2031 -* Changed `process.env_vars` field type to be an array of keywords. #2038 -* `process.attested_user` and `process.attested_groups` as beta fields. #2050 -* Added `risk.*` fieldset to beta. #2051, #2058 - -#### Improvements - -* Advances `threat.enrichments.indicator` to GA. #1928 -* Added `ios` and `android` as valid values for `os.type` #1999 - -### Tooling and Artifact Changes - -#### Bugfixes - -* Added Deprecation Warning for `misspell` task #1993 -* Fix typo in client schema #2014 - #### Bugfixes +* remove duplicated `client.domain` definition #212 + #### Added #### Improvements diff --git a/schemas/client.yml b/schemas/client.yml index b19251acf3..cfa1ae0da0 100644 --- a/schemas/client.yml +++ b/schemas/client.yml 
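Review bot: in the second CHANGELOG.next.md hunk the added entry `* remove duplicated `client.domain` definition #212` cites a PR number that looks truncated (the subject line references #2114 and #2116, and every other entry on this page uses a four-digit number); also, because the same hunk deletes the `### Tooling and Artifact Changes` heading above it, the entry now sits under a `#### Bugfixes` heading whose parent section is no longer visible in the hunk, so check that it lands under the intended section. The hunk also drops the whole `## 8.5.0 (Hard Feature Freeze)` block; that is only correct if those entries were already carried into CHANGELOG.md for the 8.5.0 release, which this diff does not show. The `event.catgeory` to `event.category` typo fix in the first hunk is correct.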
@@ -75,12 +75,6 @@ the octet as an unsigned integer. Successive octets are separated by a hyphen. - - name: domain - level: core - type: keyword - description: > - Client domain. - - name: domain level: core type: keyword From 9fe1894374c7c5458f63f0fba2b08942c370a692 Mon Sep 17 00:00:00 2001 From: mr1716 Date: Fri, 16 Dec 2022 14:10:01 -0500 Subject: [PATCH 060/186] RFC Stage 0: Create 0000-authentication-fields.md (#2023) --- rfcs/text/0036-authentication-fields.md | 137 ++++++++++++++++++++++++ 1 file changed, 137 insertions(+) create mode 100644 rfcs/text/0036-authentication-fields.md diff --git a/rfcs/text/0036-authentication-fields.md b/rfcs/text/0036-authentication-fields.md new file mode 100644 index 0000000000..4c9335cf07 --- /dev/null +++ b/rfcs/text/0036-authentication-fields.md 
@@ -0,0 +1,137 @@ +# 0036: Authentication Fields RFC + +Stage: 0 +Date: 2022-12-16 + +This RFC will provide normalization for fields related to authentication fields to assure that they are retained primarily in ECS core and in any extended fieldset when needed. These fields are important to normalize into ECS fields in order to maximize effectiveness of cross log utilization. + +## Fields + +#### Log +|Proposed Field Name|Type|Value|Description| +| --- | --- | --- | --- | +|authentication.scope|keyword|user_impersonation|azure.activitylogs.identity.claims.http://schemas_microsoft_com/identity/claims/scope| +|authentication.requirement|keyword|multiFactorAuthentication|azure.activitylogs.properties.authentication_requirement| +|authentication.additional.details|keyword|MFA requirement satisfied by claim in the token|azure.activitylogs.properties.status.additionalDetails| +|authentication.authorization|keyword|ROOTMANAGESHAREDACCESSKEY|azure.resource.authorization_rule| +|authentication.interactive|boolean|FALSE|azure.signinlogs.properties.interactive| +|authentication.risk|keyword|low|azure.signinlogs.properties.risk_level_aggregated| +|authentication.id|keyword||Unique ID given across primary authentication and additional (multi factor) authentication.| +|authentication.protocol|keyword||Authentication Protocol (authproto)| +|authentication.token|keyword||Unique token provided during the event| +|authentication.token.identifier|keyword||Login token identifier/value| + +## Source data + +The source data for the logn fields came from multiple data sources, such as Azure Eventhubs, Azure Blob Storage, or PanOS Authentication Logs. + +Here is a copy and example of a rawLog that came from Azure EventHubs. 
+```json +[ + { + "@timestamp": "2019-10-24T00:13:46.355Z", + "azure.activitylogs.category": "Action", + "azure.activitylogs.event_category": "Administrative", + "azure.activitylogs.identity.authorization.action": "Microsoft.EventHub/namespaces/authorizationRules/listKeys/action", + "azure.activitylogs.identity.authorization.evidence.principal_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "azure.activitylogs.identity.authorization.evidence.principal_type": "ServicePrincipal", + "azure.activitylogs.identity.authorization.evidence.role": "Azure EventGrid Service BuiltIn Role", + "azure.activitylogs.identity.authorization.evidence.role_assignment_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "azure.activitylogs.identity.authorization.evidence.role_assignment_scope": "/subscriptions/8a4de8b5-095c-47d0-a96f-a75130c61d53", + "azure.activitylogs.identity.authorization.evidence.role_definition_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "azure.activitylogs.identity.authorization.scope": "/subscriptions/8a4de8b5-095c-47d0-a96f-a75130c61d53/resourceGroups/sa-hem/providers/Microsoft.EventHub/namespaces/azurelsevents/authorizationRules/RootManageSharedAccessKey", + "azure.activitylogs.identity.claims.aio": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "azure.activitylogs.identity.claims.appid": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "azure.activitylogs.identity.claims.appidacr": "2", + "azure.activitylogs.identity.claims.aud": "https://management.core.windows.net/", + "azure.activitylogs.identity.claims.exp": "1571904826", + "azure.activitylogs.identity.claims.http://schemas_microsoft_com/identity/claims/identityprovider": "https://sts.windows.net/8a4de8b5-095c-47d0-a96f-a75130c61d53/", + "azure.activitylogs.identity.claims.http://schemas_microsoft_com/identity/claims/objectidentifier": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "azure.activitylogs.identity.claims.http://schemas_microsoft_com/identity/claims/tenantid": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + 
"azure.activitylogs.identity.claims.http://schemas_xmlsoap_org/ws/2005/05/identity/claims/nameidentifier": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "azure.activitylogs.identity.claims.iat": "1571875726", + "azure.activitylogs.identity.claims.iss": "https://sts.windows.net/8a4de8b5-095c-47d0-a96f-a75130c61d53/", + "azure.activitylogs.identity.claims.nbf": "1571875726", + "azure.activitylogs.identity.claims.uti": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "azure.activitylogs.identity.claims.ver": "1.0", + "azure.activitylogs.operation_name": "MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/LISTKEYS/ACTION", + "azure.activitylogs.result_signature": "Started.", + "azure.activitylogs.result_type": "Start", + "azure.correlation_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "azure.resource.authorization_rule": "ROOTMANAGESHAREDACCESSKEY", + "azure.resource.group": "SA-HEMA", + "azure.resource.id": "/SUBSCRIPTIONS/8a4de8b5-095c-47d0-a96f-a75130c61d53/RESOURCEGROUPS/SA-HEMA/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/AZURELSEVENTS/AUTHORIZATIONRULES/ROOTMANAGESHAREDACCESSKEY", + "azure.resource.namespace": "AZURELSEVENTS", + "azure.resource.provider": "MICROSOFT.EVENTHUB", + "azure.subscription_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "client.ip": "216.160.83.61", + "cloud.provider": "azure", + "event.action": "MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/LISTKEYS/ACTION", + "event.dataset": "azure.activitylogs", + "event.duration": 0, + "event.kind": "event", + "event.module": "azure", + "event.original": "{\"callerIpAddress\":\"216.160.83.61\",\"category\":\"Action\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"durationMs\":0,\"identity\":{\"authorization\":{\"action\":\"Microsoft.EventHub/namespaces/authorizationRules/listKeys/action\",\"evidence\":{\"principalId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"principalType\":\"ServicePrincipal\",\"role\":\"Azure EventGrid Service BuiltIn 
Role\",\"roleAssignmentId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"roleAssignmentScope\":\"/subscriptions/8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"roleDefinitionId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\"},\"scope\":\"/subscriptions/8a4de8b5-095c-47d0-a96f-a75130c61d53/resourceGroups/sa-hem/providers/Microsoft.EventHub/namespaces/azurelsevents/authorizationRules/RootManageSharedAccessKey\"},\"claims\":{\"aio\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"appid\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"appidacr\":\"2\",\"aud\":\"https://management.core.windows.net/\",\"exp\":\"1571904826\",\"http://schemas.microsoft.com/identity/claims/identityprovider\":\"https://sts.windows.net/8a4de8b5-095c-47d0-a96f-a75130c61d53/\",\"http://schemas.microsoft.com/identity/claims/objectidentifier\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"http://schemas.microsoft.com/identity/claims/tenantid\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"iat\":\"1571875726\",\"iss\":\"https://sts.windows.net/8a4de8b5-095c-47d0-a96f-a75130c61d53/\",\"nbf\":\"1571875726\",\"uti\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"ver\":\"1.0\"}},\"level\":\"Information\",\"location\":\"global\",\"operationName\":\"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/LISTKEYS/ACTION\",\"resourceId\":\"/SUBSCRIPTIONS/8a4de8b5-095c-47d0-a96f-a75130c61d53/RESOURCEGROUPS/SA-HEMA/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/AZURELSEVENTS/AUTHORIZATIONRULES/ROOTMANAGESHAREDACCESSKEY\",\"resultSignature\":\"Started.\",\"resultType\":\"Start\",\"time\":\"2019-10-24T00:13:46.3554259Z\"}", + "event.type": [ + "change" + ], + "fileset.name": "activitylogs", + "geo.city_name": "Milton", + "geo.continent_name": "North America", + "geo.country_iso_code": "US", + "geo.country_name": "United States", + "geo.location.lat": 47.2513, + "geo.location.lon": -122.3149, + "geo.region_iso_code": "US-WA", + 
"geo.region_name": "Washington", + "input.type": "log", + "log.level": "Information", + "log.offset": 0, + "related.ip": [ + "216.160.83.61" + ], + "service.type": "azure", + "source.as.number": 209, + "source.geo.city_name": "Milton", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 47.2513, + "source.geo.location.lon": -122.3149, + "source.geo.region_iso_code": "US-WA", + "source.geo.region_name": "Washington", + "source.ip": "216.160.83.61", + "tags": [ + "forwarded" + ] + } +] +``` +Palo Alto Authentication Logs: +FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Virtual System, Source IP, User, Normalize User, Object, Authentication Policy, Repeat Count, Authentication ID, Vendor, Log Action, Server Profile, Description, Client Type, Event Type, Factor Number, Sequence Number, Action Flags, Device Group Hierarchy 1, Device Group Hierarchy 2, Device Group Hierarchy 3, Device Group Hierarchy 4, Virtual System Name, Device Name, Virtual System ID, Authentication Protocol, UUID for rule, High Resolution Timestamp, Source Device Category, Source Device Profile, Source Device Model, Source Device Vendor, Source Device OS Family, Source Device OS Version, Source Hostname, Source Mac Address, Region, FUTURE_USE, User Agent, Session ID + + +## Scope of impact + +No impact expected as login fieldsets are not impacting any existing fields, as these proposed fields are new. Moreover, these fields allow logs to be in a greater alignment with the ECS base fields and allow for expanded utilization and wider adoption. + +## Concerns + +The concerns that might arise relate to how the nested fields could be broken out into separate fields or that fields that are arrays are numbered. 
There are additional potential fields that could be implemented, but until they are seen in other vendor information, it makes sense to wait to add them to ECS. + +## People + +The following are the people that consulted on the contents of this RFC. + +• @mr1716 | author + +## References + +## RFC Pull Requests +• Stage 0: https://github.com/elastic/ecs/pull/2023 + + +## RFC References: +ecs/0027-faas-fields.md at main · elastic/ecs (github.com) +ecs/0011-sip-fields.md at main · elastic/ecs (github.com) +ecs/0025-container-metric-fields.md at main · elastic/ecs (github.com) From 4b3fe9a6db948b2e06b3968007bf0ba690ee02b4 Mon Sep 17 00:00:00 2001 From: Andrew Pease <7442091+peasead@users.noreply.github.com> Date: Wed, 21 Dec 2022 12:59:10 -0600 Subject: [PATCH 061/186] [Docs] Add url.domain to the Threat usage docs (#2124) * updated usage docs for url.domain and TLP CLEAR * added missing quote around url for threat docs * changed last TLP WHITE to TLP CLEAR in usage docs for threat * updated PR number in changelog.next --- CHANGELOG.next.md | 1 + docs/fields/usage/threat.asciidoc | 12 +++++++----- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 61529c4fbf..88cfc5d6f5 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -19,6 +19,7 @@ Thanks, you're awesome :-) --> #### Added #### Improvements +* Updated usage docs to include `threat.indicator.url.domain` and changed `indicator.marking.tlp` and `indicator.enrichments.marking.tlp` from "WHITE" to "CLEAR" to align with TLP 2.0. #2124 #### Deprecated diff --git a/docs/fields/usage/threat.asciidoc b/docs/fields/usage/threat.asciidoc index d57d812c5d..7693250d30 100644 --- a/docs/fields/usage/threat.asciidoc +++ b/docs/fields/usage/threat.asciidoc 
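Review bot: the proposed `authentication.token` (keyword, "Unique token provided during the event") and `authentication.token.identifier` cannot coexist as written, since in an Elasticsearch mapping `authentication.token` cannot be both a keyword field and the object parent of `identifier`; keep one, and from a defensive standpoint it should be the identifier: indexing the raw login token value in a searchable keyword field would persist a reusable credential in the log store, so the RFC should state that the field carries a token ID or a hash of the token, never the token itself. Two smaller points in the same hunk: the field table's last column mixes source field paths (rows 1-6, e.g. `azure.signinlogs.properties.interactive`) with prose descriptions (rows 7-10), so it should be split into `Source field` and `Description` columns with the `Value` column labelled `Example`; and the prose has a few typos (`logn fields`, `Eventhubs`) and refers to `login fieldsets` under Scope of impact while the table names the fields `authentication.*`.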
@@ -43,11 +43,13 @@ indicators from a known malware site. "reference": "https://urlhaus.abuse.ch/url/abcdefg/", "confidence": "High", "ip": 1.2.3.4, - "domain": "malicious.evil", "port": 443, "email.address": "phish@malicious.evil", - "marking: { - "tlp": "WHITE" + "marking": { + "tlp": "CLEAR" + }, + "url": { + "domain": "malicious.evil", }, "scanner_stats": 4 } @@ -102,7 +104,7 @@ The following example maps a file-based indicator. "name": "invoice.doc" }, "marking": { - "tlp": "WHITE" + "tlp": "CLEAR" }, "scanner_stats": 4 } @@ -148,7 +150,7 @@ Event enrichment searches for known threats using an event's values and, if foun { "indicator": { "marking": { - "tlp": "WHITE" + "tlp": "CLEAR" }, "first_seen": "2020-11-17T19:07:46.0956672Z", "file": { From 753a893c5f09598bdc06d95d44738747a0ae18d3 Mon Sep 17 00:00:00 2001 From: Luke Gmys Date: Thu, 5 Jan 2023 09:54:35 +0100 Subject: [PATCH 062/186] Introduce threat.indicator.name field (#2121) This PR addresses issue #1998 Co-authored-by: Kylie (Geller) Meli --- CHANGELOG.next.md | 2 + docs/fields/field-details.asciidoc | 60 +++++++++++++++++++ experimental/generated/beats/fields.ecs.yml | 14 +++++ experimental/generated/csv/fields.csv | 2 + experimental/generated/ecs/ecs_flat.yml | 46 ++++++++++++++ experimental/generated/ecs/ecs_nested.yml | 46 ++++++++++++++ .../composable/component/threat.json | 8 +++ .../elasticsearch/legacy/template.json | 8 +++ generated/beats/fields.ecs.yml | 14 +++++ generated/csv/fields.csv | 2 + generated/ecs/ecs_flat.yml | 46 ++++++++++++++ generated/ecs/ecs_nested.yml | 46 ++++++++++++++ .../composable/component/threat.json | 8 +++ generated/elasticsearch/legacy/template.json | 8 +++ schemas/threat.yml | 40 +++++++++++++ 15 files changed, 350 insertions(+) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 88cfc5d6f5..fa895528a3 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md 
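Review bot: the new `"url": { "domain": "malicious.evil", },` block in the first docs/fields/usage/threat.asciidoc hunk has a trailing comma after its only property, which makes the example invalid JSON; drop it (`"domain": "malicious.evil"`). The hunk does fix the pre-existing unbalanced `"marking: {` line, but the neighbouring context line `"ip": 1.2.3.4,` is still an unquoted value and will also stop readers from pasting the example as JSON.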
@@ -18,6 +18,8 @@ Thanks, you're awesome :-) --> #### Added +* adding `name` field to `threat.indicator` #2121 + #### Improvements * Updated usage docs to include `threat.indicator.url.domain` and changed `indicator.marking.tlp` and `indicator.enrichments.marking.tlp` from "WHITE" to "CLEAR" to align with TLP 2.0. #2124 diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index d9df94ed1e..9e59a7882e 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -10401,6 +10401,36 @@ example: `2020-11-05T17:25:47.000Z` // =============================================================== +| +[[field-threat-enrichments-indicator-name]] +<> + +a| The display name indicator in an UI friendly format + +Expected values for this field: + +* `5.2.75.227` +* `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6` +* `https://example.com/some/path` +* `example.com` +* `373d34874d7bc89fd4cefa6272ee80bf` +* `b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7` +* `email@example.com` +* `HKLM\\SOFTWARE\\Microsoft\\Active` +* `13335` +* `00:00:5e:00:53:af` +* `8008` + +type: keyword + + + +example: `5.2.75.227` + +| extended + +// =============================================================== + | [[field-threat-enrichments-indicator-port]] <> 
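Review bot: the description added in the docs/fields/field-details.asciidoc hunk, `The display name indicator in an UI friendly format`, needs `a UI` rather than `an UI` and is missing a word; `The display name of the indicator in a UI-friendly format` says what is meant, and the change belongs in the schemas/threat.yml source so the generated files pick it up. In the CHANGELOG.next.md hunk, `adding` should be capitalized to match the neighbouring entries (`Added`, `Updated`).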
@@ -10913,6 +10943,36 @@ example: `2020-11-05T17:25:47.000Z` // =============================================================== +| +[[field-threat-indicator-name]] +<> + +a| The display name indicator in an UI friendly format + +Expected values for this field: + +* `5.2.75.227` +* `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6` +* `https://example.com/some/path` +* `example.com` +* `373d34874d7bc89fd4cefa6272ee80bf` +* `b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7` +* `email@example.com` +* `HKLM\\SOFTWARE\\Microsoft\\Active` +* `13335` +* `00:00:5e:00:53:af` +* `8008` + +type: keyword + + + +example: `5.2.75.227` + +| extended + +// =============================================================== + | [[field-threat-indicator-port]] <> diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 37b6b29566..162874f361 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -10862,6 +10862,13 @@ for this indicator. example: '2020-11-05T17:25:47.000Z' default_field: false + - name: enrichments.indicator.name + level: extended + type: keyword + ignore_above: 1024 + description: The display name indicator in an UI friendly format + example: 5.2.75.227 + default_field: false - name: enrichments.indicator.port level: extended type: long @@ -12452,6 +12459,13 @@ for this indicator. example: '2020-11-05T17:25:47.000Z' default_field: false + - name: indicator.name + level: extended + type: keyword + ignore_above: 1024 + description: The display name indicator in an UI friendly format + example: 5.2.75.227 + default_field: false - name: indicator.port level: extended type: long diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index d3503c2c59..d7a9fc3005 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
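Review bot: `expected_values` is used here for a free-form display name, and the generated doc renders it as `Expected values for this field:` followed by `5.2.75.227`, `example.com`, `HKLM\\SOFTWARE\\Microsoft\\Active` and so on, which reads as an enumeration of permitted values rather than the sample formats it is meant to illustrate. Either drop the list and keep the single `example`, or word the description so the list is clearly illustrative; the registry entry `HKLM\\SOFTWARE\\Microsoft\\Active` also looks cut off and should be a complete key path.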
@@ -1271,6 +1271,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp.version,keyword,extended,,2.0,Indicator TLP version 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. +8.7.0-dev+exp,true,threat,threat.enrichments.indicator.name,keyword,extended,,5.2.75.227,Indicator display name 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL @@ -1486,6 +1487,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. 8.7.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking 8.7.0-dev+exp,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. +8.7.0-dev+exp,true,threat,threat.indicator.name,keyword,extended,,5.2.75.227,Indicator display name 8.7.0-dev+exp,true,threat,threat.indicator.port,long,extended,,443,Indicator port 8.7.0-dev+exp,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider 8.7.0-dev+exp,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL 
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index bccec4080d..602bf2e5db 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -16020,6 +16020,29 @@ threat.enrichments.indicator.modified_at: normalize: [] short: Date/time indicator was last updated. type: date +threat.enrichments.indicator.name: + dashed_name: threat-enrichments-indicator-name + description: The display name indicator in an UI friendly format + example: 5.2.75.227 + expected_values: + - 5.2.75.227 + - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 + - https://example.com/some/path + - example.com + - 373d34874d7bc89fd4cefa6272ee80bf + - b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7 + - email@example.com + - HKLM\\SOFTWARE\\Microsoft\\Active + - 13335 + - 00:00:5e:00:53:af + - 8008 + flat_name: threat.enrichments.indicator.name + ignore_above: 1024 + level: extended + name: enrichments.indicator.name + normalize: [] + short: Indicator display name + type: keyword threat.enrichments.indicator.port: dashed_name: threat-enrichments-indicator-port description: Identifies a threat indicator as a port number (irrespective of direction). 
@@ -18705,6 +18728,29 @@ threat.indicator.modified_at: normalize: [] short: Date/time indicator was last updated. type: date +threat.indicator.name: + dashed_name: threat-indicator-name + description: The display name indicator in an UI friendly format + example: 5.2.75.227 + expected_values: + - 5.2.75.227 + - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 + - https://example.com/some/path + - example.com + - 373d34874d7bc89fd4cefa6272ee80bf + - b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7 + - email@example.com + - HKLM\\SOFTWARE\\Microsoft\\Active + - 13335 + - 00:00:5e:00:53:af + - 8008 + flat_name: threat.indicator.name + ignore_above: 1024 + level: extended + name: indicator.name + normalize: [] + short: Indicator display name + type: keyword threat.indicator.port: dashed_name: threat-indicator-port description: Identifies a threat indicator as a port number (irrespective of direction). diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 8baed6a64f..95671d36fb 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -18689,6 +18689,29 @@ threat: normalize: [] short: Date/time indicator was last updated. type: date + threat.enrichments.indicator.name: + dashed_name: threat-enrichments-indicator-name + description: The display name indicator in an UI friendly format + example: 5.2.75.227 + expected_values: + - 5.2.75.227 + - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 + - https://example.com/some/path + - example.com + - 373d34874d7bc89fd4cefa6272ee80bf + - b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7 + - email@example.com + - HKLM\\SOFTWARE\\Microsoft\\Active + - 13335 + - 00:00:5e:00:53:af + - 8008 + flat_name: threat.enrichments.indicator.name + ignore_above: 1024 + level: extended + name: enrichments.indicator.name + normalize: [] + short: Indicator display name + type: keyword threat.enrichments.indicator.port: dashed_name: threat-enrichments-indicator-port description: Identifies a threat indicator as a port number (irrespective of @@ -21380,6 +21403,29 @@ threat: normalize: [] short: Date/time indicator was last updated. type: date + threat.indicator.name: + dashed_name: threat-indicator-name + description: The display name indicator in an UI friendly format + example: 5.2.75.227 + expected_values: + - 5.2.75.227 + - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 + - https://example.com/some/path + - example.com + - 373d34874d7bc89fd4cefa6272ee80bf + - b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7 + - email@example.com + - HKLM\\SOFTWARE\\Microsoft\\Active + - 13335 + - 00:00:5e:00:53:af + - 8008 + flat_name: threat.indicator.name + ignore_above: 1024 + level: extended + name: indicator.name + normalize: [] + short: Indicator display name + type: keyword threat.indicator.port: dashed_name: threat-indicator-port description: Identifies a threat indicator as a port number (irrespective of 
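Review bot: in the ecs_flat.yml and ecs_nested.yml hunks the expected value is written as the unquoted plain scalar `HKLM\\SOFTWARE\\Microsoft\\Active`; YAML plain scalars do not process backslash escapes, so the value carries two literal backslashes per separator, and the field-details rendering shows the same doubled form. If a single backslash is intended (the usual Windows path form), write the source value as `HKLM\SOFTWARE\Microsoft\Active` in schemas/threat.yml and regenerate, or quote it so the intent is explicit.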
diff --git a/experimental/generated/elasticsearch/composable/component/threat.json b/experimental/generated/elasticsearch/composable/component/threat.json index 81cfd9376b..2bc7c47449 100644 --- a/experimental/generated/elasticsearch/composable/component/threat.json +++ b/experimental/generated/elasticsearch/composable/component/threat.json @@ -622,6 +622,10 @@ "modified_at": { "type": "date" }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, "port": { "type": "long" }, @@ -1535,6 +1539,10 @@ "modified_at": { "type": "date" }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, "port": { "type": "long" }, diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index c45b707d01..2a3e49ff91 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -5759,6 +5759,10 @@ "modified_at": { "type": "date" }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, "port": { "type": "long" }, @@ -6672,6 +6676,10 @@ "modified_at": { "type": "date" }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, "port": { "type": "long" }, diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 1c94750300..fecfd9a678 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -10812,6 +10812,13 @@ for this indicator. example: '2020-11-05T17:25:47.000Z' default_field: false + - name: enrichments.indicator.name + level: extended + type: keyword + ignore_above: 1024 + description: The display name indicator in an UI friendly format + example: 5.2.75.227 + default_field: false - name: enrichments.indicator.port level: extended type: long 
@@ -12402,6 +12409,13 @@ for this indicator. example: '2020-11-05T17:25:47.000Z' default_field: false + - name: indicator.name + level: extended + type: keyword + ignore_above: 1024 + description: The display name indicator in an UI friendly format + example: 5.2.75.227 + default_field: false - name: indicator.port level: extended type: long diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index fef3259259..73dbda330d 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -1264,6 +1264,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. 8.7.0-dev,true,threat,threat.enrichments.indicator.marking.tlp.version,keyword,extended,,2.0,Indicator TLP version 8.7.0-dev,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. +8.7.0-dev,true,threat,threat.enrichments.indicator.name,keyword,extended,,5.2.75.227,Indicator display name 8.7.0-dev,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port 8.7.0-dev,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider 8.7.0-dev,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL 
@@ -1479,6 +1480,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.7.0-dev,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. 8.7.0-dev,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking 8.7.0-dev,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. +8.7.0-dev,true,threat,threat.indicator.name,keyword,extended,,5.2.75.227,Indicator display name 8.7.0-dev,true,threat,threat.indicator.port,long,extended,,443,Indicator port 8.7.0-dev,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider 8.7.0-dev,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 643ef2d2fe..495d263b6b 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -15951,6 +15951,29 @@ threat.enrichments.indicator.modified_at: normalize: [] short: Date/time indicator was last updated. type: date +threat.enrichments.indicator.name: + dashed_name: threat-enrichments-indicator-name + description: The display name indicator in an UI friendly format + example: 5.2.75.227 + expected_values: + - 5.2.75.227 + - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 + - https://example.com/some/path + - example.com + - 373d34874d7bc89fd4cefa6272ee80bf + - b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7 + - email@example.com + - HKLM\\SOFTWARE\\Microsoft\\Active + - 13335 + - 00:00:5e:00:53:af + - 8008 + flat_name: threat.enrichments.indicator.name + ignore_above: 1024 + level: extended + name: enrichments.indicator.name + normalize: [] + short: Indicator display name + type: keyword threat.enrichments.indicator.port: dashed_name: threat-enrichments-indicator-port description: Identifies a threat indicator as a port number (irrespective of direction). @@ -18636,6 +18659,29 @@ threat.indicator.modified_at: normalize: [] short: Date/time indicator was last updated. type: date +threat.indicator.name: + dashed_name: threat-indicator-name + description: The display name indicator in an UI friendly format + example: 5.2.75.227 + expected_values: + - 5.2.75.227 + - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 + - https://example.com/some/path + - example.com + - 373d34874d7bc89fd4cefa6272ee80bf + - b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7 + - email@example.com + - HKLM\\SOFTWARE\\Microsoft\\Active + - 13335 + - 00:00:5e:00:53:af + - 8008 + flat_name: threat.indicator.name + ignore_above: 1024 + level: extended + name: indicator.name + normalize: [] + short: Indicator display name + type: keyword threat.indicator.port: dashed_name: threat-indicator-port description: Identifies a threat indicator as a port number (irrespective of direction). 
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 1ec7b4e7ac..dd9dc82791 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -18609,6 +18609,29 @@ threat: normalize: [] short: Date/time indicator was last updated. type: date + threat.enrichments.indicator.name: + dashed_name: threat-enrichments-indicator-name + description: The display name indicator in an UI friendly format + example: 5.2.75.227 + expected_values: + - 5.2.75.227 + - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 + - https://example.com/some/path + - example.com + - 373d34874d7bc89fd4cefa6272ee80bf + - b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7 + - email@example.com + - HKLM\\SOFTWARE\\Microsoft\\Active + - 13335 + - 00:00:5e:00:53:af + - 8008 + flat_name: threat.enrichments.indicator.name + ignore_above: 1024 + level: extended + name: enrichments.indicator.name + normalize: [] + short: Indicator display name + type: keyword threat.enrichments.indicator.port: dashed_name: threat-enrichments-indicator-port description: Identifies a threat indicator as a port number (irrespective of 
@@ -21300,6 +21323,29 @@ threat: normalize: [] short: Date/time indicator was last updated. type: date + threat.indicator.name: + dashed_name: threat-indicator-name + description: The display name indicator in an UI friendly format + example: 5.2.75.227 + expected_values: + - 5.2.75.227 + - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 + - https://example.com/some/path + - example.com + - 373d34874d7bc89fd4cefa6272ee80bf + - b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7 + - email@example.com + - HKLM\\SOFTWARE\\Microsoft\\Active + - 13335 + - 00:00:5e:00:53:af + - 8008 + flat_name: threat.indicator.name + ignore_above: 1024 + level: extended + name: indicator.name + normalize: [] + short: Indicator display name + type: keyword threat.indicator.port: dashed_name: threat-indicator-port description: Identifies a threat indicator as a port number (irrespective of diff --git a/generated/elasticsearch/composable/component/threat.json b/generated/elasticsearch/composable/component/threat.json index 3438cc5e80..17aede99ce 100644 --- a/generated/elasticsearch/composable/component/threat.json +++ b/generated/elasticsearch/composable/component/threat.json @@ -622,6 +622,10 @@ "modified_at": { "type": "date" }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, "port": { "type": "long" }, @@ -1535,6 +1539,10 @@ "modified_at": { "type": "date" }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, "port": { "type": "long" }, diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index b69dae1515..3f0ce2703d 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -5717,6 +5717,10 @@ "modified_at": { "type": "date" }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, "port": { "type": "long" }, 
@@ -6630,6 +6634,10 @@ "modified_at": { "type": "date" }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, "port": { "type": "long" }, diff --git a/schemas/threat.yml b/schemas/threat.yml index 59b6328d8a..d5cffb5809 100644 --- a/schemas/threat.yml +++ b/schemas/threat.yml @@ -105,6 +105,26 @@ - x509-certificate example: ipv4-addr + - name: enrichments.indicator.name + level: extended + type: keyword + short: Indicator display name + description: > + The display name indicator in an UI friendly format + expected_values: + - 5.2.75.227 + - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 + - https://example.com/some/path + - example.com + - 373d34874d7bc89fd4cefa6272ee80bf + - b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7 + - email@example.com + - HKLM\\SOFTWARE\\Microsoft\\Active + - 13335 + - 00:00:5e:00:53:af + - 8008 + example: 5.2.75.227 + - name: enrichments.indicator.description level: extended type: keyword @@ -393,6 +413,26 @@ - x509-certificate example: ipv4-addr + - name: indicator.name + level: extended + type: keyword + short: Indicator display name + description: > + The display name indicator in an UI friendly format + expected_values: + - 5.2.75.227 + - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 + - https://example.com/some/path + - example.com + - 373d34874d7bc89fd4cefa6272ee80bf + - b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7 + - email@example.com + - HKLM\\SOFTWARE\\Microsoft\\Active + - 13335 + - 00:00:5e:00:53:af + - 8008 + example: 5.2.75.227 + - name: indicator.description level: extended type: keyword From 0c5afa681120abae8df5cee32184c104306eba40 Mon Sep 17 00:00:00 2001 From: Dominic Page <11043991+djptek@users.noreply.github.com> Date: Tue, 10 Jan 2023 17:37:40 +0100 Subject: [PATCH 063/186] Forward port 8.6 changelog to main (#2134) Forward port 8.6 changelog to main #2134 --- CHANGELOG.md | 15 +++++++++++++++ CHANGELOG.next.md | 15 --------------- 2 files changed, 15 insertions(+), 15 deletions(-) 
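Review bot: In both `schemas/threat.yml` hunks of the `indicator.name` patch (the `enrichments.indicator.name` block at `@@ -105` and the `indicator.name` block at `@@ -393`), several `expected_values` entries are unquoted YAML plain scalars, so `13335` and `8008` load as integers rather than strings for a `keyword` field, and `HKLM\\SOFTWARE\\Microsoft\\Active` keeps both backslashes literally (a plain scalar does not treat `\\` as an escape), which is why the generated `ecs_flat.yml` and `ecs_nested.yml` hunks reproduce the doubled backslashes. Quote the numeric and registry-path values (`- '13335'`, `- '8008'`, `- 'HKLM\SOFTWARE\Microsoft\Active'`) so every expected value is a string with the intended characters, and check whether the registry path is meant to stop at `Active`, since it reads as truncated. The description `The display name indicator in an UI friendly format` also needs rewording; `The display name of the indicator in a UI-friendly format` fixes the article and the missing preposition, and the same sentence is copied into both beats `fields.ecs.yml` hunks, so fix it in the schema and regenerate.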
diff --git a/CHANGELOG.md b/CHANGELOG.md index a076383dc8..85158d5589 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,21 @@ # CHANGELOG All notable changes to this project will be documented in this file based on the [Keep a Changelog](http://keepachangelog.com/) Standard. This project adheres to [Semantic Versioning](http://semver.org/). +## [8.6.0](https://github.com/elastic/ecs/compare/v8.5.2...v8.6.0) + +### Schema Changes + +#### Added + +* Adding `vulnerability` option for `event.category`. #2029 +* Added `device.*` field set as beta. #2030 +* Added `tlp.version` to threat #2074 +* Added fields for executable object format metadata for ELF, Mach-O and PE #2083 + +#### Improvements + +* Added `CLEAR` and `AMBER+STRICT` as valid values for `threat.indicator.marking.tlp` and `enrichments.indicator.marking.tlp` to accept new [TLP 2.0](https://www.first.org/tlp/) markings #2022, #2074 + ## [8.5.2](https://github.com/elastic/ecs/compare/v8.5.1...v8.5.2) ### Schema Changes diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index fa895528a3..8bca2e43be 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md 
@@ -37,21 +37,6 @@ Thanks, you're awesome :-) --> #### Deprecated -## 8.6.0 (Hard Feature Freeze) - -### Schema Changes - -#### Added - -* Adding `vulnerability` option for `event.category`. #2029 -* Added `device.*` field set as beta. #2030 -* Added `tlp.version` to threat #2074 -* Added fields for executable object format metadata for ELF, Mach-O and PE #2083 - -#### Improvements - -* Added `CLEAR` and `AMBER+STRICT` as valid values for `threat.indicator.marking.tlp` and `enrichments.indicator.marking.tlp` to accept new [TLP 2.0](https://www.first.org/tlp/) markings #2022, #2074 - #### Improvements +* Bump `gitpython` from `3.1.27` to `3.1.30` in `/scripts`. #2139 + #### Deprecated #### Bugfixes -* remove duplicated `client.domain` definition #212 - #### Added -* adding `name` field to `threat.indicator` #2121 - #### Improvements -* Updated usage docs to include `threat.indicator.url.domain` and changed `indicator.marking.tlp` and `indicator.enrichments.marking.tlp` from "WHITE" to "CLEAR" to align with TLP 2.0. #2124 #### Deprecated @@ -39,6 +34,21 @@ Thanks, you're awesome :-) --> #### Deprecated +## 8.7.0 (Soft Feature Freeze) + +#### Bugfixes + +* remove duplicated `client.domain` definition #2120 + +#### Added + +* adding `name` field to `threat.indicator` #2121 + +#### Improvements + +* Updated usage docs to include `threat.indicator.url.domain` and changed `indicator.marking.tlp` and `indicator.enrichments.marking.tlp` from "WHITE" to "CLEAR" to align with TLP 2.0. #2124 + + #### Improvements * Updated usage docs to include `threat.indicator.url.domain` and changed `indicator.marking.tlp` and `indicator.enrichments.marking.tlp` from "WHITE" to "CLEAR" to align with TLP 2.0. #2124 +* description for `host.name` definition updated to encourage use of FDQN #2122 #### Added +* adding `api` option to `event.category` #2147 + #### Improvements #### Deprecated 
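Review bot: In the `CHANGELOG.next.md` hunk at `@@ -39,6 +34,21 @@`, the inserted `## 8.7.0 (Soft Feature Freeze)` block re-adds `* Updated usage docs to include threat.indicator.url.domain ... #2124` under `#### Improvements` while the unchanged context directly below still carries the same entry under another `#### Improvements`, so the file ends up listing #2124 twice; drop one copy. The new 8.7.0 block also goes straight from the version heading to `#### Bugfixes` without the `### Schema Changes` heading that the removed `## 8.6.0` block in the `@@ -37,21 +37,6 @@` hunk had, so the section levels no longer match the rest of the file. In the following hunk, `+* description for host.name definition updated to encourage use of FDQN #2122` has a transposed acronym: it should read FQDN (fully qualified domain name).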
diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index e62c6fa213..d26a560dc4 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -3389,7 +3389,7 @@ Note: this field should contain an array of values. *Important*: The field value must be one of the following: -authentication, configuration, database, driver, email, file, host, iam, intrusion_detection, malware, network, package, process, registry, session, threat, vulnerability, web +api, authentication, configuration, database, driver, email, file, host, iam, intrusion_detection, malware, network, package, process, registry, session, threat, vulnerability, web To learn more about when to use which value, visit the page <> diff --git a/docs/fields/field-values.asciidoc b/docs/fields/field-values.asciidoc index 3e784a7279..a9d9837e36 100644 --- a/docs/fields/field-values.asciidoc +++ b/docs/fields/field-values.asciidoc @@ -132,6 +132,7 @@ This field is an array. This will allow proper categorization of some events tha *Allowed Values* +* <> * <> * <> * <> @@ -151,6 +152,18 @@ This field is an array. This will allow proper categorization of some events tha * <> * <> +[float] +[[ecs-event-category-api]] +==== api + +Events in this category annotate API calls that occured on a system. Typical sources for those events could be from the Operating System level through the native libraries (for example Windows Win32, Linux libc, etc.), or managed sources of events (such as ETW, syslog), but can also include network protocols (such as SOAP, RPC, Websocket, REST, etc.) + + +*Expected event types for category api:* + +access, admin, allowed, change, creation, deletion, denied, end, info, start, user + + [float] [[ecs-event-category-authentication]] ==== authentication diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 8760da8d66..44382102be 100644 --- a/experimental/generated/ecs/ecs_flat.yml 
+++ b/experimental/generated/ecs/ecs_flat.yml @@ -2944,6 +2944,24 @@ event.agent_id_status: type: keyword event.category: allowed_values: + - description: Events in this category annotate API calls that occured on a system. + Typical sources for those events could be from the Operating System level through + the native libraries (for example Windows Win32, Linux libc, etc.), or managed + sources of events (such as ETW, syslog), but can also include network protocols + (such as SOAP, RPC, Websocket, REST, etc.) + expected_event_types: + - access + - admin + - allowed + - change + - creation + - deletion + - denied + - end + - info + - start + - user + name: api - description: Events in this category are related to the challenge and response process in which credentials are supplied and verified to allow the creation of a session. Common sources for these logs are Windows event logs and ssh logs. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 9d49aca473..0c6c88fa4f 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -3936,6 +3936,24 @@ event: type: keyword event.category: allowed_values: + - description: Events in this category annotate API calls that occured on a + system. Typical sources for those events could be from the Operating System + level through the native libraries (for example Windows Win32, Linux libc, + etc.), or managed sources of events (such as ETW, syslog), but can also + include network protocols (such as SOAP, RPC, Websocket, REST, etc.) + expected_event_types: + - access + - admin + - allowed + - change + - creation + - deletion + - denied + - end + - info + - start + - user + name: api - description: Events in this category are related to the challenge and response process in which credentials are supplied and verified to allow the creation of a session. Common sources for these logs are Windows event logs and ssh 
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 213111250e..947ff0f043 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -2875,6 +2875,24 @@ event.agent_id_status: type: keyword event.category: allowed_values: + - description: Events in this category annotate API calls that occured on a system. + Typical sources for those events could be from the Operating System level through + the native libraries (for example Windows Win32, Linux libc, etc.), or managed + sources of events (such as ETW, syslog), but can also include network protocols + (such as SOAP, RPC, Websocket, REST, etc.) + expected_event_types: + - access + - admin + - allowed + - change + - creation + - deletion + - denied + - end + - info + - start + - user + name: api - description: Events in this category are related to the challenge and response process in which credentials are supplied and verified to allow the creation of a session. Common sources for these logs are Windows event logs and ssh logs. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 021257cc6c..11cc60f9a3 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -3856,6 +3856,24 @@ event: type: keyword event.category: allowed_values: + - description: Events in this category annotate API calls that occured on a + system. Typical sources for those events could be from the Operating System + level through the native libraries (for example Windows Win32, Linux libc, + etc.), or managed sources of events (such as ETW, syslog), but can also + include network protocols (such as SOAP, RPC, Websocket, REST, etc.) + expected_event_types: + - access + - admin + - allowed + - change + - creation + - deletion + - denied + - end + - info + - start + - user + name: api - description: Events in this category are related to the challenge and response process in which credentials are supplied and verified to allow the creation of a session. Common sources for these logs are Windows event logs and ssh diff --git a/schemas/event.yml b/schemas/event.yml index 497d4e9898..765a250661 100644 --- a/schemas/event.yml +++ b/schemas/event.yml @@ -156,6 +156,24 @@ normalize: - array allowed_values: + - name: api + description: > + Events in this category annotate API calls that occured on a system. Typical sources + for those events could be from the Operating System level through the native libraries + (for example Windows Win32, Linux libc, etc.), or managed sources of events (such as ETW, + syslog), but can also include network protocols (such as SOAP, RPC, Websocket, REST, etc.) + expected_event_types: + - access + - admin + - allowed + - change + - creation + - deletion + - denied + - end + - info + - start + - user - name: authentication description: > Events in this category are related to the challenge and response process From ccee622c618f6b8ae28e5725271b822d9d925948 Mon Sep 17 00:00:00 2001 
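Review bot: In the `schemas/event.yml` hunk that adds the `api` allowed value, the description misspells `occurred` as `occured` and does not end with a period, unlike the neighbouring `authentication` description; the same text is reproduced in the `field-values.asciidoc` hunk and in the four generated `ecs_flat.yml`/`ecs_nested.yml` hunks, so correct the schema source and regenerate rather than patching each generated file. `Websocket` is conventionally written `WebSocket`.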
From: "Kylie (Geller) Meli" Date: Thu, 2 Feb 2023 16:21:13 -0500 Subject: [PATCH 072/186] [main] Tlp patch #2156 --- CHANGELOG.next.md | 7 +++ docs/fields/field-details.asciidoc | 59 +++++++++++++------ experimental/generated/beats/fields.ecs.yml | 23 +++++--- experimental/generated/csv/fields.csv | 5 +- experimental/generated/ecs/ecs_flat.yml | 46 ++++++++++----- experimental/generated/ecs/ecs_nested.yml | 46 ++++++++++----- .../composable/component/threat.json | 36 ++++------- .../elasticsearch/legacy/template.json | 36 ++++------- generated/beats/fields.ecs.yml | 23 +++++--- generated/csv/fields.csv | 5 +- generated/ecs/ecs_flat.yml | 46 ++++++++++----- generated/ecs/ecs_nested.yml | 46 ++++++++++----- .../composable/component/threat.json | 36 ++++------- generated/elasticsearch/legacy/template.json | 36 ++++------- schemas/threat.yml | 4 +- 15 files changed, 255 insertions(+), 199 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 1a83f1cebe..5c0ee29b14 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -51,6 +51,13 @@ Thanks, you're awesome :-) --> * Updated usage docs to include `threat.indicator.url.domain` and changed `indicator.marking.tlp` and `indicator.enrichments.marking.tlp` from "WHITE" to "CLEAR" to align with TLP 2.0. #2124 * description for `host.name` definition updated to encourage use of FDQN #2122 +## 8.6.1 + +### Schema Changes + +#### Bugfixes + +* Fixing `tlp_version` and `tlp` field for threat. #2156 #### Added * adding `name` field to `threat.indicator` #2121 +* adding `library` option to `event.category` #2154 #### Improvements diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index 55da09ba4b..2ad84cbb5b 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc 
@@ -3389,7 +3389,7 @@ Note: this field should contain an array of values. *Important*: The field value must be one of the following: -api, authentication, configuration, database, driver, email, file, host, iam, intrusion_detection, malware, network, package, process, registry, session, threat, vulnerability, web +api, authentication, configuration, database, driver, email, file, host, iam, intrusion_detection, library, malware, network, package, process, registry, session, threat, vulnerability, web To learn more about when to use which value, visit the page <> diff --git a/docs/fields/field-values.asciidoc b/docs/fields/field-values.asciidoc index a9d9837e36..3027b87c01 100644 --- a/docs/fields/field-values.asciidoc +++ b/docs/fields/field-values.asciidoc @@ -142,6 +142,7 @@ This field is an array. This will allow proper categorization of some events tha * <> * <> * <> +* <> * <> * <> * <> @@ -282,6 +283,18 @@ Relating to intrusion detections from IDS/IPS systems and functions, both networ allowed, denied, info +[float] +[[ecs-event-category-library]] +==== library + +Events in this category refer to the loading of a library, such as (dll / so / dynlib), into a process. Use this category to visualize and analyze library loading related activity on hosts. Keep in mind that driver related activity will be captured under the "driver" category above. + + +*Expected event types for category library:* + +start + + [float] [[ecs-event-category-malware]] ==== malware diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 86a3f53dee..cefedf2246 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -3064,6 +3064,13 @@ event.category: - denied - info name: intrusion_detection + - description: Events in this category refer to the loading of a library, such as + (dll / so / dynlib), into a process. Use this category to visualize and analyze + library loading related activity on hosts. Keep in mind that driver related + activity will be captured under the "driver" category above. + expected_event_types: + - start + name: library - description: Malware detection events and alerts. Use this category to visualize and analyze malware detections from EDR/EPP systems such as Elastic Endpoint Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS systems diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 8730030db0..a07b20d01c 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -4056,6 +4056,13 @@ event: - denied - info name: intrusion_detection + - description: Events in this category refer to the loading of a library, such + as (dll / so / dynlib), into a process. Use this category to visualize and + analyze library loading related activity on hosts. Keep in mind that driver + related activity will be captured under the "driver" category above. + expected_event_types: + - start + name: library - description: Malware detection events and alerts. Use this category to visualize and analyze malware detections from EDR/EPP systems such as Elastic Endpoint Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index bf315beb1c..d16cb491d7 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -2995,6 +2995,13 @@ event.category: - denied - info name: intrusion_detection + - description: Events in this category refer to the loading of a library, such as + (dll / so / dynlib), into a process. Use this category to visualize and analyze + library loading related activity on hosts. Keep in mind that driver related + activity will be captured under the "driver" category above. + expected_event_types: + - start + name: library - description: Malware detection events and alerts. Use this category to visualize and analyze malware detections from EDR/EPP systems such as Elastic Endpoint Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS systems diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 9e498aec5b..19800a8c22 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -3976,6 +3976,13 @@ event: - denied - info name: intrusion_detection + - description: Events in this category refer to the loading of a library, such + as (dll / so / dynlib), into a process. Use this category to visualize and + analyze library loading related activity on hosts. Keep in mind that driver + related activity will be captured under the "driver" category above. + expected_event_types: + - start + name: library - description: Malware detection events and alerts. Use this category to visualize and analyze malware detections from EDR/EPP systems such as Elastic Endpoint Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS diff --git a/schemas/event.yml b/schemas/event.yml index 765a250661..7082a7c2fd 100644 --- a/schemas/event.yml +++ b/schemas/event.yml 
@@ -283,6 +283,13 @@ - allowed - denied - info + - name: library + description: > + Events in this category refer to the loading of a library, such as (dll / so / dynlib), into a process. + Use this category to visualize and analyze library loading related activity on + hosts. Keep in mind that driver related activity will be captured under the "driver" category above. + expected_event_types: + - start - name: malware description: > Malware detection events and alerts. Use this category to visualize and analyze From 864b5ad9889231252d7ff20dc7a7dff94add7c54 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Wed, 8 Feb 2023 15:54:26 +0100 Subject: [PATCH 076/186] [main][forward-port][8.7-hff] Prepare changelog for 8.7 HFF (#2167) (#2169) * [8.7] Prepare changelog for 8.7 HFF (#2167) * [8.7] Prepare changelog for 8.7 HFF * Update CHANGELOG.next.md * Update CHANGELOG.next.md --- CHANGELOG.next.md | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index cb97279ef2..89c0c61886 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -16,8 +16,6 @@ Thanks, you're awesome :-) --> #### Added -* adding `api` option to `event.category` #2147 - #### Improvements #### Deprecated @@ -36,7 +34,9 @@ Thanks, you're awesome :-) --> #### Deprecated -## 8.7.0 (Soft Feature Freeze) +## 8.7.0 (Hard Feature Freeze) + +### Schema Changes #### Bugfixes 
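Review bot: In the `CHANGELOG.next.md` hunk of the Tlp patch (#2156), the new `## 8.6.1` block is inserted between the 8.7.0 section's `#### Improvements` list and the `#### Added` list that holds `adding name field to threat.indicator #2121` and the new `+* adding library option to event.category #2154`, so those 8.7.0 entries now render under the 8.6.1 heading. Move the 8.6.1 block to the end of the 8.7.0 section (or above it, keeping newest-first order), and consider naming the field by its dotted schema name, `marking.tlp.version` as it appears in the CSV hunks earlier in this series, rather than `tlp_version`.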
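Review bot: In the `schemas/event.yml` hunk adding the `library` allowed value, `(dll / so / dynlib)` should read `dylib`, the macOS dynamic-library suffix; the typo is carried into the `field-values.asciidoc` hunk and the four generated `ecs_flat.yml`/`ecs_nested.yml` hunks, so fix it in the schema and regenerate. `driver related activity` and `library loading related activity` also want hyphens (`driver-related`, `library-loading-related`) to read cleanly.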
@@ -45,20 +45,19 @@ Thanks, you're awesome :-) --> #### Added * adding `name` field to `threat.indicator` #2121 +* adding `api` option to `event.category` #2147 * adding `library` option to `event.category` #2154 #### Improvements -* Updated usage docs to include `threat.indicator.url.domain` and changed `indicator.marking.tlp` and `indicator.enrichments.marking.tlp` from "WHITE" to "CLEAR" to align with TLP 2.0. #2124 * description for `host.name` definition updated to encourage use of FDQN #2122 -## 8.6.1 - -### Schema Changes +### Tooling and Artifact Changes -#### Bugfixes +#### Improvements -* Fixing `tlp_version` and `tlp` field for threat. #2156 +* Updated usage docs to include `threat.indicator.url.domain` and changed `indicator.marking.tlp` and `indicator.enrichments.marking.tlp` from "WHITE" to "CLEAR" to align with TLP 2.0. #2124 +* Bump `gitpython` from `3.1.27` to `3.1.30` in `/scripts`. #2139 #### Added +* Add `access` as an allowed type for `event.type: file`. #2174 + #### Improvements #### Deprecated diff --git a/docs/fields/field-values.asciidoc b/docs/fields/field-values.asciidoc index 3027b87c01..4c1788368e 100644 --- a/docs/fields/field-values.asciidoc +++ b/docs/fields/field-values.asciidoc @@ -240,7 +240,7 @@ Relating to a set of information that has been created on, or has existed on a f *Expected event types for category file:* -change, creation, deletion, info +access, change, creation, deletion, info [float] diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 32fd4675df..1c7b03bb28 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -3022,6 +3022,7 @@ event.category: from both host-based and network-based sources. An example source of a network-based detection of a file transfer would be the Zeek file.log. expected_event_types: + - access - change - creation - deletion 
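Review bot: The `CHANGELOG.next.md` hunk at `@@ -45,20 +45,19 @@` deletes the `## 8.6.1` / `### Schema Changes` / `#### Bugfixes` block together with its only entry, `* Fixing tlp_version and tlp field for threat. #2156`, and nothing else in this patch (diffstat: one file changed, 8 insertions, 9 deletions) re-adds that entry, so #2156 drops out of the changelog; either keep it as an 8.6.1 section placed after the 8.7.0 section or confirm in the commit message that it has already been forward-ported to `CHANGELOG.md`.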
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 0fcfdd791f..444e2d1493 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -4014,6 +4014,7 @@ event: can come from both host-based and network-based sources. An example source of a network-based detection of a file transfer would be the Zeek file.log. expected_event_types: + - access - change - creation - deletion diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 5a4a00a320..41eeb653e9 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -2953,6 +2953,7 @@ event.category: from both host-based and network-based sources. An example source of a network-based detection of a file transfer would be the Zeek file.log. expected_event_types: + - access - change - creation - deletion diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index e36ffaac26..4d9a65a010 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -3934,6 +3934,7 @@ event: can come from both host-based and network-based sources. An example source of a network-based detection of a file transfer would be the Zeek file.log. expected_event_types: + - access - change - creation - deletion diff --git a/schemas/event.yml b/schemas/event.yml index 7082a7c2fd..f17c4b45c0 100644 --- a/schemas/event.yml +++ b/schemas/event.yml @@ -239,6 +239,7 @@ from both host-based and network-based sources. An example source of a network-based detection of a file transfer would be the Zeek file.log. expected_event_types: + - access - change - creation - deletion From 68f90ffcb75dd24e56a4895010e01babf86f3416 Mon Sep 17 00:00:00 2001 
From: Ralph Meijer Date: Tue, 28 Feb 2023 19:17:34 +0100 Subject: [PATCH 079/186] Mapping parameters (#2084) --- CHANGELOG.next.md | 2 + scripts/generators/es_template.py | 5 +++ scripts/tests/test_es_template.py | 63 +++++++++++++++++++++++++++++++ 3 files changed, 70 insertions(+) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 7201389a44..5564a50461 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -30,6 +30,8 @@ Thanks, you're awesome :-) --> #### Added +* Add `parameters` property for field definitions, to provide any mapping parameter. #2084 + #### Improvements * Bump `gitpython` from `3.1.27` to `3.1.30` in `/scripts`. #2139 diff --git a/scripts/generators/es_template.py b/scripts/generators/es_template.py index 555892cef1..1a3b25c31f 100644 --- a/scripts/generators/es_template.py +++ b/scripts/generators/es_template.py @@ -211,8 +211,13 @@ def entry_for(field: Field) -> Dict: ecs_helpers.dict_copy_existing_keys(mf, mf_entry, ['normalizer', 'ignore_above']) elif mf_type == 'text': ecs_helpers.dict_copy_existing_keys(mf, mf_entry, ['norms', 'analyzer']) + if 'parameters' in mf: + mf_entry.update(mf['parameters']) field_entry['fields'][mf['name']] = mf_entry + if 'parameters' in field: + field_entry.update(field['parameters']) + except KeyError as ex: print("Exception {} occurred for field {}".format(ex, field)) raise ex diff --git a/scripts/tests/test_es_template.py b/scripts/tests/test_es_template.py index f4034c37c4..56f7a27072 100644 --- a/scripts/tests/test_es_template.py +++ b/scripts/tests/test_es_template.py 
@@ -174,6 +174,69 @@ def test_constant_keyword_no_value(self): exp = {'type': 'constant_keyword'} self.assertEqual(es_template.entry_for(test_map), exp) + def test_parameters(self): + test_map = { + 'name': 'field_with_parameters', + 'type': 'date', + 'parameters': { + 'format': 'strict_date_optional_time||epoch_seconds', + } + } + + exp = { + 'type': 'date', + 'format': 'strict_date_optional_time||epoch_seconds' + } + self.assertEqual(es_template.entry_for(test_map), exp) + + def test_multi_fields(self): + test_map = { + 'name': 'field_with_multi_fields', + 'type': 'keyword', + 'multi_fields': [ + { + 'name': 'text', + 'type': 'match_only_text' + } + ] + } + + exp = { + 'type': 'keyword', + 'fields': { + 'text': { + 'type': 'match_only_text' + } + } + } + self.assertEqual(es_template.entry_for(test_map), exp) + + def test_multi_fields_parameters(self): + test_map = { + 'name': 'field_with_multi_fields_with_parameters', + 'type': 'keyword', + 'multi_fields': [ + { + 'name': 'text', + 'type': 'match_only_text', + 'parameters': { + 'analyzer': 'english' + } + } + ] + } + + exp = { + 'type': 'keyword', + 'fields': { + 'text': { + 'type': 'match_only_text', + 'analyzer': 'english' + } + } + } + self.assertEqual(es_template.entry_for(test_map), exp) + def test_component_composable_template_name(self): version = "1.8" test_map = { From d5d48c9df23075c589db5623e3656c99b0fc8b48 Mon Sep 17 00:00:00 2001 
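Review bot: in the es_template.py hunk, `field_entry.update(field['parameters'])` and `mf_entry.update(mf['parameters'])` run after the generator has already set `type`, `ignore_above`, `normalizer`, `norms`, `analyzer` and `fields`, so a `parameters` block can silently overwrite any of them (a schema file could set `type: object` or replace `fields` on a keyword field and template generation would not complain). Consider rejecting keys the generator already owns before merging, e.g. `overlap = set(field['parameters']) & set(field_entry)` followed by `raise ValueError(...)` when it is non-empty, and check that `parameters` is a mapping: `dict.update` on a string or list value fails with an unhelpful "dictionary update sequence" error far from the schema file that caused it.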
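Review bot: the new tests in test_es_template.py cover the happy path only (date `format`, multi-field `analyzer`); there is no test pinning what `entry_for` does when `parameters` carries a key the generator already emits, such as `type` or `ignore_above` on a keyword field, nor one for a non-mapping `parameters` value. Add a test for each so that whichever behaviour is intended (override or error) is locked in before field definitions start relying on it.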
From: Nicolas Ruflin Date: Wed, 1 Mar 2023 19:55:33 +0100 Subject: [PATCH 080/186] [RFC] host metrics (#2129) * [RFC] host metrics This RFC adds a proposal to bring host metrics to ECS. These metrics should build the foundation to deliver a minimal set of metrics related to a host. The current list looks as following: * host.cpu.system.norm.pct * host.cpu.user.norm.pct * host.fsstats.total_size.used (in bytes) * host.fsstats.total_size.total (in bytes) * host.fsstats.total_size.used.pct * host.load.norm.1 * host.load.norm.5 * host.load.norm.15 * host.memory.actual.used.bytes * host.memory.actual.used.pct * host.memory.total * host.network.egress.bytes * host.network.ingress.bytes One of the main challenges around this RFC is if we should prefix with `host.*` or `system.*`. See some more details in the RFC itself. It would be great to hear opinions around it. * add load metrics * add note around windows * add memory metrics * add network metrics * fix network metrics prefix * add additional links to RFC * add PR number to rfc * add missing fields and list of reviewers * Update rfcs/text/0037-host-metrics.md Co-authored-by: Eric Beahan * Update rfcs/text/0037-host-metrics.md Co-authored-by: Eric Beahan * cleanup based on reviews * add concern around host.cpu.usage * set date for stage 0 --------- Co-authored-by: Eric Beahan --- rfcs/text/0037-host-metrics.md | 164 ++++++++++++++++++++++++++++ rfcs/text/0037/host.yml | 193 +++++++++++++++++++++++++++++++++ 2 files changed, 357 insertions(+) create mode 100644 rfcs/text/0037-host-metrics.md create mode 100644 rfcs/text/0037/host.yml diff --git a/rfcs/text/0037-host-metrics.md b/rfcs/text/0037-host-metrics.md new file mode 100644 index 0000000000..33a9cfe3f7 --- /dev/null +++ b/rfcs/text/0037-host-metrics.md 
@@ -0,0 +1,164 @@ +# 0037: Host metrics + + +- Stage: **0 (strawman)** +- Date: **2023-03-01** + + + + + + + + + +## Fields + +The following high level metrics should be per host to indicate its health: + +* CPU used (in %) and load +* Memory used (in %, used, total) +* Disk usage (in %) and io -> summary +* Network (traffic in / out) + + +This translates to the following metrics. The goal is to have as few as possible. + +* host.cpu.system.norm.pct +* host.cpu.user.norm.pct +* host.fsstats.total_size.used (in bytes) +* host.fsstats.total_size.total (in bytes) +* host.fsstats.total_size.used.pct +* host.load.norm.1 +* host.load.norm.5 +* host.load.norm.15 +* host.memory.actual.used.bytes +* host.memory.actual.used.pct +* host.memory.total +* host.network.egress.bytes +* host.network.ingress.bytes + + +cgroup metrics were left out of the proposal by design and might be added later on. More details around cgroups can be found in the [cgroup RFC](https://github.com/elastic/ecs/pull/1627). + + + + + +## Usage + +These metrics can be used to give a quick overview on how a specific host is doing. Some examples: + +* A agent is running on a host and reports metrics about some services running on it. These metrics are shipped in addition to show how the host is doing. +* A user is looking at service metrics delivered by APM. These metrics are used to show how the host the service is running on is doing. + +In the context if usage, it is also important what is NOT part of the fields by design: + +* Process metrics: Details around process metrics. For this, detailed collection around processes must be enabled +* Cgroup metrics: cgroup metrics might follow at a later stage + + + +## Source data + +The source of this data comes from monitoring a host like a Linux machine, laptop or a k8s node. The can come delivered through different shippers like Elastic Agent system metrics inputs, apm agents, prometheus node exporter and other host metric collectors. 
+ + + + + + + +## Scope of impact + +Currently Elastic Agent and metricbeat ship data host/system metrics under the `system.*` prefix. This would change it to `host.*`. One of the reasons for this is that some metrics for network already exist under this prefix in ECS so conflicts can be prevented. Another advantage is that some of these fields might use newer field types like `gauge` and `counter` delivered by TSDB in Elasticsearch which is possible without a breaking change. + + + +## Concerns + + +* One of the concerns is it needs to be figured out how to migrate to the new fields with the existing shippers. +* Not all metrics might be available on all operating systems. How will we deal with this limitation? +* [host.cpu.usage](https://github.com/elastic/ecs/blob/main/schemas/host.yml#L122) already exist, how do the new fields relate to it. + + + + + + +## People + +The following are the people that consulted on the contents of this RFC. + +* @ruflin | author +* @andrewkroh | reviewer +* @felixbarny | reviewer +* @gizas | reviewer +* @lalit-satapathy | reviewer +* @neptunian | reviewer +* @tommyers-elastic | reviewer + + + + +## References + + + +* [Schema for metrics in ECS](https://github.com/elastic/ecs/issues/474) +* [Otel host metrics](https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/receiver/hostmetricsreceiver/README.md) +* [ECS cgroup rfc](https://github.com/elastic/ecs/blob/main/rfcs/text/0028-cgroups.md) +* [Prometheus Node Exporter](https://prometheus.io/docs/guides/node-exporter/) +* [APM System metrics fields](https://www.elastic.co/guide/en/apm/server/current/exported-fields-system.html) +* [APM Agent system metrics fields](https://www.elastic.co/guide/en/apm/agent/java/current/metrics.html#metrics-system) +* [APM addition of Cgroup metrics](https://github.com/elastic/apm/issues/368) +* [Host metrics used in Inventory view of Kibana](https://www.elastic.co/guide/en/observability/master/host-metrics.html) ([related 
queries](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/common/inventory_models/host/metrics/snapshot)) + +### RFC Pull Requests + + + +* Stage 0: https://github.com/elastic/ecs/pull/2129 + + diff --git a/rfcs/text/0037/host.yml b/rfcs/text/0037/host.yml new file mode 100644 index 0000000000..45b9ef2784 --- /dev/null +++ b/rfcs/text/0037/host.yml 
@@ -0,0 +1,193 @@ +# Licensed to Elasticsearch B.V. under one or more contributor +# license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright +# ownership. Elasticsearch B.V. licenses this file to you under +# the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +--- + +### Overview ### +# +# The following metrics give an overview on the current state of a host. On a high level it collects +# the following data: +# +# * CPU used (in %) and load +# * Memory used (in %, used, total) +# * Disk usage (in %) and io -> summary +# * Network (traffic in / out) +# +# This translates to the detailed metric list below. + + +### CPU ### + +# The CPU metrics must indicate under how much load the system is. +# +# The two metrics collected are normalized percentage of system and user CPU usage. +# Normalised means to 100% even if there are multiple cores. +# +# Idle can be calculated based on the delivered values if needed. + +- name: host.cpu.system.norm.pct + type: double + # Support this requires an Elasticsearch version on 8.6 or newer + time_series_metric: gauge + description: > + The normalised percentage of CPU time spent in kernel space. + +- name: host.cpu.user.norm.pct + type: double + time_series_metric: gauge + description: > + The normalised percentage of CPU time spent in user space. + +### Disk io ### + +# Disk io metrics describe the disk operations. +# +# These are overall metrics applying to all disks of a host. 
+# +# Existing `host.disk.read.bytes` and `host.disk.write.bytes` values +# [from ECS](https://www.elastic.co/guide/en/ecs/current/ecs-host.html) were skipped here in purpose. +# +# TODO: Other potential metrics: +# * CPU time spent in IO wait to be able to tell when you are waiting on the disk or some other IO device. + + +- name: host.diskio.io.ops + type: long + time_series_metric: gauge + description: > + The total number of I/Os in progress. + +- name: host.diskio.io.time + type: long + time_series_metric: gauge + description: > + The total number of of milliseconds spent doing I/Os. + + +### File system stats ### + +# The file system metrics indicate how full the disks are. +# +# If there are multiple file systems, this is a summary of all the file systems. + + # TODO: Discuss if it should be `fsstat` or `fsstats` (plural) +- name: host.fsstats.total_size.used + type: long + format: bytes + time_series_metric: gauge + description: > + Total disk space used in bytes. + +- name: host.fsstats.total_size.total + type: long + format: bytes + time_series_metric: gauge + description: > + Total size of disks in bytes. + + # TODO: Name discussion needed as `.pct` would conflict with keyword / object + # In case `subobject: false` is used, this would work. +- name: host.fsstats.total_size.used.pct + type: long + format: bytes + time_series_metric: gauge + description: > + Percentage of disk space used. + + + +### Load ### + +# These are the normalised load metrics for a host. +# +# The values are normalised by the number of cores available on the machine. If 4 cores are available, the values are devided by 4. +# +# These metrics might not be available on windows. +# +# Same metrics with a system.* prefix are collected by metricbeat: https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-system-load.html +# +# DISCUSS: what should we do with these values around windows? 
+ +- name: host.load.norm.1 + type: double + # Support this requires an Elasticsearch version on 8.6 or newer + time_series_metric: gauge + description: > + Load on the host for the last minute divided by the number of cores. + +- name: host.load.norm.5 + type: double + time_series_metric: gauge + description: > + Load on the host for the five minutes divided by the number of cores. + +- name: host.load.norm.15 + type: double + time_series_metric: gauge + description: > + Load on the host for the fifteen minutes divided by the number of cores. + + +### Memory ### + +# Memory metrics for the host +# +# Same metrics with a system.* prefix are collected by metricbeat: https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-system-memory.html + + # TODO: There seems to be some ambiguity around this metric? +- name: host.memory.actual.used.bytes + type: long + time_series_metric: gauge + description: > + Actual used memory in bytes. It represents the difference between the total and the available memory. + The available memory depends on the OS. + +- name: host.memory.actual.used.pct + type: double + time_series_metric: gauge + description: > + The percentage of actual used memory. + +- name: host.memory.total + type: long + time_series_metric: gauge + description: > + Total memory available on the host machine. + + +### Network ### + +# Network egress and ingress metrics. +# +# The following are 2 existing ECS metrics found under https://www.elastic.co/guide/en/ecs/current/ecs-host.html + +- name: host.network.egress.bytes + type: long + level: extended + short: The number of bytes sent on all network interfaces of a host. + time_series_metric: gauge # This part is new + description: > + The number of bytes (gauge) sent out on all network interfaces by the + host since the last metric collection. 
+ +- name: host.network.egress.packets + type: long + level: extended + time_series_metric: gauge # This part is new + short: The number of packets sent on all network interfaces of a host. + description: > + The number of packets (gauge) sent out on all network interfaces by the + host since the last metric collection. \ No newline at end of file From a16655a4f9e8bc7dfb6945c6760370e707b3511a Mon Sep 17 00:00:00 2001 From: lgestc <11671118+lgestc@users.noreply.github.com> Date: Tue, 28 Mar 2023 15:17:33 +0200 Subject: [PATCH 081/186] Trigger elastic/ecs-typescript workflow after ecs-release is published (#2182) * Trigger generate.yml workflow after ecs-release is published * Update .github/workflows/build_ecs_typescript.yml Co-authored-by: Eric Beahan --------- Co-authored-by: Eric Beahan --- .github/workflows/build_ecs_typescript.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 .github/workflows/build_ecs_typescript.yml diff --git a/.github/workflows/build_ecs_typescript.yml b/.github/workflows/build_ecs_typescript.yml new file mode 100644 index 0000000000..49a8d00c4f --- /dev/null +++ b/.github/workflows/build_ecs_typescript.yml @@ -0,0 +1,20 @@ +name: Build ecs-typescript and create updated definitions PR +on: + release: + types: [published] + +jobs: + notify: + runs-on: ubuntu-latest + + steps: + # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it + - name: Trigger workflow on ecs-typescript + run: | + curl -L \ + -X POST \ + -H "Accept: application/vnd.github+json" \ + -H "Authorization: Bearer ${{ secrets.ECS_TYPESCRIPT_REPO_TRIGGER_KEY }}" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + https://api.github.com/repos/elastic/ecs-typescript/actions/workflows/generate.yml/dispatches \ + -d '{"ref":"main","inputs":{"ecsRef":"${{ env.RELEASE_VERSION }}"}}' From d8ebcab238a06bc34cd5420e8497e504f8e00770 Mon Sep 17 00:00:00 2001 
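Review bot: in the rfcs/text/0037/host.yml hunk, `host.fsstats.total_size.used.pct` is declared `type: long` with `format: bytes` while its description is "Percentage of disk space used"; the other `.pct` fields use `double` with no `format`, so this should be `type: double` without `format: bytes`. The TODO above it also flags a real mapping problem: `host.fsstats.total_size.used` is a `long` leaf and `host.fsstats.total_size.used.pct` requires `used` to be an object, which Elasticsearch will not map unless `subobjects: false` is used, so the naming needs to be settled before stage 1. Smaller points in the same file: `host.memory.total` lacks the `.bytes` suffix and `format: bytes` its siblings use; `host.diskio.io.ops`, `host.diskio.io.time` and `host.network.egress.packets` are defined here but absent from the field list in 0037-host-metrics.md, and there is no ingress packets counterpart; "The total number of of milliseconds" doubles a word; "devided" should be "divided", and the comments mix "normalized" and "normalised".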
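Review bot: in 0037-host-metrics.md, the Scope of impact section argues that moving to `host.*` allows TSDB `gauge` and `counter` types "without a breaking change", yet host.yml only ever uses `gauge`, including for `host.network.egress.bytes`, which is described as bytes "since the last metric collection"; state whether these network values are per-interval deltas (gauge) or cumulative totals (counter), since the two aggregate differently. Typos in the same file: "In the context if usage" (of), "A agent" (An agent), "The can come delivered" (They can be delivered), and the `host.cpu.usage` concern ends without a question mark; the link to `schemas/host.yml#L122` pins a line number on `main` and will drift, so link to the published ecs-host field reference instead.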
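Review bot: in .github/workflows/build_ecs_typescript.yml, the dispatch payload uses `${{ env.RELEASE_VERSION }}` but nothing in the workflow sets `RELEASE_VERSION` in `env`, so `ecsRef` is sent as an empty string and the downstream `generate.yml` run has no release to build against; for a `release: published` trigger the tag is available as `${{ github.event.release.tag_name }}`. Also pass `--fail` (or `--fail-with-body`) to `curl`, otherwise a 401/404/422 from the dispatches endpoint still exits 0 and the job reports success, and drop the leftover "Checks-out your repository under $GITHUB_WORKSPACE" comment since there is no checkout step.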
From: Marc Guasch Date: Thu, 30 Mar 2023 14:58:45 +0200 Subject: [PATCH 082/186] Move 8.7.0 entries from CHANGELOG.next.md to CHANGELOG.md (#2184) (#2187) --- CHANGELOG.md | 25 +++++++++++++++++++++++++ CHANGELOG.next.md | 25 ------------------------- 2 files changed, 25 insertions(+), 25 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 51c57685ea..8c3af96c00 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,31 @@ # CHANGELOG All notable changes to this project will be documented in this file based on the [Keep a Changelog](http://keepachangelog.com/) Standard. This project adheres to [Semantic Versioning](http://semver.org/). +## [8.7.0](https://github.com/elastic/ecs/compare/v8.6.1...v8.7.0) + +### Schema Changes + +#### Bugfixes + +* remove duplicated `client.domain` definition #2120 + +#### Added + +* adding `name` field to `threat.indicator` #2121 +* adding `api` option to `event.category` #2147 +* adding `library` option to `event.category` #2154 + +#### Improvements + +* description for `host.name` definition updated to encourage use of FDQN #2122 + +### Tooling and Artifact Changes + +#### Improvements + +* Updated usage docs to include `threat.indicator.url.domain` and changed `indicator.marking.tlp` and `indicator.enrichments.marking.tlp` from "WHITE" to "CLEAR" to align with TLP 2.0. #2124 +* Bump `gitpython` from `3.1.27` to `3.1.30` in `/scripts`. #2139 + ## [8.6.1](https://github.com/elastic/ecs/compare/v8.6.0...v8.6.1) ### Schema Changes diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 5564a50461..9ef7a7775c 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md 
@@ -38,31 +38,6 @@ Thanks, you're awesome :-) --> #### Deprecated -## 8.7.0 (Hard Feature Freeze) - -### Schema Changes - -#### Bugfixes - -* remove duplicated `client.domain` definition #2120 - -#### Added - -* adding `name` field to `threat.indicator` #2121 -* adding `api` option to `event.category` #2147 -* adding `library` option to `event.category` #2154 - -#### Improvements - -* description for `host.name` definition updated to encourage use of FDQN #2122 - -### Tooling and Artifact Changes - -#### Improvements - -* Updated usage docs to include `threat.indicator.url.domain` and changed `indicator.marking.tlp` and `indicator.enrichments.marking.tlp` from "WHITE" to "CLEAR" to align with TLP 2.0. #2124 -* Bump `gitpython` from `3.1.27` to `3.1.30` in `/scripts`. #2139 - + +- Stage: **2 (Candidate)** +- Date: **2023-03-31** + + + + + + + + + +## Fields + +This RFC proposes extending the list of allowed values for `event.kind` with an additional value, `asset`. + + + + + +## Usage + +We want to represent a catalog of assets where each document represents some type of user or device entity. The `event.kind` field with `asset` value will be used to identity these types of documents. It has also been proposed that we combine this with other fields to have a more exact definition. 
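Review bot: the CHANGELOG.md hunk moves the 8.7.0 entries verbatim, including "encourage use of FDQN", which should read "FQDN"; since the line is being rewritten into the released changelog anyway, fix the typo here rather than carrying it forward.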
For example, a user document may have these event fields specified: + +* `event.kind: asset` +* `event.category: [iam]` +* `event.type: [user, info]` + + + +## Source data + +An example of a user entity document, with `event.kind: asset`: + +```json +{ + "input": { + "type": "entity-analytics" + }, + "@timestamp": "2023-02-23T20:03:17.489Z", + "event": { + "agent_id_status": "verified", + "ingested": "2023-02-23T20:03:18Z", + "provider": "Azure AD", + "kind": "asset", + "action": "user-discovered", + "category": [ + "iam" + ], + "type": [ + "user", + "info" + ], + "dataset": "entityanalytics_azure.users" + }, + "user": { + "full_name": "Test User", + "phone": [ + "1235559999" + ], + "name": [ + "test.user@example.com" + ], + "id": "b3e92fd4-0269-49ae-8a26-812e952bb7ad", + "email": "test.user@example.com" + }, + "labels": { + "identity_source": "entity-analytics-entityanalytics_azure.users-c1745610-d9a4-437f-a8f8-82ab45ace54a" + } + } +``` + + + + + + + +## Scope of impact + + + +We expect to use the `asset` value within the security solution consistently across asset management, external asset integrations, and persisting related metadata. This field may be further leveraged in o11y topology work as they also are exploring ways to extend the asset.* fields within ECS. + +## Concerns + + + + + + + +There are no breaking changes identified. There are no other concerns to note at this time. + +## People + +The following are the people that consulted on the contents of this RFC. + +* @taylor-swanson | author +* @SourinPaul | sponsor +* @MikePaquette | sponsor + + + + +## References + + + +### RFC Pull Requests + + + +* Stage 0-2: https://github.com/elastic/ecs/pull/2178 + + diff --git a/rfcs/text/0038/event.yml b/rfcs/text/0038/event.yml new file mode 100644 index 0000000000..35e1df734c --- /dev/null +++ b/rfcs/text/0038/event.yml 
@@ -0,0 +1,50 @@ +# Licensed to Elasticsearch B.V. under one or more contributor +# license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright +# ownership. Elasticsearch B.V. licenses this file to you under +# the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +--- +- name: event + title: Event + group: 2 + short: Fields breaking down the event details. + description: > + The event fields are ... # Omitted for brevity + type: group + + fields: + - name: kind + level: core + type: keyword + short: The kind of the event. The highest categorization field in the hierarchy. + description: > + This is one of four ECS ... # Omitted for brevity + example: alert + allowed_values: + - name: asset + description: > + This value indicates events whose primary purpose is to store an inventory of + assets/entities and their attributes. Assets/entities are objects (such as + users and hosts) that are expected to be subjects of detailed analysis within + the system. + + Examples include lists of user identities or accounts ingested from directory + services such as Active Directory (AD), inventory of hosts pulled from + configuration management databases (CMDB), and lists of cloud storage buckets + pulled from cloud provider API's. + + This value is used by Elastic Security for asset management solutions. 
+ `event.kind: asset` is not used for normal system events or logs that are coming + from an asset/entity, nor is it used for system events or logs coming from a + directory or CMDB system. From 261a873fcb24ceb9e1a37f40d12905549197579c Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Mon, 10 Apr 2023 08:23:19 -0500 Subject: [PATCH 085/186] RFC 0038: Add `event.kind: asset` - stage 2 changes (#2191) * add event.kind:asset as beta category * artifacts * changelog * fix typo --- CHANGELOG.next.md | 1 + docs/fields/field-details.asciidoc | 2 +- docs/fields/field-values.asciidoc | 15 +++++++++++++++ experimental/generated/ecs/ecs_flat.yml | 16 ++++++++++++++++ experimental/generated/ecs/ecs_nested.yml | 16 ++++++++++++++++ generated/ecs/ecs_flat.yml | 16 ++++++++++++++++ generated/ecs/ecs_nested.yml | 16 ++++++++++++++++ schemas/event.yml | 18 ++++++++++++++++++ 8 files changed, 99 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 9ef7a7775c..1c0548fd67 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -17,6 +17,7 @@ Thanks, you're awesome :-) --> #### Added * Add `access` as an allowed type for `event.type: file`. #2174 +* Add `event.kind: asset` as a beta category. #2191 #### Improvements diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index 4efa309cf4..6c78f2919a 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -3562,7 +3562,7 @@ type: keyword *Important*: The field value must be one of the following: -alert, enrichment, event, metric, state, pipeline_error, signal +alert, asset, enrichment, event, metric, state, pipeline_error, signal To learn more about when to use which value, visit the page <> diff --git a/docs/fields/field-values.asciidoc b/docs/fields/field-values.asciidoc index 4c1788368e..11356f66b2 100644 --- a/docs/fields/field-values.asciidoc +++ b/docs/fields/field-values.asciidoc 
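Review bot: the Concerns section of the RFC 0038 markdown states there are no breaking changes, but field-details.asciidoc documents `event.kind` as a value that "must be one of the following", so ingest pipelines or validators that enforce that closed list will reject `asset` documents until updated; worth listing as an impact alongside the beta caveat. In the example document, `user.name` carries `test.user@example.com` while `user.email` holds the same value; ECS defines `user.name` as the short login name, so the sample should use a distinct login or the text should say the source exposes none.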
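Review bot: in rfcs/text/0038/event.yml, "cloud provider API's" should be "APIs" (the stage-2 artifacts in the next commit already use the corrected spelling), and the `asset` entry here lacks the `beta:` marker that the stage-2 change to schemas/event.yml adds, so the RFC copy and the live schema will diverge unless the RFC file is updated too.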
@@ -40,6 +40,7 @@ The value of this field can be used to inform how these kinds of events should b *Allowed Values* * <> +* <> * <> * <> * <> @@ -59,6 +60,20 @@ This value is not used by Elastic solutions for alert documents that are created +[float] +[[ecs-event-kind-asset]] +==== asset + +beta:[ This event categorization value is beta and subject to change. ] + +This value indicates events whose primary purpose is to store an inventory of assets/entities and their attributes. Assets/entities are objects (such as users and hosts) that are expected to be subjects of detailed analysis within the system. + +Examples include lists of user identities or accounts ingested from directory services such as Active Directory (AD), inventory of hosts pulled from configuration management databases (CMDB), and lists of cloud storage buckets pulled from cloud provider APIs. + +This value is used by Elastic Security for asset management solutions. `event.kind: asset` is not used for normal system events or logs that are coming from an asset/entity, nor is it used for system events or logs coming from a directory or CMDB system. + + + [float] [[ecs-event-kind-enrichment]] ==== enrichment diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 1c7b03bb28..bff6b1f9b1 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -3305,6 +3305,22 @@ event.kind: This value is not used by Elastic solutions for alert documents that are created by rules executing within the Kibana alerting framework.' name: alert + - beta: This event categorization value is beta and subject to change. + description: 'This value indicates events whose primary purpose is to store an + inventory of assets/entities and their attributes. Assets/entities are objects + (such as users and hosts) that are expected to be subjects of detailed analysis + within the system. + + Examples include lists of user identities or accounts ingested from directory + services such as Active Directory (AD), inventory of hosts pulled from configuration + management databases (CMDB), and lists of cloud storage buckets pulled from + cloud provider APIs. + + This value is used by Elastic Security for asset management solutions. `event.kind: + asset` is not used for normal system events or logs that are coming from an + asset/entity, nor is it used for system events or logs coming from a directory + or CMDB system.' + name: asset - description: 'The `enrichment` value indicates an event collected to provide additional context, often to other events. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 444e2d1493..ac4d22cc35 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -4302,6 +4302,22 @@ event: This value is not used by Elastic solutions for alert documents that are created by rules executing within the Kibana alerting framework.' name: alert + - beta: This event categorization value is beta and subject to change. + description: 'This value indicates events whose primary purpose is to store + an inventory of assets/entities and their attributes. Assets/entities are + objects (such as users and hosts) that are expected to be subjects of detailed + analysis within the system. + + Examples include lists of user identities or accounts ingested from directory + services such as Active Directory (AD), inventory of hosts pulled from configuration + management databases (CMDB), and lists of cloud storage buckets pulled from + cloud provider APIs. + + This value is used by Elastic Security for asset management solutions. `event.kind: + asset` is not used for normal system events or logs that are coming from + an asset/entity, nor is it used for system events or logs coming from a + directory or CMDB system.' + name: asset - description: 'The `enrichment` value indicates an event collected to provide additional context, often to other events. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 41eeb653e9..2507051061 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -3236,6 +3236,22 @@ event.kind: This value is not used by Elastic solutions for alert documents that are created by rules executing within the Kibana alerting framework.' name: alert + - beta: This event categorization value is beta and subject to change. + description: 'This value indicates events whose primary purpose is to store an + inventory of assets/entities and their attributes. Assets/entities are objects + (such as users and hosts) that are expected to be subjects of detailed analysis + within the system. + + Examples include lists of user identities or accounts ingested from directory + services such as Active Directory (AD), inventory of hosts pulled from configuration + management databases (CMDB), and lists of cloud storage buckets pulled from + cloud provider APIs. + + This value is used by Elastic Security for asset management solutions. `event.kind: + asset` is not used for normal system events or logs that are coming from an + asset/entity, nor is it used for system events or logs coming from a directory + or CMDB system.' + name: asset - description: 'The `enrichment` value indicates an event collected to provide additional context, often to other events. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 4d9a65a010..14aebf51de 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -4222,6 +4222,22 @@ event: This value is not used by Elastic solutions for alert documents that are created by rules executing within the Kibana alerting framework.' name: alert + - beta: This event categorization value is beta and subject to change. + description: 'This value indicates events whose primary purpose is to store + an inventory of assets/entities and their attributes. Assets/entities are + objects (such as users and hosts) that are expected to be subjects of detailed + analysis within the system. + + Examples include lists of user identities or accounts ingested from directory + services such as Active Directory (AD), inventory of hosts pulled from configuration + management databases (CMDB), and lists of cloud storage buckets pulled from + cloud provider APIs. + + This value is used by Elastic Security for asset management solutions. `event.kind: + asset` is not used for normal system events or logs that are coming from + an asset/entity, nor is it used for system events or logs coming from a + directory or CMDB system.' + name: asset - description: 'The `enrichment` value indicates an event collected to provide additional context, often to other events. diff --git a/schemas/event.yml b/schemas/event.yml index f17c4b45c0..20ae8c756d 100644 --- a/schemas/event.yml +++ b/schemas/event.yml 
@@ -83,6 +83,24 @@ This value is not used by Elastic solutions for alert documents that are created by rules executing within the Kibana alerting framework. + - name: asset + description: > + This value indicates events whose primary purpose is to store an inventory of + assets/entities and their attributes. Assets/entities are objects (such as + users and hosts) that are expected to be subjects of detailed analysis within + the system. + + Examples include lists of user identities or accounts ingested from directory + services such as Active Directory (AD), inventory of hosts pulled from + configuration management databases (CMDB), and lists of cloud storage buckets + pulled from cloud provider APIs. + + This value is used by Elastic Security for asset management solutions. + `event.kind: asset` is not used for normal system events or logs that are coming + from an asset/entity, nor is it used for system events or logs coming from a + directory or CMDB system. + beta: > + This event categorization value is beta and subject to change. - name: enrichment description: > The `enrichment` value indicates an event collected to provide additional From a1c9ef882ac027987361705a267fcc14fc33f95d Mon Sep 17 00:00:00 2001 
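Review bot: the `asset` description added in schemas/event.yml (and mirrored into ecs_flat.yml and ecs_nested.yml) draws its boundary only by negation, which leaves the Active Directory example it uses ambiguous: "lists of user identities or accounts ingested from directory services such as Active Directory" is `asset`, while "system events or logs coming from a directory or CMDB system" is not, and nothing says which kind an AD audit record about an account falls under. Suggest one explicit pair in the description, e.g. a scheduled dump of AD user objects -> `event.kind: asset`; an AD account-creation audit log entry -> `event.kind: event`, so a reader sees the same source producing both kinds. It would also help to state whether one asset document describes exactly one entity or may carry a list, since "lists of user identities" and "inventory of hosts" can be read either way, and entity-analytics and detection consumers will key on that choice.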
From: Agi K Thomas <101976829+agithomas@users.noreply.github.com> Date: Tue, 11 Apr 2023 20:01:20 +0530 Subject: [PATCH 086/186] [RFC] Stage 0 - TSDB Dimensions (#2172) * [RFC] Stage 0 - TSDB Dimensions * Updated the name of the RFC * Updated the example in RFC * Updated the pull request URL in the document * Update rfcs/0000-tsdb-dimensions.md * Update rfcs/0000-tsdb-dimensions.md * Added additional reviewer * Updated from host.hostname to host.name * Removed newlines * Updated information of every dimension fields based on the final list * Kept the dimension field tagging right after the type declaration * set RFC # and advancement date for stage 0 * fixing date to reflect actual merge date --------- Co-authored-by: Eric Beahan --- rfcs/text/0039-tsdb-dimensions.md | 333 ++++++++++++++++++++++++++++++ 1 file changed, 333 insertions(+) create mode 100644 rfcs/text/0039-tsdb-dimensions.md diff --git a/rfcs/text/0039-tsdb-dimensions.md b/rfcs/text/0039-tsdb-dimensions.md new file mode 100644 index 0000000000..a600eb2c99 --- /dev/null +++ b/rfcs/text/0039-tsdb-dimensions.md 
@@ -0,0 +1,333 @@ +# 0039: TSDB Dimensions + + +- Stage: **0 (strawperson)** +- Date: **2023-04-11** + + + + + + + + + +## Fields + +This RFC proposes the annotating of certain ecs fields as `dimension`. This change is proposed to take the advantage of using `TSDB` offered by the elasticsearch without impacting the data injection. + +Annotating field as `dimension` is one of the important step in the process of TSDB adoption. Failing to annotate adequate number of fields as `dimension` when `TSDB` is enabled may lead to data loss. A large majority of fields that must be annotated as `dimension` fields are ecs fields. Presently, the Integration (Service Integration, Cloud Native, etc ) developers are expected to annotate ecs fields as `dimensions` in integration configuration. To avoid the duplicatation in configuration, minimize data loss probability, the RFC is proposed. `dimension` field takes two values - `true` and `false`. + + +Changes to :service mapping + +```yaml +--- +- name: service + title: Service + group: 2 + short: Fields describing the service for or from which the data was collected. + description: > + The service fields describe the service for or from which the data was collected. + + These fields help you find and correlate logs for a specific + service and version. + footnote: > + The service fields may be self-nested under service.origin.* and service.target.* + to describe origin or target services in the context of incoming or outgoing requests, + respectively. + However, the fieldsets service.origin.* and service.target.* must not be confused with + the root service fieldset that is used to describe the actual service under observation. + The fieldset service.origin.* may only be used in the context of incoming requests or + events to describe the originating service of the request. The fieldset service.target.* + may only be used in the context of outgoing requests or events to describe the target + service of the request. 
+ reusable: + top_level: true + expected: + - at: service + as: origin + beta: Reusing the `service` fields in this location is currently considered beta. + short_override: Describes the origin service in case of an incoming request or event. + - at: service + as: target + beta: Reusing the `service` fields in this location is currently considered beta. + short_override: Describes the target service in case of an outgoing request or event. + type: group + fields: + + - name: address + level: extended + type: keyword + dimension: true + short: Address of this service. + description: > + Address where data about this service was collected from. + + This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). + example: 172.26.0.2:5432 + +``` +Changes to host mapping + +```yaml +--- +- name: host + title: Host + group: 2 + short: Fields describing the relevant computing instance. + description: > + A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which + the event happened, or from which the measurement was taken. + Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. + type: group + fields: + - name: name + level: core + type: keyword + dimension: true + short: Name of the host. + description: > + Name of the host. + It can contain what hostname returns on Unix systems, the fully + qualified domain name (FQDN), or a name specified by the user. + The recommended value is the lowercase FQDN of the host. + +``` +Changes to agent mapping + +```yaml +--- +- name: agent + title: Agent + group: 2 + short: Fields about the monitoring agent. + description: > + The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. + + Examples include Beats. Agents may also run on observers. 
ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. + footnote: > + Examples: In the case of Beats for logs, the agent.name is filebeat. For APM, it is the + agent running in the app/service. The agent information does not change if + data is sent through queuing systems like Kafka, Redis, or processing systems + such as Logstash or APM Server. + type: group + fields: + + - name: id + level: core + type: keyword + dimension: true + short: Unique identifier of this agent. + description: > + Unique identifier of this agent (if one exists). + + Example: For Beats this would be beat.id. + example: 8a4f500d +``` + +Changes to cloud mapping + +```yaml +--- +- name: cloud + title: Cloud + group: 2 + short: Fields about the cloud resource. + description: > + Fields related to the cloud or infrastructure the events + are coming from. + footnote: > + Examples: If Metricbeat is running on an EC2 host and fetches data from its + host, the cloud info contains the data about this machine. If Metricbeat + runs on a remote machine outside the cloud and fetches data from a service + running in the cloud, the field contains cloud data from the machine the + service is running on. + The cloud fields may be self-nested under cloud.origin.* and cloud.target.* + to describe origin or target service's cloud information in the context of + incoming or outgoing requests, respectively. However, the fieldsets + cloud.origin.* and cloud.target.* must not be confused with the root cloud + fieldset that is used to describe the cloud context of the actual service + under observation. The fieldset cloud.origin.* may only be used in the + context of incoming requests or events to provide the originating service's + cloud information. The fieldset cloud.target.* may only be used in the + context of outgoing requests or events to describe the target service's + cloud information. 
+ reusable: + top_level: true + expected: + - at: cloud + as: origin + beta: Reusing the `cloud` fields in this location is currently considered beta. + short_override: Provides the cloud information of the origin entity in case of an incoming request or event. + - at: cloud + as: target + beta: Reusing the `cloud` fields in this location is currently considered beta. + short_override: Provides the cloud information of the target entity in case of an outgoing request or event. + type: group + fields: + - name: project.id + level: extended + type: keyword + dimension: true + example: my-project + short: The cloud project id. + description: > + The cloud project identifier. + Examples: Google Cloud Project id, Azure Project id. + + + - name: instance.id + level: extended + type: keyword + dimension: true + example: i-1234567890abcdef0 + description: > + Instance ID of the host machine. + + - name: provider + level: extended + example: aws + type: keyword + dimension: true + short: Name of the cloud provider. + description: > + Name of the cloud provider. Example values are aws, azure, gcp, or + digitalocean. +``` + +Changes to container mapping + +```yaml +--- +- name: container + title: Container + group: 2 + short: Fields describing the container that generated this event. + description: > + Container fields are used for meta information about the specific container + that is the source of information. + These fields help correlate data based containers from any runtime. + type: group + fields: + - name: id + level: core + type: keyword + dimension: true + description: > + Unique container id. +``` + + + + +## Usage + + + +Integration package development is the key beneficiary of this change. The fields of the document that are received from an integration receives a field mapping. If and when TSDB benefits are to be utilised, along with the field mapping with a metric type, at least one of the fields must receive `dimension: true` annotation. 
+ +Example of field mapping in integrations with the field enabled as a dimension field. +```yaml +--- +- name: wait_class + type: keyword + dimension: true + description: Every wait event belongs to a class of wait event. + +``` +## Source data + +The source of this data comes from monitoring a host like a Linux machine, laptop or a k8s node. The can come delivered through different shippers like Elastic Agent system metrics inputs, apm agents, prometheus node exporter and other host metric collectors. + + + + + + +## Scope of impact + + + +## Concerns + +No concerns are known as of now. Presence of the `dimension:true` does not impact functionality. Elastic Stack version 8.7 is essential for this. + + + + + + +## People + +The following are the people that consulted on the contents of this RFC. + +* @agithomas | author +* @ruflin | subject matter expert +* @lalit-satapathy | reviewer +* @martijnvg | reviewer + + + +## References + +* [TSDB Design Document](https://github.com/elastic/elasticsearch-adrs/blob/master/analytics/tsdb/tsdb-design.md) +* [Oracle Package Pull Request for TSDB Migraiton](https://github.com/elastic/integrations/pull/4966) + + + +### RFC Pull Requests + + + +* Stage 0: https://github.com/elastic/ecs/pull/2172 + + From ea6c0bb1196ef8790a44f28773f52909b904eacf Mon Sep 17 00:00:00 2001 
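Review bot: the `service` and `cloud` blocks in rfcs/text/0039-tsdb-dimensions.md mark `service.address`, `cloud.project.id`, `cloud.instance.id` and `cloud.provider` as `dimension: true` while both field sets carry `reusable:` entries for `origin` and `target`, but the RFC does not say whether the annotation is inherited by `service.origin.address`, `cloud.target.provider` and the rest, or applies only at the top level. That should be stated before stage 1: it changes the dimension count per index (Elasticsearch caps how many dimension fields an index may declare, and integrations add their own on top, as the `wait_class` example in Usage shows), and origin/target fields are absent on most documents. Two smaller points: the Fields section says failing to annotate enough dimensions "may lead to data loss" without saying why; one sentence on the mechanism (in a TSDB index the `_id` is derived from the dimension values and `@timestamp`, so two documents that agree on both are treated as the same document and one is lost) would make the motivation concrete. And a few typos to fix: "duplicatation", "data injection" (ingestion is meant), "The can come delivered", and "Migraiton" in the References link text.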
From: Kylie Meli Date: Tue, 25 Apr 2023 11:04:33 -0400 Subject: [PATCH 087/186] Bumping version to 8.9.0-dev for 8.8 FF (#2197) --- docs/fields/fields.asciidoc | 2 +- docs/index.asciidoc | 2 +- experimental/generated/beats/fields.ecs.yml | 2 +- experimental/generated/csv/fields.csv | 3476 ++++++++--------- .../composable/component/agent.json | 2 +- .../composable/component/base.json | 2 +- .../composable/component/cgroup.json | 2 +- .../composable/component/client.json | 2 +- .../composable/component/cloud.json | 2 +- .../composable/component/container.json | 2 +- .../composable/component/data_stream.json | 2 +- .../composable/component/destination.json | 2 +- .../composable/component/device.json | 2 +- .../composable/component/dll.json | 2 +- .../composable/component/dns.json | 2 +- .../composable/component/ecs.json | 2 +- .../composable/component/email.json | 2 +- .../composable/component/error.json | 2 +- .../composable/component/event.json | 2 +- .../composable/component/faas.json | 2 +- .../composable/component/file.json | 2 +- .../composable/component/group.json | 2 +- .../composable/component/host.json | 2 +- .../composable/component/http.json | 2 +- .../composable/component/log.json | 2 +- .../composable/component/network.json | 2 +- .../composable/component/observer.json | 2 +- .../composable/component/orchestrator.json | 2 +- .../composable/component/organization.json | 2 +- .../composable/component/package.json | 2 +- .../composable/component/process.json | 2 +- .../composable/component/registry.json | 2 +- .../composable/component/related.json | 2 +- .../composable/component/rule.json | 2 +- .../composable/component/server.json | 2 +- .../composable/component/service.json | 2 +- .../composable/component/source.json | 2 +- .../composable/component/threat.json | 2 +- .../composable/component/tls.json | 2 +- .../composable/component/tracing.json | 2 +- .../composable/component/url.json | 2 +- .../composable/component/user.json | 2 +- 
.../composable/component/user_agent.json | 2 +- .../composable/component/vulnerability.json | 2 +- .../elasticsearch/composable/template.json | 82 +- .../elasticsearch/legacy/template.json | 2 +- generated/beats/fields.ecs.yml | 2 +- generated/csv/fields.csv | 3462 ++++++++-------- .../composable/component/agent.json | 2 +- .../composable/component/base.json | 2 +- .../composable/component/client.json | 2 +- .../composable/component/cloud.json | 2 +- .../composable/component/container.json | 2 +- .../composable/component/data_stream.json | 2 +- .../composable/component/destination.json | 2 +- .../composable/component/device.json | 2 +- .../composable/component/dll.json | 2 +- .../composable/component/dns.json | 2 +- .../composable/component/ecs.json | 2 +- .../composable/component/email.json | 2 +- .../composable/component/error.json | 2 +- .../composable/component/event.json | 2 +- .../composable/component/faas.json | 2 +- .../composable/component/file.json | 2 +- .../composable/component/group.json | 2 +- .../composable/component/host.json | 2 +- .../composable/component/http.json | 2 +- .../composable/component/log.json | 2 +- .../composable/component/network.json | 2 +- .../composable/component/observer.json | 2 +- .../composable/component/orchestrator.json | 2 +- .../composable/component/organization.json | 2 +- .../composable/component/package.json | 2 +- .../composable/component/process.json | 2 +- .../composable/component/registry.json | 2 +- .../composable/component/related.json | 2 +- .../composable/component/rule.json | 2 +- .../composable/component/server.json | 2 +- .../composable/component/service.json | 2 +- .../composable/component/source.json | 2 +- .../composable/component/threat.json | 2 +- .../composable/component/tls.json | 2 +- .../composable/component/tracing.json | 2 +- .../composable/component/url.json | 2 +- .../composable/component/user.json | 2 +- .../composable/component/user_agent.json | 2 +- .../composable/component/vulnerability.json 
| 2 +- .../elasticsearch/composable/template.json | 80 +- generated/elasticsearch/legacy/template.json | 2 +- version | 2 +- 90 files changed, 3636 insertions(+), 3636 deletions(-) diff --git a/docs/fields/fields.asciidoc b/docs/fields/fields.asciidoc index a968563dfa..0fef5fa1e1 100644 --- a/docs/fields/fields.asciidoc +++ b/docs/fields/fields.asciidoc @@ -1,7 +1,7 @@ [[ecs-field-reference]] == {ecs} Field Reference -This is the documentation of ECS version 8.8.0-dev. +This is the documentation of ECS version 8.9.0-dev. ECS defines multiple groups of related fields. They are called "field sets". The <> field set is the only one whose fields are defined diff --git a/docs/index.asciidoc b/docs/index.asciidoc index b892ce24bd..30d36104ca 100644 --- a/docs/index.asciidoc +++ b/docs/index.asciidoc @@ -13,7 +13,7 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[] [[ecs-reference]] == Overview -This is the documentation of ECS version 8.8.0-dev. +This is the documentation of ECS version 8.9.0-dev. [float] === What is ECS? diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 6d567340b7..5401c30f08 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -1,5 +1,5 @@ # WARNING! Do not edit this file directly, it was generated by the ECS project, -# based on ECS version 8.8.0-dev+exp. +# based on ECS version 8.9.0-dev+exp. # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields. - key: ecs diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index e9e979dd47..ecbb826a0c 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -1,1739 +1,1739 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description -8.8.0-dev+exp,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. -8.8.0-dev+exp,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. -8.8.0-dev+exp,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer. -8.8.0-dev+exp,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. -8.8.0-dev+exp,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. -8.8.0-dev+exp,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. -8.8.0-dev+exp,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. -8.8.0-dev+exp,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. -8.8.0-dev+exp,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. -8.8.0-dev+exp,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. -8.8.0-dev+exp,true,cgroup,cgroup.cpu.periods,long,extended,,454839343,Number of period intervals that have elapsed. -8.8.0-dev+exp,true,cgroup,cgroup.cpu.throttled.us,long,extended,,15000,Microseconds of CPU throttled time. -8.8.0-dev+exp,true,cgroup,cgroup.cpu.usage,scaled_float,extended,,,"CPU usage, normalized by the CPU count." -8.8.0-dev+exp,true,cgroup,cgroup.memory.limit,long,extended,,256,Memory limit within the cgroup. -8.8.0-dev+exp,true,cgroup,cgroup.memory.swap.usage,long,extended,,5600,The amount of cgroup memory in swap. 
-8.8.0-dev+exp,true,cgroup,cgroup.memory.usage,long,extended,,25600,Memory usage in bytes -8.8.0-dev+exp,true,cgroup,cgroup.version,long,extended,,,The cgroup version linked to the metrics -8.8.0-dev+exp,true,client,client.address,keyword,extended,,,Client network address. -8.8.0-dev+exp,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.8.0-dev+exp,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.8.0-dev+exp,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.8.0-dev+exp,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. -8.8.0-dev+exp,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client. -8.8.0-dev+exp,true,client,client.geo.city_name,keyword,core,,Montreal,City name. -8.8.0-dev+exp,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. -8.8.0-dev+exp,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. -8.8.0-dev+exp,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.8.0-dev+exp,true,client,client.geo.country_name,keyword,core,,Canada,Country name. -8.8.0-dev+exp,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.8.0-dev+exp,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.8.0-dev+exp,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. -8.8.0-dev+exp,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.8.0-dev+exp,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. -8.8.0-dev+exp,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.8.0-dev+exp,true,client,client.ip,ip,core,,,IP address of the client. 
-8.8.0-dev+exp,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. -8.8.0-dev+exp,true,client,client.nat.ip,ip,extended,,,Client NAT ip address -8.8.0-dev+exp,true,client,client.nat.port,long,extended,,,Client NAT port -8.8.0-dev+exp,true,client,client.packets,long,core,,12,Packets sent from the client to the server. -8.8.0-dev+exp,true,client,client.port,long,core,,,Port of the client. -8.8.0-dev+exp,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." -8.8.0-dev+exp,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. -8.8.0-dev+exp,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.8.0-dev+exp,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.8.0-dev+exp,true,client,client.user.email,keyword,extended,,,User email address. -8.8.0-dev+exp,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.8.0-dev+exp,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.8.0-dev+exp,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.8.0-dev+exp,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev+exp,true,client,client.user.group.name,keyword,extended,,,Name of the group. -8.8.0-dev+exp,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.8.0-dev+exp,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev+exp,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. 
-8.8.0-dev+exp,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.8.0-dev+exp,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. -8.8.0-dev+exp,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. -8.8.0-dev+exp,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -8.8.0-dev+exp,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -8.8.0-dev+exp,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. -8.8.0-dev+exp,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.8.0-dev+exp,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. -8.8.0-dev+exp,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. -8.8.0-dev+exp,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -8.8.0-dev+exp,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -8.8.0-dev+exp,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine. -8.8.0-dev+exp,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.8.0-dev+exp,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id. -8.8.0-dev+exp,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name. -8.8.0-dev+exp,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider. 
-8.8.0-dev+exp,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -8.8.0-dev+exp,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name. -8.8.0-dev+exp,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. -8.8.0-dev+exp,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. -8.8.0-dev+exp,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. -8.8.0-dev+exp,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -8.8.0-dev+exp,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. -8.8.0-dev+exp,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id. -8.8.0-dev+exp,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name. -8.8.0-dev+exp,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -8.8.0-dev+exp,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -8.8.0-dev+exp,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine. -8.8.0-dev+exp,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.8.0-dev+exp,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id. -8.8.0-dev+exp,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name. -8.8.0-dev+exp,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider. -8.8.0-dev+exp,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." 
-8.8.0-dev+exp,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name. -8.8.0-dev+exp,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -8.8.0-dev+exp,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -8.8.0-dev+exp,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -8.8.0-dev+exp,true,container,container.id,keyword,core,,,Unique container id. -8.8.0-dev+exp,true,container,container.image.hash.all,keyword,extended,array,[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26],An array of digests of the image the container was built on. -8.8.0-dev+exp,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. -8.8.0-dev+exp,true,container,container.image.tag,keyword,extended,array,,Container image tags. -8.8.0-dev+exp,true,container,container.labels,object,extended,,,Image labels. -8.8.0-dev+exp,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1." -8.8.0-dev+exp,true,container,container.name,keyword,extended,,,Container name. -8.8.0-dev+exp,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. -8.8.0-dev+exp,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -8.8.0-dev+exp,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. -8.8.0-dev+exp,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. -8.8.0-dev+exp,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. 
-8.8.0-dev+exp,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. -8.8.0-dev+exp,true,destination,destination.address,keyword,extended,,,Destination network address. -8.8.0-dev+exp,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.8.0-dev+exp,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.8.0-dev+exp,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.8.0-dev+exp,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. -8.8.0-dev+exp,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination. -8.8.0-dev+exp,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. -8.8.0-dev+exp,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. -8.8.0-dev+exp,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. -8.8.0-dev+exp,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.8.0-dev+exp,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. -8.8.0-dev+exp,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.8.0-dev+exp,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.8.0-dev+exp,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. -8.8.0-dev+exp,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.8.0-dev+exp,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. -8.8.0-dev+exp,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 
-8.8.0-dev+exp,true,destination,destination.ip,ip,core,,,IP address of the destination. -8.8.0-dev+exp,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. -8.8.0-dev+exp,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip -8.8.0-dev+exp,true,destination,destination.nat.port,long,extended,,,Destination NAT Port -8.8.0-dev+exp,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. -8.8.0-dev+exp,true,destination,destination.port,long,core,,,Port of the destination. -8.8.0-dev+exp,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." -8.8.0-dev+exp,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. -8.8.0-dev+exp,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.8.0-dev+exp,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.8.0-dev+exp,true,destination,destination.user.email,keyword,extended,,,User email address. -8.8.0-dev+exp,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.8.0-dev+exp,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.8.0-dev+exp,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.8.0-dev+exp,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev+exp,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. -8.8.0-dev+exp,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
-8.8.0-dev+exp,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev+exp,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.8.0-dev+exp,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. -8.8.0-dev+exp,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. -8.8.0-dev+exp,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. -8.8.0-dev+exp,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. -8.8.0-dev+exp,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.8.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.8.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.8.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.8.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.8.0-dev+exp,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.8.0-dev+exp,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 
-8.8.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.8.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.8.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. -8.8.0-dev+exp,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. -8.8.0-dev+exp,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. -8.8.0-dev+exp,true,dll,dll.hash.sha384,keyword,extended,,,SHA384 hash. -8.8.0-dev+exp,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. -8.8.0-dev+exp,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.8.0-dev+exp,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. -8.8.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. -8.8.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. -8.8.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.8.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.8.0-dev+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.8.0-dev+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.8.0-dev+exp,true,dll,dll.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.8.0-dev+exp,true,dll,dll.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.8.0-dev+exp,true,dll,dll.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.8.0-dev+exp,true,dll,dll.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 
-8.8.0-dev+exp,true,dll,dll.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.8.0-dev+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.8.0-dev+exp,true,dll,dll.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.8.0-dev+exp,true,dll,dll.pe.imports,flattened,extended,array,,List of imported element names and types. -8.8.0-dev+exp,true,dll,dll.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev+exp,true,dll,dll.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev+exp,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.8.0-dev+exp,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.8.0-dev+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.8.0-dev+exp,true,dll,dll.pe.sections,nested,extended,array,,Section information of the PE file. -8.8.0-dev+exp,true,dll,dll.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.8.0-dev+exp,true,dll,dll.pe.sections.name,keyword,extended,,,PE Section List name. -8.8.0-dev+exp,true,dll,dll.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.8.0-dev+exp,true,dll,dll.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.8.0-dev+exp,true,dll,dll.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.8.0-dev+exp,true,dns,dns.answers,object,extended,array,,Array of DNS answers. 
-8.8.0-dev+exp,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. -8.8.0-dev+exp,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. -8.8.0-dev+exp,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. -8.8.0-dev+exp,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. -8.8.0-dev+exp,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. -8.8.0-dev+exp,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. -8.8.0-dev+exp,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. -8.8.0-dev+exp,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. -8.8.0-dev+exp,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. -8.8.0-dev+exp,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. -8.8.0-dev+exp,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." -8.8.0-dev+exp,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. -8.8.0-dev+exp,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.8.0-dev+exp,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. -8.8.0-dev+exp,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data -8.8.0-dev+exp,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. 
-8.8.0-dev+exp,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." -8.8.0-dev+exp,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. -8.8.0-dev+exp,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. -8.8.0-dev+exp,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. -8.8.0-dev+exp,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. -8.8.0-dev+exp,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.8.0-dev+exp,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.8.0-dev+exp,true,email,email.attachments.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.8.0-dev+exp,true,email,email.attachments.file.hash.sha512,keyword,extended,,,SHA512 hash. -8.8.0-dev+exp,true,email,email.attachments.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.8.0-dev+exp,true,email,email.attachments.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.8.0-dev+exp,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file. -8.8.0-dev+exp,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file. -8.8.0-dev+exp,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size. -8.8.0-dev+exp,true,email,email.bcc.address,keyword,extended,array,bcc.user1@example.com,Email address of BCC recipient -8.8.0-dev+exp,true,email,email.cc.address,keyword,extended,array,cc.user1@example.com,Email address of CC recipient -8.8.0-dev+exp,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message. -8.8.0-dev+exp,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered. -8.8.0-dev+exp,true,email,email.direction,keyword,extended,,inbound,Direction of the message. 
-8.8.0-dev+exp,true,email,email.from.address,keyword,extended,array,sender@example.com,The sender's email address. -8.8.0-dev+exp,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source. -8.8.0-dev+exp,true,email,email.message_id,wildcard,extended,,81ce15$8r2j59@mail01.example.com,Value from the Message-ID header. -8.8.0-dev+exp,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed. -8.8.0-dev+exp,true,email,email.reply_to.address,keyword,extended,array,reply.here@example.com,Address replies should be delivered to. -8.8.0-dev+exp,true,email,email.sender.address,keyword,extended,,,Address of the message sender. -8.8.0-dev+exp,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message. -8.8.0-dev+exp,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. -8.8.0-dev+exp,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient -8.8.0-dev+exp,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. -8.8.0-dev+exp,true,error,error.code,keyword,core,,,Error code describing the error. -8.8.0-dev+exp,true,error,error.id,keyword,core,,,Unique identifier for the error. -8.8.0-dev+exp,true,error,error.message,match_only_text,core,,,Error message. -8.8.0-dev+exp,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. -8.8.0-dev+exp,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text. -8.8.0-dev+exp,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." -8.8.0-dev+exp,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. 
-8.8.0-dev+exp,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. -8.8.0-dev+exp,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. -8.8.0-dev+exp,true,event,event.code,keyword,extended,,4648,Identification code for this event. -8.8.0-dev+exp,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. -8.8.0-dev+exp,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. -8.8.0-dev+exp,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. -8.8.0-dev+exp,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. -8.8.0-dev+exp,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. -8.8.0-dev+exp,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. -8.8.0-dev+exp,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. -8.8.0-dev+exp,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. -8.8.0-dev+exp,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. -8.8.0-dev+exp,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. -8.8.0-dev+exp,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. -8.8.0-dev+exp,true,event,event.provider,keyword,extended,,kernel,Source of the event. 
-8.8.0-dev+exp,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" -8.8.0-dev+exp,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL -8.8.0-dev+exp,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. -8.8.0-dev+exp,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). -8.8.0-dev+exp,true,event,event.sequence,long,extended,,,Sequence number of the event. -8.8.0-dev+exp,true,event,event.severity,long,core,,7,Numeric severity of the event. -8.8.0-dev+exp,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. -8.8.0-dev+exp,true,event,event.timezone,keyword,extended,,,Event time zone. -8.8.0-dev+exp,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. -8.8.0-dev+exp,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL -8.8.0-dev+exp,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function. -8.8.0-dev+exp,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. -8.8.0-dev+exp,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. -8.8.0-dev+exp,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. -8.8.0-dev+exp,true,faas,faas.trigger,nested,extended,,,Details about the function trigger. -8.8.0-dev+exp,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." 
-8.8.0-dev+exp,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. -8.8.0-dev+exp,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. -8.8.0-dev+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed. -8.8.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.8.0-dev+exp,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.8.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.8.0-dev+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.8.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.8.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.8.0-dev+exp,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.8.0-dev+exp,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.8.0-dev+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.8.0-dev+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.8.0-dev+exp,true,file,file.created,date,extended,,,File creation time. -8.8.0-dev+exp,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.8.0-dev+exp,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. -8.8.0-dev+exp,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. 
-8.8.0-dev+exp,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.8.0-dev+exp,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.8.0-dev+exp,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.8.0-dev+exp,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.8.0-dev+exp,true,file,file.elf.creation_date,date,extended,,,Build or compile date. -8.8.0-dev+exp,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.8.0-dev+exp,true,file,file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.8.0-dev+exp,true,file,file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.8.0-dev+exp,true,file,file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.8.0-dev+exp,true,file,file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.8.0-dev+exp,true,file,file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.8.0-dev+exp,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.8.0-dev+exp,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.8.0-dev+exp,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.8.0-dev+exp,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.8.0-dev+exp,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.8.0-dev+exp,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. 
-8.8.0-dev+exp,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.8.0-dev+exp,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.8.0-dev+exp,true,file,file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.8.0-dev+exp,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. -8.8.0-dev+exp,true,file,file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev+exp,true,file,file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev+exp,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. -8.8.0-dev+exp,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.8.0-dev+exp,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.8.0-dev+exp,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.8.0-dev+exp,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.8.0-dev+exp,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.8.0-dev+exp,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.8.0-dev+exp,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.8.0-dev+exp,true,file,file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.8.0-dev+exp,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.8.0-dev+exp,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.8.0-dev+exp,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. 
-8.8.0-dev+exp,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.8.0-dev+exp,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.8.0-dev+exp,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.8.0-dev+exp,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.8.0-dev+exp,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.8.0-dev+exp,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.8.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.8.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file. -8.8.0-dev+exp,true,file,file.hash.md5,keyword,extended,,,MD5 hash. -8.8.0-dev+exp,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. -8.8.0-dev+exp,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. -8.8.0-dev+exp,true,file,file.hash.sha384,keyword,extended,,,SHA384 hash. -8.8.0-dev+exp,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. -8.8.0-dev+exp,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.8.0-dev+exp,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. -8.8.0-dev+exp,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.8.0-dev+exp,true,file,file.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -8.8.0-dev+exp,true,file,file.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.8.0-dev+exp,true,file,file.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
-8.8.0-dev+exp,true,file,file.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.8.0-dev+exp,true,file,file.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.8.0-dev+exp,true,file,file.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -8.8.0-dev+exp,true,file,file.macho.imports,flattened,extended,array,,List of imported element names and types. -8.8.0-dev+exp,true,file,file.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev+exp,true,file,file.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev+exp,true,file,file.macho.sections,nested,extended,array,,Section information of the Mach-O file. -8.8.0-dev+exp,true,file,file.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.8.0-dev+exp,true,file,file.macho.sections.name,keyword,extended,,,Mach-O Section List name. -8.8.0-dev+exp,true,file,file.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -8.8.0-dev+exp,true,file,file.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.8.0-dev+exp,true,file,file.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -8.8.0-dev+exp,true,file,file.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -8.8.0-dev+exp,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.8.0-dev+exp,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. 
-8.8.0-dev+exp,true,file,file.mtime,date,extended,,,Last time the file content was modified. -8.8.0-dev+exp,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.8.0-dev+exp,true,file,file.owner,keyword,extended,,alice,File owner's username. -8.8.0-dev+exp,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.8.0-dev+exp,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.8.0-dev+exp,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.8.0-dev+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.8.0-dev+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.8.0-dev+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.8.0-dev+exp,true,file,file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.8.0-dev+exp,true,file,file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.8.0-dev+exp,true,file,file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.8.0-dev+exp,true,file,file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.8.0-dev+exp,true,file,file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.8.0-dev+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.8.0-dev+exp,true,file,file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. 
-8.8.0-dev+exp,true,file,file.pe.imports,flattened,extended,array,,List of imported element names and types. -8.8.0-dev+exp,true,file,file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev+exp,true,file,file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev+exp,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.8.0-dev+exp,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.8.0-dev+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.8.0-dev+exp,true,file,file.pe.sections,nested,extended,array,,Section information of the PE file. -8.8.0-dev+exp,true,file,file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.8.0-dev+exp,true,file,file.pe.sections.name,keyword,extended,,,PE Section List name. -8.8.0-dev+exp,true,file,file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.8.0-dev+exp,true,file,file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.8.0-dev+exp,true,file,file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.8.0-dev+exp,true,file,file.size,long,extended,,16384,File size in bytes. -8.8.0-dev+exp,true,file,file.target_path,keyword,extended,,,Target path for symlinks. -8.8.0-dev+exp,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.8.0-dev+exp,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." 
-8.8.0-dev+exp,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.8.0-dev+exp,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.8.0-dev+exp,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.8.0-dev+exp,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.8.0-dev+exp,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.8.0-dev+exp,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.8.0-dev+exp,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.8.0-dev+exp,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.8.0-dev+exp,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.8.0-dev+exp,true,file,file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.8.0-dev+exp,true,file,file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.8.0-dev+exp,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.8.0-dev+exp,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. 
-8.8.0-dev+exp,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.8.0-dev+exp,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.8.0-dev+exp,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.8.0-dev+exp,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.8.0-dev+exp,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.8.0-dev+exp,true,file,file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.8.0-dev+exp,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.8.0-dev+exp,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.8.0-dev+exp,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.8.0-dev+exp,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.8.0-dev+exp,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.8.0-dev+exp,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.8.0-dev+exp,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.8.0-dev+exp,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev+exp,true,group,group.name,keyword,extended,,,Name of the group. 
-8.8.0-dev+exp,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. -8.8.0-dev+exp,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id -8.8.0-dev+exp,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -8.8.0-dev+exp,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -8.8.0-dev+exp,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -8.8.0-dev+exp,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. -8.8.0-dev+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name. -8.8.0-dev+exp,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. -8.8.0-dev+exp,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. -8.8.0-dev+exp,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.8.0-dev+exp,true,host,host.geo.country_name,keyword,core,,Canada,Country name. -8.8.0-dev+exp,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.8.0-dev+exp,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.8.0-dev+exp,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. -8.8.0-dev+exp,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.8.0-dev+exp,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. -8.8.0-dev+exp,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.8.0-dev+exp,true,host,host.hostname,keyword,core,,,Hostname of the host. -8.8.0-dev+exp,true,host,host.id,keyword,core,,,Unique host id. -8.8.0-dev+exp,true,host,host.ip,ip,core,array,,Host ip addresses. 
-8.8.0-dev+exp,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. -8.8.0-dev+exp,true,host,host.name,keyword,core,,,Name of the host. -8.8.0-dev+exp,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. -8.8.0-dev+exp,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. -8.8.0-dev+exp,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -8.8.0-dev+exp,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. -8.8.0-dev+exp,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.8.0-dev+exp,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.8.0-dev+exp,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.8.0-dev+exp,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -8.8.0-dev+exp,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.8.0-dev+exp,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.8.0-dev+exp,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.8.0-dev+exp,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -8.8.0-dev+exp,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 
-8.8.0-dev+exp,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode -8.8.0-dev+exp,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.8.0-dev+exp,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.8.0-dev+exp,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.8.0-dev+exp,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.8.0-dev+exp,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.8.0-dev+exp,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -8.8.0-dev+exp,true,host,host.type,keyword,core,,,Type of host. -8.8.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. -8.8.0-dev+exp,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. -8.8.0-dev+exp,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. -8.8.0-dev+exp,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body. -8.8.0-dev+exp,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). -8.8.0-dev+exp,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. -8.8.0-dev+exp,true,http,http.request.method,keyword,extended,,POST,HTTP request method. 
-8.8.0-dev+exp,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. -8.8.0-dev+exp,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. -8.8.0-dev+exp,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. -8.8.0-dev+exp,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. -8.8.0-dev+exp,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body. -8.8.0-dev+exp,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). -8.8.0-dev+exp,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. -8.8.0-dev+exp,true,http,http.response.status_code,long,extended,,404,HTTP response status code. -8.8.0-dev+exp,true,http,http.version,keyword,extended,,1.1,HTTP version. -8.8.0-dev+exp,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. -8.8.0-dev+exp,true,log,log.level,keyword,core,,error,Log level of the log event. -8.8.0-dev+exp,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. -8.8.0-dev+exp,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event. -8.8.0-dev+exp,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. -8.8.0-dev+exp,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. -8.8.0-dev+exp,true,log,log.syslog,object,extended,,,Syslog metadata -8.8.0-dev+exp,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. -8.8.0-dev+exp,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. 
-8.8.0-dev+exp,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. -8.8.0-dev+exp,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. -8.8.0-dev+exp,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. -8.8.0-dev+exp,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. -8.8.0-dev+exp,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. -8.8.0-dev+exp,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. -8.8.0-dev+exp,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. -8.8.0-dev+exp,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages. -8.8.0-dev+exp,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. -8.8.0-dev+exp,true,network,network.application,keyword,extended,,aim,Application level protocol name. -8.8.0-dev+exp,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. -8.8.0-dev+exp,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. -8.8.0-dev+exp,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. -8.8.0-dev+exp,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. -8.8.0-dev+exp,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. -8.8.0-dev+exp,true,network,network.inner,object,extended,,,Inner VLAN tag information -8.8.0-dev+exp,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.8.0-dev+exp,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. 
-8.8.0-dev+exp,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. -8.8.0-dev+exp,true,network,network.packets,long,core,,24,Total packets transferred in both directions. -8.8.0-dev+exp,true,network,network.protocol,keyword,core,,http,Application protocol name. -8.8.0-dev+exp,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. -8.8.0-dev+exp,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" -8.8.0-dev+exp,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.8.0-dev+exp,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.8.0-dev+exp,true,observer,observer.egress,object,extended,,,Object field for egress information -8.8.0-dev+exp,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias -8.8.0-dev+exp,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID -8.8.0-dev+exp,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name -8.8.0-dev+exp,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.8.0-dev+exp,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.8.0-dev+exp,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone -8.8.0-dev+exp,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. -8.8.0-dev+exp,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. -8.8.0-dev+exp,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. -8.8.0-dev+exp,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. 
-8.8.0-dev+exp,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. -8.8.0-dev+exp,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.8.0-dev+exp,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.8.0-dev+exp,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. -8.8.0-dev+exp,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.8.0-dev+exp,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. -8.8.0-dev+exp,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.8.0-dev+exp,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. -8.8.0-dev+exp,true,observer,observer.ingress,object,extended,,,Object field for ingress information -8.8.0-dev+exp,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias -8.8.0-dev+exp,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID -8.8.0-dev+exp,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name -8.8.0-dev+exp,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.8.0-dev+exp,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.8.0-dev+exp,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone -8.8.0-dev+exp,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. -8.8.0-dev+exp,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. -8.8.0-dev+exp,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. -8.8.0-dev+exp,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 
-8.8.0-dev+exp,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.8.0-dev+exp,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.8.0-dev+exp,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -8.8.0-dev+exp,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.8.0-dev+exp,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.8.0-dev+exp,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.8.0-dev+exp,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -8.8.0-dev+exp,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.8.0-dev+exp,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. -8.8.0-dev+exp,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. -8.8.0-dev+exp,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. -8.8.0-dev+exp,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. -8.8.0-dev+exp,true,observer,observer.version,keyword,core,,,Observer version. -8.8.0-dev+exp,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action -8.8.0-dev+exp,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster. -8.8.0-dev+exp,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster. 
-8.8.0-dev+exp,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster. -8.8.0-dev+exp,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. -8.8.0-dev+exp,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. -8.8.0-dev+exp,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). -8.8.0-dev+exp,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. -8.8.0-dev+exp,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. -8.8.0-dev+exp,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. -8.8.0-dev+exp,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. -8.8.0-dev+exp,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. -8.8.0-dev+exp,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)." -8.8.0-dev+exp,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. -8.8.0-dev+exp,true,organization,organization.name,keyword,extended,,,Organization name. -8.8.0-dev+exp,true,organization,organization.name.text,match_only_text,extended,,,Organization name. -8.8.0-dev+exp,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. 
-8.8.0-dev+exp,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information -8.8.0-dev+exp,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. -8.8.0-dev+exp,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. -8.8.0-dev+exp,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." -8.8.0-dev+exp,true,package,package.installed,date,extended,,,Time when package was installed. -8.8.0-dev+exp,true,package,package.license,keyword,extended,,Apache License 2.0,Package license -8.8.0-dev+exp,true,package,package.name,keyword,extended,,go,Package name -8.8.0-dev+exp,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. -8.8.0-dev+exp,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL -8.8.0-dev+exp,true,package,package.size,long,extended,,62231,Package size in bytes. -8.8.0-dev+exp,true,package,package.type,keyword,extended,,rpm,Package type -8.8.0-dev+exp,true,package,package.version,keyword,extended,,1.12.9,Package version -8.8.0-dev+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.8.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array. -8.8.0-dev+exp,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.8.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.8.0-dev+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 
-8.8.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.8.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.8.0-dev+exp,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.8.0-dev+exp,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.8.0-dev+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.8.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.8.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.8.0-dev+exp,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.8.0-dev+exp,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.8.0-dev+exp,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.8.0-dev+exp,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.8.0-dev+exp,true,process,process.elf.creation_date,date,extended,,,Build or compile date. -8.8.0-dev+exp,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. -8.8.0-dev+exp,true,process,process.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.8.0-dev+exp,true,process,process.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. 
-8.8.0-dev+exp,true,process,process.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.8.0-dev+exp,true,process,process.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.8.0-dev+exp,true,process,process.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.8.0-dev+exp,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.8.0-dev+exp,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.8.0-dev+exp,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.8.0-dev+exp,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.8.0-dev+exp,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.8.0-dev+exp,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.8.0-dev+exp,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.8.0-dev+exp,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. -8.8.0-dev+exp,true,process,process.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.8.0-dev+exp,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. -8.8.0-dev+exp,true,process,process.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev+exp,true,process,process.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
-8.8.0-dev+exp,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. -8.8.0-dev+exp,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.8.0-dev+exp,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.8.0-dev+exp,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.8.0-dev+exp,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. -8.8.0-dev+exp,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.8.0-dev+exp,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.8.0-dev+exp,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. -8.8.0-dev+exp,true,process,process.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.8.0-dev+exp,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.8.0-dev+exp,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.8.0-dev+exp,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. -8.8.0-dev+exp,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.8.0-dev+exp,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. -8.8.0-dev+exp,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.8.0-dev+exp,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.8.0-dev+exp,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -8.8.0-dev+exp,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 
-8.8.0-dev+exp,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.8.0-dev+exp,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. -8.8.0-dev+exp,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group. -8.8.0-dev+exp,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev+exp,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,process,process.entry_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.8.0-dev+exp,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.8.0-dev+exp,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.8.0-dev+exp,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. -8.8.0-dev+exp,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. -8.8.0-dev+exp,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.8.0-dev+exp,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.8.0-dev+exp,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev+exp,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. 
-8.8.0-dev+exp,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.8.0-dev+exp,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. -8.8.0-dev+exp,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. -8.8.0-dev+exp,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.8.0-dev+exp,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. -8.8.0-dev+exp,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.8.0-dev+exp,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. -8.8.0-dev+exp,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.8.0-dev+exp,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.8.0-dev+exp,true,process,process.entry_leader.pid,long,core,,4242,Process id. -8.8.0-dev+exp,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev+exp,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. -8.8.0-dev+exp,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev+exp,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
-8.8.0-dev+exp,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -8.8.0-dev+exp,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev+exp,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. -8.8.0-dev+exp,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev+exp,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.8.0-dev+exp,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev+exp,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.8.0-dev+exp,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. -8.8.0-dev+exp,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.8.0-dev+exp,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.8.0-dev+exp,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev+exp,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
-8.8.0-dev+exp,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.8.0-dev+exp,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.8.0-dev+exp,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. -8.8.0-dev+exp,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.8.0-dev+exp,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.8.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process. -8.8.0-dev+exp,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.8.0-dev+exp,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. -8.8.0-dev+exp,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.8.0-dev+exp,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.8.0-dev+exp,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.8.0-dev+exp,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.8.0-dev+exp,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.8.0-dev+exp,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-8.8.0-dev+exp,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. -8.8.0-dev+exp,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.8.0-dev+exp,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. -8.8.0-dev+exp,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. -8.8.0-dev+exp,true,process,process.group_leader.pid,long,core,,4242,Process id. -8.8.0-dev+exp,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev+exp,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. -8.8.0-dev+exp,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev+exp,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -8.8.0-dev+exp,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev+exp,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. -8.8.0-dev+exp,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev+exp,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. 
-8.8.0-dev+exp,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.8.0-dev+exp,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev+exp,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.8.0-dev+exp,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. -8.8.0-dev+exp,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.8.0-dev+exp,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.8.0-dev+exp,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev+exp,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.8.0-dev+exp,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.8.0-dev+exp,true,process,process.hash.md5,keyword,extended,,,MD5 hash. -8.8.0-dev+exp,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. -8.8.0-dev+exp,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. -8.8.0-dev+exp,true,process,process.hash.sha384,keyword,extended,,,SHA384 hash. -8.8.0-dev+exp,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. 
-8.8.0-dev+exp,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.8.0-dev+exp,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. -8.8.0-dev+exp,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.8.0-dev+exp,true,process,process.io,object,extended,,,A chunk of input or output (IO) from a single process. -8.8.0-dev+exp,true,process,process.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. -8.8.0-dev+exp,true,process,process.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. -8.8.0-dev+exp,true,process,process.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. -8.8.0-dev+exp,true,process,process.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." -8.8.0-dev+exp,true,process,process.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. -8.8.0-dev+exp,true,process,process.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. -8.8.0-dev+exp,true,process,process.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. -8.8.0-dev+exp,true,process,process.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. -8.8.0-dev+exp,true,process,process.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -8.8.0-dev+exp,true,process,process.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. 
-8.8.0-dev+exp,true,process,process.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.8.0-dev+exp,true,process,process.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.8.0-dev+exp,true,process,process.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.8.0-dev+exp,true,process,process.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -8.8.0-dev+exp,true,process,process.macho.imports,flattened,extended,array,,List of imported element names and types. -8.8.0-dev+exp,true,process,process.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev+exp,true,process,process.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev+exp,true,process,process.macho.sections,nested,extended,array,,Section information of the Mach-O file. -8.8.0-dev+exp,true,process,process.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.8.0-dev+exp,true,process,process.macho.sections.name,keyword,extended,,,Mach-O Section List name. -8.8.0-dev+exp,true,process,process.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -8.8.0-dev+exp,true,process,process.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.8.0-dev+exp,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -8.8.0-dev+exp,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -8.8.0-dev+exp,true,process,process.name,keyword,extended,,ssh,Process name. 
-8.8.0-dev+exp,true,process,process.name.text,match_only_text,extended,,ssh,Process name. -8.8.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.8.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. -8.8.0-dev+exp,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.8.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.8.0-dev+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.8.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.8.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.8.0-dev+exp,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.8.0-dev+exp,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.8.0-dev+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.8.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.8.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.8.0-dev+exp,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
-8.8.0-dev+exp,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.8.0-dev+exp,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.8.0-dev+exp,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.8.0-dev+exp,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. -8.8.0-dev+exp,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. -8.8.0-dev+exp,true,process,process.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.8.0-dev+exp,true,process,process.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.8.0-dev+exp,true,process,process.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.8.0-dev+exp,true,process,process.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.8.0-dev+exp,true,process,process.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.8.0-dev+exp,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.8.0-dev+exp,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.8.0-dev+exp,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.8.0-dev+exp,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.8.0-dev+exp,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." 
-8.8.0-dev+exp,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.8.0-dev+exp,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.8.0-dev+exp,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. -8.8.0-dev+exp,true,process,process.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.8.0-dev+exp,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. -8.8.0-dev+exp,true,process,process.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev+exp,true,process,process.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev+exp,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. -8.8.0-dev+exp,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.8.0-dev+exp,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.8.0-dev+exp,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.8.0-dev+exp,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. -8.8.0-dev+exp,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.8.0-dev+exp,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.8.0-dev+exp,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. 
-8.8.0-dev+exp,true,process,process.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.8.0-dev+exp,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.8.0-dev+exp,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.8.0-dev+exp,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. -8.8.0-dev+exp,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.8.0-dev+exp,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. -8.8.0-dev+exp,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.8.0-dev+exp,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.8.0-dev+exp,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -8.8.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.8.0-dev+exp,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.8.0-dev+exp,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.8.0-dev+exp,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. -8.8.0-dev+exp,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev+exp,true,process,process.parent.group.name,keyword,extended,,,Name of the group. -8.8.0-dev+exp,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.8.0-dev+exp,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. 
-8.8.0-dev+exp,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.8.0-dev+exp,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. -8.8.0-dev+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. -8.8.0-dev+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. -8.8.0-dev+exp,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash. -8.8.0-dev+exp,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. -8.8.0-dev+exp,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.8.0-dev+exp,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. -8.8.0-dev+exp,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.8.0-dev+exp,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -8.8.0-dev+exp,true,process,process.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.8.0-dev+exp,true,process,process.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.8.0-dev+exp,true,process,process.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.8.0-dev+exp,true,process,process.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.8.0-dev+exp,true,process,process.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -8.8.0-dev+exp,true,process,process.parent.macho.imports,flattened,extended,array,,List of imported element names and types. 
-8.8.0-dev+exp,true,process,process.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev+exp,true,process,process.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev+exp,true,process,process.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file. -8.8.0-dev+exp,true,process,process.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.8.0-dev+exp,true,process,process.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name. -8.8.0-dev+exp,true,process,process.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -8.8.0-dev+exp,true,process,process.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.8.0-dev+exp,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -8.8.0-dev+exp,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -8.8.0-dev+exp,true,process,process.parent.name,keyword,extended,,ssh,Process name. -8.8.0-dev+exp,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. -8.8.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.8.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.8.0-dev+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.8.0-dev+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 
-8.8.0-dev+exp,true,process,process.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.8.0-dev+exp,true,process,process.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.8.0-dev+exp,true,process,process.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.8.0-dev+exp,true,process,process.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.8.0-dev+exp,true,process,process.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.8.0-dev+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.8.0-dev+exp,true,process,process.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.8.0-dev+exp,true,process,process.parent.pe.imports,flattened,extended,array,,List of imported element names and types. -8.8.0-dev+exp,true,process,process.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev+exp,true,process,process.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev+exp,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.8.0-dev+exp,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.8.0-dev+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 
-8.8.0-dev+exp,true,process,process.parent.pe.sections,nested,extended,array,,Section information of the PE file. -8.8.0-dev+exp,true,process,process.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.8.0-dev+exp,true,process,process.parent.pe.sections.name,keyword,extended,,,PE Section List name. -8.8.0-dev+exp,true,process,process.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.8.0-dev+exp,true,process,process.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.8.0-dev+exp,true,process,process.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.8.0-dev+exp,true,process,process.parent.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. -8.8.0-dev+exp,true,process,process.parent.pid,long,core,,4242,Process id. -8.8.0-dev+exp,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev+exp,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. -8.8.0-dev+exp,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev+exp,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev+exp,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group. -8.8.0-dev+exp,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
-8.8.0-dev+exp,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.8.0-dev+exp,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev+exp,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. -8.8.0-dev+exp,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. -8.8.0-dev+exp,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. -8.8.0-dev+exp,true,process,process.parent.title,keyword,extended,,,Process title. -8.8.0-dev+exp,true,process,process.parent.title.text,match_only_text,extended,,,Process title. -8.8.0-dev+exp,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. -8.8.0-dev+exp,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.8.0-dev+exp,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.8.0-dev+exp,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. -8.8.0-dev+exp,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev+exp,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. 
-8.8.0-dev+exp,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.8.0-dev+exp,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.8.0-dev+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.8.0-dev+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.8.0-dev+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.8.0-dev+exp,true,process,process.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.8.0-dev+exp,true,process,process.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.8.0-dev+exp,true,process,process.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.8.0-dev+exp,true,process,process.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.8.0-dev+exp,true,process,process.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.8.0-dev+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.8.0-dev+exp,true,process,process.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.8.0-dev+exp,true,process,process.pe.imports,flattened,extended,array,,List of imported element names and types. -8.8.0-dev+exp,true,process,process.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
-8.8.0-dev+exp,true,process,process.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev+exp,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.8.0-dev+exp,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.8.0-dev+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.8.0-dev+exp,true,process,process.pe.sections,nested,extended,array,,Section information of the PE file. -8.8.0-dev+exp,true,process,process.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.8.0-dev+exp,true,process,process.pe.sections.name,keyword,extended,,,PE Section List name. -8.8.0-dev+exp,true,process,process.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.8.0-dev+exp,true,process,process.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.8.0-dev+exp,true,process,process.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.8.0-dev+exp,true,process,process.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. -8.8.0-dev+exp,true,process,process.pid,long,core,,4242,Process id. -8.8.0-dev+exp,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.8.0-dev+exp,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. -8.8.0-dev+exp,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 
-8.8.0-dev+exp,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.8.0-dev+exp,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev+exp,true,process,process.real_group.name,keyword,extended,,,Name of the group. -8.8.0-dev+exp,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev+exp,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev+exp,true,process,process.saved_group.name,keyword,extended,,,Name of the group. -8.8.0-dev+exp,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev+exp,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.8.0-dev+exp,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array. -8.8.0-dev+exp,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.8.0-dev+exp,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
-8.8.0-dev+exp,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.8.0-dev+exp,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.8.0-dev+exp,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.8.0-dev+exp,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev+exp,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. -8.8.0-dev+exp,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.8.0-dev+exp,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. -8.8.0-dev+exp,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. -8.8.0-dev+exp,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.8.0-dev+exp,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. -8.8.0-dev+exp,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.8.0-dev+exp,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. -8.8.0-dev+exp,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.8.0-dev+exp,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.8.0-dev+exp,true,process,process.session_leader.pid,long,core,,4242,Process id. -8.8.0-dev+exp,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-8.8.0-dev+exp,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. -8.8.0-dev+exp,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev+exp,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -8.8.0-dev+exp,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev+exp,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group. -8.8.0-dev+exp,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev+exp,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.8.0-dev+exp,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev+exp,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.8.0-dev+exp,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. 
-8.8.0-dev+exp,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.8.0-dev+exp,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.8.0-dev+exp,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev+exp,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.8.0-dev+exp,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.8.0-dev+exp,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.8.0-dev+exp,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev+exp,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. -8.8.0-dev+exp,true,process,process.thread.id,long,extended,,4242,Thread ID. -8.8.0-dev+exp,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. -8.8.0-dev+exp,true,process,process.title,keyword,extended,,,Process title. -8.8.0-dev+exp,true,process,process.title.text,match_only_text,extended,,,Process title. -8.8.0-dev+exp,true,process,process.tty,object,extended,,,Information about the controlling TTY device. -8.8.0-dev+exp,true,process,process.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.8.0-dev+exp,true,process,process.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. 
-8.8.0-dev+exp,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width -8.8.0-dev+exp,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height -8.8.0-dev+exp,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. -8.8.0-dev+exp,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev+exp,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.8.0-dev+exp,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.8.0-dev+exp,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.8.0-dev+exp,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -8.8.0-dev+exp,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.8.0-dev+exp,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.8.0-dev+exp,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -8.8.0-dev+exp,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.8.0-dev+exp,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. 
-8.8.0-dev+exp,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. -8.8.0-dev+exp,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. -8.8.0-dev+exp,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. -8.8.0-dev+exp,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. -8.8.0-dev+exp,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author -8.8.0-dev+exp,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category -8.8.0-dev+exp,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description -8.8.0-dev+exp,true,rule,rule.id,keyword,extended,,101,Rule ID -8.8.0-dev+exp,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license -8.8.0-dev+exp,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name -8.8.0-dev+exp,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL -8.8.0-dev+exp,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset -8.8.0-dev+exp,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID -8.8.0-dev+exp,true,rule,rule.version,keyword,extended,,1.1,Rule version -8.8.0-dev+exp,true,server,server.address,keyword,extended,,,Server network address. -8.8.0-dev+exp,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.8.0-dev+exp,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.8.0-dev+exp,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.8.0-dev+exp,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. -8.8.0-dev+exp,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server. 
-8.8.0-dev+exp,true,server,server.geo.city_name,keyword,core,,Montreal,City name. -8.8.0-dev+exp,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. -8.8.0-dev+exp,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. -8.8.0-dev+exp,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.8.0-dev+exp,true,server,server.geo.country_name,keyword,core,,Canada,Country name. -8.8.0-dev+exp,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.8.0-dev+exp,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.8.0-dev+exp,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. -8.8.0-dev+exp,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.8.0-dev+exp,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. -8.8.0-dev+exp,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.8.0-dev+exp,true,server,server.ip,ip,core,,,IP address of the server. -8.8.0-dev+exp,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. -8.8.0-dev+exp,true,server,server.nat.ip,ip,extended,,,Server NAT ip -8.8.0-dev+exp,true,server,server.nat.port,long,extended,,,Server NAT port -8.8.0-dev+exp,true,server,server.packets,long,core,,12,Packets sent from the server to the client. -8.8.0-dev+exp,true,server,server.port,long,core,,,Port of the server. -8.8.0-dev+exp,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." -8.8.0-dev+exp,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. -8.8.0-dev+exp,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 
-8.8.0-dev+exp,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.8.0-dev+exp,true,server,server.user.email,keyword,extended,,,User email address. -8.8.0-dev+exp,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.8.0-dev+exp,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.8.0-dev+exp,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.8.0-dev+exp,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev+exp,true,server,server.user.group.name,keyword,extended,,,Name of the group. -8.8.0-dev+exp,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.8.0-dev+exp,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev+exp,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.8.0-dev+exp,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.8.0-dev+exp,true,service,service.environment,keyword,extended,,production,Environment of the service. -8.8.0-dev+exp,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.8.0-dev+exp,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.8.0-dev+exp,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. 
-8.8.0-dev+exp,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.8.0-dev+exp,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.8.0-dev+exp,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -8.8.0-dev+exp,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.8.0-dev+exp,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. -8.8.0-dev+exp,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.8.0-dev+exp,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.8.0-dev+exp,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. -8.8.0-dev+exp,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.8.0-dev+exp,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.8.0-dev+exp,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -8.8.0-dev+exp,true,service,service.origin.state,keyword,core,,,Current state of the service. -8.8.0-dev+exp,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. -8.8.0-dev+exp,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. -8.8.0-dev+exp,true,service,service.state,keyword,core,,,Current state of the service. -8.8.0-dev+exp,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.8.0-dev+exp,true,service,service.target.environment,keyword,extended,,production,Environment of the service. 
-8.8.0-dev+exp,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.8.0-dev+exp,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.8.0-dev+exp,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. -8.8.0-dev+exp,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.8.0-dev+exp,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.8.0-dev+exp,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -8.8.0-dev+exp,true,service,service.target.state,keyword,core,,,Current state of the service. -8.8.0-dev+exp,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. -8.8.0-dev+exp,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. -8.8.0-dev+exp,true,service,service.type,keyword,core,,elasticsearch,The type of the service. -8.8.0-dev+exp,true,service,service.version,keyword,core,,3.2.4,Version of the service. -8.8.0-dev+exp,true,source,source.address,keyword,extended,,,Source network address. -8.8.0-dev+exp,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.8.0-dev+exp,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.8.0-dev+exp,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.8.0-dev+exp,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. -8.8.0-dev+exp,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source. -8.8.0-dev+exp,true,source,source.geo.city_name,keyword,core,,Montreal,City name. 
-8.8.0-dev+exp,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. -8.8.0-dev+exp,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. -8.8.0-dev+exp,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.8.0-dev+exp,true,source,source.geo.country_name,keyword,core,,Canada,Country name. -8.8.0-dev+exp,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.8.0-dev+exp,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.8.0-dev+exp,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. -8.8.0-dev+exp,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.8.0-dev+exp,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. -8.8.0-dev+exp,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.8.0-dev+exp,true,source,source.ip,ip,core,,,IP address of the source. -8.8.0-dev+exp,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. -8.8.0-dev+exp,true,source,source.nat.ip,ip,extended,,,Source NAT ip -8.8.0-dev+exp,true,source,source.nat.port,long,extended,,,Source NAT port -8.8.0-dev+exp,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. -8.8.0-dev+exp,true,source,source.port,long,core,,,Port of the source. -8.8.0-dev+exp,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -8.8.0-dev+exp,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. -8.8.0-dev+exp,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.8.0-dev+exp,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. 
-8.8.0-dev+exp,true,source,source.user.email,keyword,extended,,,User email address. -8.8.0-dev+exp,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.8.0-dev+exp,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.8.0-dev+exp,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.8.0-dev+exp,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev+exp,true,source,source.user.group.name,keyword,extended,,,Name of the group. -8.8.0-dev+exp,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.8.0-dev+exp,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev+exp,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.8.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. -8.8.0-dev+exp,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. 
-8.8.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 
-8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. 
-8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. 
-8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. 
-8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. 
-8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. 
-8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 
-8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
-8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.8.0-dev+exp,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. 
-8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. 
-8.8.0-dev+exp,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. 
-8.8.0-dev+exp,true,threat,threat.enrichments.indicator.name,keyword,extended,,5.2.75.227,Indicator display name -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. 
-8.8.0-dev+exp,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. 
-8.8.0-dev+exp,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-8.8.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.8.0-dev+exp,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
-8.8.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.8.0-dev+exp,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. 
-8.8.0-dev+exp,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value -8.8.0-dev+exp,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field -8.8.0-dev+exp,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier -8.8.0-dev+exp,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index -8.8.0-dev+exp,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05T17:00:58.326Z,Date of match -8.8.0-dev+exp,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match -8.8.0-dev+exp,true,threat,threat.feed.dashboard_id,keyword,extended,,5ba16340-72e6-11eb-a3e3-b3cc7c78a70f,Feed dashboard ID. -8.8.0-dev+exp,true,threat,threat.feed.description,keyword,extended,,Threat feed from the AlienVault Open Threat eXchange network.,Description of the threat feed. -8.8.0-dev+exp,true,threat,threat.feed.name,keyword,extended,,AlienVault OTX,Name of the threat feed. -8.8.0-dev+exp,true,threat,threat.feed.reference,keyword,extended,,https://otx.alienvault.com,Reference for the threat feed. -8.8.0-dev+exp,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. -8.8.0-dev+exp,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. -8.8.0-dev+exp,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. -8.8.0-dev+exp,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. -8.8.0-dev+exp,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. -8.8.0-dev+exp,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. 
-8.8.0-dev+exp,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.8.0-dev+exp,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.8.0-dev+exp,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating -8.8.0-dev+exp,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -8.8.0-dev+exp,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address -8.8.0-dev+exp,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. -8.8.0-dev+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.8.0-dev+exp,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.8.0-dev+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.8.0-dev+exp,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.8.0-dev+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.8.0-dev+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.8.0-dev+exp,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.8.0-dev+exp,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 
-8.8.0-dev+exp,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.8.0-dev+exp,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.8.0-dev+exp,true,threat,threat.indicator.file.created,date,extended,,,File creation time. -8.8.0-dev+exp,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.8.0-dev+exp,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. -8.8.0-dev+exp,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.8.0-dev+exp,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.8.0-dev+exp,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.8.0-dev+exp,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.8.0-dev+exp,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.8.0-dev+exp,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. -8.8.0-dev+exp,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.8.0-dev+exp,true,threat,threat.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.8.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.8.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
-8.8.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.8.0-dev+exp,true,threat,threat.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.8.0-dev+exp,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.8.0-dev+exp,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.8.0-dev+exp,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.8.0-dev+exp,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.8.0-dev+exp,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.8.0-dev+exp,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.8.0-dev+exp,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.8.0-dev+exp,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.8.0-dev+exp,true,threat,threat.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.8.0-dev+exp,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. -8.8.0-dev+exp,true,threat,threat.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev+exp,true,threat,threat.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
-8.8.0-dev+exp,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. -8.8.0-dev+exp,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.8.0-dev+exp,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.8.0-dev+exp,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.8.0-dev+exp,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.8.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.8.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.8.0-dev+exp,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.8.0-dev+exp,true,threat,threat.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.8.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.8.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.8.0-dev+exp,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. -8.8.0-dev+exp,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.8.0-dev+exp,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.8.0-dev+exp,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.8.0-dev+exp,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. 
-8.8.0-dev+exp,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.8.0-dev+exp,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.8.0-dev+exp,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.8.0-dev+exp,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. -8.8.0-dev+exp,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. -8.8.0-dev+exp,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.8.0-dev+exp,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.8.0-dev+exp,true,threat,threat.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.8.0-dev+exp,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. -8.8.0-dev+exp,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.8.0-dev+exp,true,threat,threat.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.8.0-dev+exp,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.8.0-dev+exp,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.8.0-dev+exp,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. -8.8.0-dev+exp,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. -8.8.0-dev+exp,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.8.0-dev+exp,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. 
-8.8.0-dev+exp,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.8.0-dev+exp,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.8.0-dev+exp,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.8.0-dev+exp,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.8.0-dev+exp,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.8.0-dev+exp,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.8.0-dev+exp,true,threat,threat.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.8.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.8.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.8.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.8.0-dev+exp,true,threat,threat.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.8.0-dev+exp,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.8.0-dev+exp,true,threat,threat.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. 
-8.8.0-dev+exp,true,threat,threat.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. -8.8.0-dev+exp,true,threat,threat.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev+exp,true,threat,threat.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev+exp,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.8.0-dev+exp,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.8.0-dev+exp,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.8.0-dev+exp,true,threat,threat.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. -8.8.0-dev+exp,true,threat,threat.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.8.0-dev+exp,true,threat,threat.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. -8.8.0-dev+exp,true,threat,threat.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.8.0-dev+exp,true,threat,threat.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.8.0-dev+exp,true,threat,threat.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.8.0-dev+exp,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. -8.8.0-dev+exp,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. 
-8.8.0-dev+exp,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.8.0-dev+exp,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -8.8.0-dev+exp,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.8.0-dev+exp,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.8.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.8.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.8.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.8.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.8.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.8.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.8.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.8.0-dev+exp,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. 
-8.8.0-dev+exp,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.8.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.8.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.8.0-dev+exp,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.8.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.8.0-dev+exp,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.8.0-dev+exp,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.8.0-dev+exp,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.8.0-dev+exp,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.8.0-dev+exp,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.8.0-dev+exp,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.8.0-dev+exp,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. 
-8.8.0-dev+exp,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.8.0-dev+exp,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.8.0-dev+exp,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.8.0-dev+exp,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. -8.8.0-dev+exp,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. -8.8.0-dev+exp,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. -8.8.0-dev+exp,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. -8.8.0-dev+exp,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.8.0-dev+exp,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. -8.8.0-dev+exp,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.8.0-dev+exp,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.8.0-dev+exp,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. -8.8.0-dev+exp,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.8.0-dev+exp,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. -8.8.0-dev+exp,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.8.0-dev+exp,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address -8.8.0-dev+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. 
-8.8.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking -8.8.0-dev+exp,true,threat,threat.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version -8.8.0-dev+exp,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. -8.8.0-dev+exp,true,threat,threat.indicator.name,keyword,extended,,5.2.75.227,Indicator display name -8.8.0-dev+exp,true,threat,threat.indicator.port,long,extended,,443,Indicator port -8.8.0-dev+exp,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider -8.8.0-dev+exp,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL -8.8.0-dev+exp,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.8.0-dev+exp,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -8.8.0-dev+exp,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.8.0-dev+exp,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.8.0-dev+exp,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -8.8.0-dev+exp,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.8.0-dev+exp,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. 
-8.8.0-dev+exp,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics -8.8.0-dev+exp,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed -8.8.0-dev+exp,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator -8.8.0-dev+exp,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.8.0-dev+exp,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -8.8.0-dev+exp,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.8.0-dev+exp,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.8.0-dev+exp,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.8.0-dev+exp,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.8.0-dev+exp,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.8.0-dev+exp,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. -8.8.0-dev+exp,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.8.0-dev+exp,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." -8.8.0-dev+exp,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. -8.8.0-dev+exp,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." 
-8.8.0-dev+exp,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. -8.8.0-dev+exp,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.8.0-dev+exp,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.8.0-dev+exp,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. -8.8.0-dev+exp,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.8.0-dev+exp,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.8.0-dev+exp,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.8.0-dev+exp,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.8.0-dev+exp,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.8.0-dev+exp,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.8.0-dev+exp,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.8.0-dev+exp,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.8.0-dev+exp,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. 
-8.8.0-dev+exp,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.8.0-dev+exp,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.8.0-dev+exp,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.8.0-dev+exp,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.8.0-dev+exp,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.8.0-dev+exp,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.8.0-dev+exp,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.8.0-dev+exp,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.8.0-dev+exp,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.8.0-dev+exp,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.8.0-dev+exp,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.8.0-dev+exp,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.8.0-dev+exp,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. 
-8.8.0-dev+exp,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.8.0-dev+exp,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. -8.8.0-dev+exp,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software -8.8.0-dev+exp,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software -8.8.0-dev+exp,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. -8.8.0-dev+exp,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. -8.8.0-dev+exp,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. -8.8.0-dev+exp,true,threat,threat.software.type,keyword,extended,,Tool,Software type. -8.8.0-dev+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. -8.8.0-dev+exp,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. -8.8.0-dev+exp,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. -8.8.0-dev+exp,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. -8.8.0-dev+exp,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. -8.8.0-dev+exp,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name. -8.8.0-dev+exp,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. -8.8.0-dev+exp,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. -8.8.0-dev+exp,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. 
-8.8.0-dev+exp,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name. -8.8.0-dev+exp,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. -8.8.0-dev+exp,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. -8.8.0-dev+exp,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. -8.8.0-dev+exp,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. -8.8.0-dev+exp,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. -8.8.0-dev+exp,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. -8.8.0-dev+exp,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. -8.8.0-dev+exp,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. -8.8.0-dev+exp,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. -8.8.0-dev+exp,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. 
-8.8.0-dev+exp,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. -8.8.0-dev+exp,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. -8.8.0-dev+exp,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. -8.8.0-dev+exp,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. -8.8.0-dev+exp,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.8.0-dev+exp,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.8.0-dev+exp,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.8.0-dev+exp,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.8.0-dev+exp,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.8.0-dev+exp,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.8.0-dev+exp,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-8.8.0-dev+exp,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.8.0-dev+exp,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.8.0-dev+exp,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.8.0-dev+exp,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.8.0-dev+exp,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.8.0-dev+exp,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.8.0-dev+exp,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.8.0-dev+exp,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.8.0-dev+exp,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.8.0-dev+exp,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.8.0-dev+exp,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.8.0-dev+exp,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-8.8.0-dev+exp,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.8.0-dev+exp,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.8.0-dev+exp,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.8.0-dev+exp,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.8.0-dev+exp,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. -8.8.0-dev+exp,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." -8.8.0-dev+exp,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. -8.8.0-dev+exp,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. -8.8.0-dev+exp,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -8.8.0-dev+exp,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. -8.8.0-dev+exp,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. -8.8.0-dev+exp,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. -8.8.0-dev+exp,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. 
-8.8.0-dev+exp,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. -8.8.0-dev+exp,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. -8.8.0-dev+exp,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. -8.8.0-dev+exp,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. -8.8.0-dev+exp,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. -8.8.0-dev+exp,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. -8.8.0-dev+exp,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.8.0-dev+exp,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.8.0-dev+exp,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.8.0-dev+exp,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
-8.8.0-dev+exp,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.8.0-dev+exp,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.8.0-dev+exp,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.8.0-dev+exp,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.8.0-dev+exp,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.8.0-dev+exp,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.8.0-dev+exp,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.8.0-dev+exp,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.8.0-dev+exp,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.8.0-dev+exp,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.8.0-dev+exp,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.8.0-dev+exp,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.8.0-dev+exp,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
-8.8.0-dev+exp,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.8.0-dev+exp,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.8.0-dev+exp,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.8.0-dev+exp,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.8.0-dev+exp,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.8.0-dev+exp,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.8.0-dev+exp,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. -8.8.0-dev+exp,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. -8.8.0-dev+exp,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. -8.8.0-dev+exp,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. -8.8.0-dev+exp,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. -8.8.0-dev+exp,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.8.0-dev+exp,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -8.8.0-dev+exp,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.8.0-dev+exp,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. 
-8.8.0-dev+exp,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.8.0-dev+exp,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.8.0-dev+exp,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.8.0-dev+exp,true,url,url.password,keyword,extended,,,Password of the request. -8.8.0-dev+exp,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.8.0-dev+exp,true,url,url.port,long,extended,,443,"Port of the request, such as 443." -8.8.0-dev+exp,true,url,url.query,keyword,extended,,,Query string of the request. -8.8.0-dev+exp,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.8.0-dev+exp,true,url,url.scheme,keyword,extended,,https,Scheme of the url. -8.8.0-dev+exp,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.8.0-dev+exp,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.8.0-dev+exp,true,url,url.username,keyword,extended,,,Username of the request. -8.8.0-dev+exp,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. -8.8.0-dev+exp,true,user,user.changes.email,keyword,extended,,,User email address. -8.8.0-dev+exp,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.8.0-dev+exp,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.8.0-dev+exp,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-8.8.0-dev+exp,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev+exp,true,user,user.changes.group.name,keyword,extended,,,Name of the group. -8.8.0-dev+exp,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.8.0-dev+exp,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev+exp,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.8.0-dev+exp,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.8.0-dev+exp,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. -8.8.0-dev+exp,true,user,user.effective.email,keyword,extended,,,User email address. -8.8.0-dev+exp,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.8.0-dev+exp,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.8.0-dev+exp,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.8.0-dev+exp,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev+exp,true,user,user.effective.group.name,keyword,extended,,,Name of the group. -8.8.0-dev+exp,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
-8.8.0-dev+exp,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev+exp,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.8.0-dev+exp,true,user,user.email,keyword,extended,,,User email address. -8.8.0-dev+exp,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.8.0-dev+exp,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.8.0-dev+exp,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.8.0-dev+exp,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev+exp,true,user,user.group.name,keyword,extended,,,Name of the group. -8.8.0-dev+exp,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.8.0-dev+exp,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev+exp,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.8.0-dev+exp,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. 
-8.8.0-dev+exp,true,user,user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.8.0-dev+exp,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.8.0-dev+exp,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.8.0-dev+exp,true,user,user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -8.8.0-dev+exp,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.8.0-dev+exp,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. -8.8.0-dev+exp,true,user,user.target.email,keyword,extended,,,User email address. -8.8.0-dev+exp,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.8.0-dev+exp,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.8.0-dev+exp,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.8.0-dev+exp,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev+exp,true,user,user.target.group.name,keyword,extended,,,Name of the group. -8.8.0-dev+exp,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.8.0-dev+exp,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev+exp,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. 
-8.8.0-dev+exp,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev+exp,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.8.0-dev+exp,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. -8.8.0-dev+exp,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. -8.8.0-dev+exp,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -8.8.0-dev+exp,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -8.8.0-dev+exp,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.8.0-dev+exp,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.8.0-dev+exp,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.8.0-dev+exp,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -8.8.0-dev+exp,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.8.0-dev+exp,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.8.0-dev+exp,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." 
-8.8.0-dev+exp,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -8.8.0-dev+exp,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.8.0-dev+exp,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. -8.8.0-dev+exp,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. -8.8.0-dev+exp,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. -8.8.0-dev+exp,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -8.8.0-dev+exp,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -8.8.0-dev+exp,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. -8.8.0-dev+exp,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. -8.8.0-dev+exp,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. -8.8.0-dev+exp,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. -8.8.0-dev+exp,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. -8.8.0-dev+exp,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. -8.8.0-dev+exp,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. -8.8.0-dev+exp,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. 
-8.8.0-dev+exp,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. -8.8.0-dev+exp,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. +8.9.0-dev+exp,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. +8.9.0-dev+exp,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. +8.9.0-dev+exp,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer. +8.9.0-dev+exp,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. +8.9.0-dev+exp,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. +8.9.0-dev+exp,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. +8.9.0-dev+exp,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. +8.9.0-dev+exp,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. +8.9.0-dev+exp,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. +8.9.0-dev+exp,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. +8.9.0-dev+exp,true,cgroup,cgroup.cpu.periods,long,extended,,454839343,Number of period intervals that have elapsed. +8.9.0-dev+exp,true,cgroup,cgroup.cpu.throttled.us,long,extended,,15000,Microseconds of CPU throttled time. +8.9.0-dev+exp,true,cgroup,cgroup.cpu.usage,scaled_float,extended,,,"CPU usage, normalized by the CPU count." +8.9.0-dev+exp,true,cgroup,cgroup.memory.limit,long,extended,,256,Memory limit within the cgroup. +8.9.0-dev+exp,true,cgroup,cgroup.memory.swap.usage,long,extended,,5600,The amount of cgroup memory in swap. 
+8.9.0-dev+exp,true,cgroup,cgroup.memory.usage,long,extended,,25600,Memory usage in bytes +8.9.0-dev+exp,true,cgroup,cgroup.version,long,extended,,,The cgroup version linked to the metrics +8.9.0-dev+exp,true,client,client.address,keyword,extended,,,Client network address. +8.9.0-dev+exp,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.9.0-dev+exp,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.9.0-dev+exp,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.9.0-dev+exp,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. +8.9.0-dev+exp,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client. +8.9.0-dev+exp,true,client,client.geo.city_name,keyword,core,,Montreal,City name. +8.9.0-dev+exp,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. +8.9.0-dev+exp,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. +8.9.0-dev+exp,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.9.0-dev+exp,true,client,client.geo.country_name,keyword,core,,Canada,Country name. +8.9.0-dev+exp,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.9.0-dev+exp,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.9.0-dev+exp,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. +8.9.0-dev+exp,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.9.0-dev+exp,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. +8.9.0-dev+exp,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.9.0-dev+exp,true,client,client.ip,ip,core,,,IP address of the client. 
+8.9.0-dev+exp,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. +8.9.0-dev+exp,true,client,client.nat.ip,ip,extended,,,Client NAT ip address +8.9.0-dev+exp,true,client,client.nat.port,long,extended,,,Client NAT port +8.9.0-dev+exp,true,client,client.packets,long,core,,12,Packets sent from the client to the server. +8.9.0-dev+exp,true,client,client.port,long,core,,,Port of the client. +8.9.0-dev+exp,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." +8.9.0-dev+exp,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. +8.9.0-dev+exp,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.9.0-dev+exp,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.9.0-dev+exp,true,client,client.user.email,keyword,extended,,,User email address. +8.9.0-dev+exp,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.9.0-dev+exp,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.9.0-dev+exp,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.9.0-dev+exp,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev+exp,true,client,client.user.group.name,keyword,extended,,,Name of the group. +8.9.0-dev+exp,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.9.0-dev+exp,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev+exp,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. 
+8.9.0-dev+exp,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.9.0-dev+exp,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. +8.9.0-dev+exp,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. +8.9.0-dev+exp,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +8.9.0-dev+exp,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +8.9.0-dev+exp,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. +8.9.0-dev+exp,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +8.9.0-dev+exp,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. +8.9.0-dev+exp,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. +8.9.0-dev+exp,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +8.9.0-dev+exp,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +8.9.0-dev+exp,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine. +8.9.0-dev+exp,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +8.9.0-dev+exp,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id. +8.9.0-dev+exp,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name. +8.9.0-dev+exp,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider. 
+8.9.0-dev+exp,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +8.9.0-dev+exp,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name. +8.9.0-dev+exp,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. +8.9.0-dev+exp,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. +8.9.0-dev+exp,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. +8.9.0-dev+exp,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +8.9.0-dev+exp,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. +8.9.0-dev+exp,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id. +8.9.0-dev+exp,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name. +8.9.0-dev+exp,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +8.9.0-dev+exp,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +8.9.0-dev+exp,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine. +8.9.0-dev+exp,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +8.9.0-dev+exp,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id. +8.9.0-dev+exp,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name. +8.9.0-dev+exp,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider. +8.9.0-dev+exp,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." 
+8.9.0-dev+exp,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name. +8.9.0-dev+exp,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +8.9.0-dev+exp,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +8.9.0-dev+exp,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +8.9.0-dev+exp,true,container,container.id,keyword,core,,,Unique container id. +8.9.0-dev+exp,true,container,container.image.hash.all,keyword,extended,array,[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26],An array of digests of the image the container was built on. +8.9.0-dev+exp,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. +8.9.0-dev+exp,true,container,container.image.tag,keyword,extended,array,,Container image tags. +8.9.0-dev+exp,true,container,container.labels,object,extended,,,Image labels. +8.9.0-dev+exp,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1." +8.9.0-dev+exp,true,container,container.name,keyword,extended,,,Container name. +8.9.0-dev+exp,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +8.9.0-dev+exp,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +8.9.0-dev+exp,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. +8.9.0-dev+exp,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. +8.9.0-dev+exp,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. 
+8.9.0-dev+exp,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. +8.9.0-dev+exp,true,destination,destination.address,keyword,extended,,,Destination network address. +8.9.0-dev+exp,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.9.0-dev+exp,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.9.0-dev+exp,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.9.0-dev+exp,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. +8.9.0-dev+exp,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination. +8.9.0-dev+exp,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. +8.9.0-dev+exp,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. +8.9.0-dev+exp,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. +8.9.0-dev+exp,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.9.0-dev+exp,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. +8.9.0-dev+exp,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.9.0-dev+exp,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.9.0-dev+exp,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. +8.9.0-dev+exp,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.9.0-dev+exp,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. +8.9.0-dev+exp,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 
+8.9.0-dev+exp,true,destination,destination.ip,ip,core,,,IP address of the destination. +8.9.0-dev+exp,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. +8.9.0-dev+exp,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip +8.9.0-dev+exp,true,destination,destination.nat.port,long,extended,,,Destination NAT Port +8.9.0-dev+exp,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. +8.9.0-dev+exp,true,destination,destination.port,long,core,,,Port of the destination. +8.9.0-dev+exp,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." +8.9.0-dev+exp,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. +8.9.0-dev+exp,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.9.0-dev+exp,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.9.0-dev+exp,true,destination,destination.user.email,keyword,extended,,,User email address. +8.9.0-dev+exp,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.9.0-dev+exp,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.9.0-dev+exp,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.9.0-dev+exp,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev+exp,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. +8.9.0-dev+exp,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
+8.9.0-dev+exp,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev+exp,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.9.0-dev+exp,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. +8.9.0-dev+exp,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. +8.9.0-dev+exp,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. +8.9.0-dev+exp,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. +8.9.0-dev+exp,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.9.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.9.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.9.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.9.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.9.0-dev+exp,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.9.0-dev+exp,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 
+8.9.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.9.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.9.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. +8.9.0-dev+exp,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. +8.9.0-dev+exp,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. +8.9.0-dev+exp,true,dll,dll.hash.sha384,keyword,extended,,,SHA384 hash. +8.9.0-dev+exp,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. +8.9.0-dev+exp,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.9.0-dev+exp,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. +8.9.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. +8.9.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. +8.9.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.9.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.9.0-dev+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.9.0-dev+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.9.0-dev+exp,true,dll,dll.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +8.9.0-dev+exp,true,dll,dll.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.9.0-dev+exp,true,dll,dll.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.9.0-dev+exp,true,dll,dll.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 
+8.9.0-dev+exp,true,dll,dll.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.9.0-dev+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.9.0-dev+exp,true,dll,dll.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.9.0-dev+exp,true,dll,dll.pe.imports,flattened,extended,array,,List of imported element names and types. +8.9.0-dev+exp,true,dll,dll.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev+exp,true,dll,dll.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev+exp,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.9.0-dev+exp,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.9.0-dev+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.9.0-dev+exp,true,dll,dll.pe.sections,nested,extended,array,,Section information of the PE file. +8.9.0-dev+exp,true,dll,dll.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.9.0-dev+exp,true,dll,dll.pe.sections.name,keyword,extended,,,PE Section List name. +8.9.0-dev+exp,true,dll,dll.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.9.0-dev+exp,true,dll,dll.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.9.0-dev+exp,true,dll,dll.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.9.0-dev+exp,true,dns,dns.answers,object,extended,array,,Array of DNS answers. 
+8.9.0-dev+exp,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. +8.9.0-dev+exp,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. +8.9.0-dev+exp,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. +8.9.0-dev+exp,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. +8.9.0-dev+exp,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. +8.9.0-dev+exp,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. +8.9.0-dev+exp,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. +8.9.0-dev+exp,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. +8.9.0-dev+exp,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. +8.9.0-dev+exp,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. +8.9.0-dev+exp,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." +8.9.0-dev+exp,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. +8.9.0-dev+exp,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.9.0-dev+exp,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. +8.9.0-dev+exp,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data +8.9.0-dev+exp,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. 
+8.9.0-dev+exp,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." +8.9.0-dev+exp,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. +8.9.0-dev+exp,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. +8.9.0-dev+exp,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. +8.9.0-dev+exp,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. +8.9.0-dev+exp,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. +8.9.0-dev+exp,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. +8.9.0-dev+exp,true,email,email.attachments.file.hash.sha384,keyword,extended,,,SHA384 hash. +8.9.0-dev+exp,true,email,email.attachments.file.hash.sha512,keyword,extended,,,SHA512 hash. +8.9.0-dev+exp,true,email,email.attachments.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.9.0-dev+exp,true,email,email.attachments.file.hash.tlsh,keyword,extended,,,TLSH hash. +8.9.0-dev+exp,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file. +8.9.0-dev+exp,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file. +8.9.0-dev+exp,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size. +8.9.0-dev+exp,true,email,email.bcc.address,keyword,extended,array,bcc.user1@example.com,Email address of BCC recipient +8.9.0-dev+exp,true,email,email.cc.address,keyword,extended,array,cc.user1@example.com,Email address of CC recipient +8.9.0-dev+exp,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message. +8.9.0-dev+exp,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered. +8.9.0-dev+exp,true,email,email.direction,keyword,extended,,inbound,Direction of the message. 
+8.9.0-dev+exp,true,email,email.from.address,keyword,extended,array,sender@example.com,The sender's email address. +8.9.0-dev+exp,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source. +8.9.0-dev+exp,true,email,email.message_id,wildcard,extended,,81ce15$8r2j59@mail01.example.com,Value from the Message-ID header. +8.9.0-dev+exp,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed. +8.9.0-dev+exp,true,email,email.reply_to.address,keyword,extended,array,reply.here@example.com,Address replies should be delivered to. +8.9.0-dev+exp,true,email,email.sender.address,keyword,extended,,,Address of the message sender. +8.9.0-dev+exp,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message. +8.9.0-dev+exp,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. +8.9.0-dev+exp,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient +8.9.0-dev+exp,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. +8.9.0-dev+exp,true,error,error.code,keyword,core,,,Error code describing the error. +8.9.0-dev+exp,true,error,error.id,keyword,core,,,Unique identifier for the error. +8.9.0-dev+exp,true,error,error.message,match_only_text,core,,,Error message. +8.9.0-dev+exp,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. +8.9.0-dev+exp,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text. +8.9.0-dev+exp,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." +8.9.0-dev+exp,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. 
+8.9.0-dev+exp,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. +8.9.0-dev+exp,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. +8.9.0-dev+exp,true,event,event.code,keyword,extended,,4648,Identification code for this event. +8.9.0-dev+exp,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. +8.9.0-dev+exp,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. +8.9.0-dev+exp,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. +8.9.0-dev+exp,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. +8.9.0-dev+exp,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +8.9.0-dev+exp,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. +8.9.0-dev+exp,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. +8.9.0-dev+exp,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. +8.9.0-dev+exp,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. +8.9.0-dev+exp,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +8.9.0-dev+exp,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. +8.9.0-dev+exp,true,event,event.provider,keyword,extended,,kernel,Source of the event. 
+8.9.0-dev+exp,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" +8.9.0-dev+exp,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL +8.9.0-dev+exp,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +8.9.0-dev+exp,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). +8.9.0-dev+exp,true,event,event.sequence,long,extended,,,Sequence number of the event. +8.9.0-dev+exp,true,event,event.severity,long,core,,7,Numeric severity of the event. +8.9.0-dev+exp,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. +8.9.0-dev+exp,true,event,event.timezone,keyword,extended,,,Event time zone. +8.9.0-dev+exp,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. +8.9.0-dev+exp,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL +8.9.0-dev+exp,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function. +8.9.0-dev+exp,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. +8.9.0-dev+exp,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. +8.9.0-dev+exp,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. +8.9.0-dev+exp,true,faas,faas.trigger,nested,extended,,,Details about the function trigger. +8.9.0-dev+exp,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." 
+8.9.0-dev+exp,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. +8.9.0-dev+exp,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. +8.9.0-dev+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed. +8.9.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +8.9.0-dev+exp,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.9.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.9.0-dev+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.9.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.9.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.9.0-dev+exp,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.9.0-dev+exp,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.9.0-dev+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.9.0-dev+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.9.0-dev+exp,true,file,file.created,date,extended,,,File creation time. +8.9.0-dev+exp,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. +8.9.0-dev+exp,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. +8.9.0-dev+exp,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. 
+8.9.0-dev+exp,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +8.9.0-dev+exp,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.9.0-dev+exp,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.9.0-dev+exp,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.9.0-dev+exp,true,file,file.elf.creation_date,date,extended,,,Build or compile date. +8.9.0-dev+exp,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. +8.9.0-dev+exp,true,file,file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.9.0-dev+exp,true,file,file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.9.0-dev+exp,true,file,file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.9.0-dev+exp,true,file,file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.9.0-dev+exp,true,file,file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.9.0-dev+exp,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.9.0-dev+exp,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.9.0-dev+exp,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.9.0-dev+exp,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.9.0-dev+exp,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.9.0-dev+exp,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. 
+8.9.0-dev+exp,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.9.0-dev+exp,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. +8.9.0-dev+exp,true,file,file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.9.0-dev+exp,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. +8.9.0-dev+exp,true,file,file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev+exp,true,file,file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev+exp,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. +8.9.0-dev+exp,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.9.0-dev+exp,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.9.0-dev+exp,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.9.0-dev+exp,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. +8.9.0-dev+exp,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.9.0-dev+exp,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.9.0-dev+exp,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.9.0-dev+exp,true,file,file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.9.0-dev+exp,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.9.0-dev+exp,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.9.0-dev+exp,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. 
+8.9.0-dev+exp,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.9.0-dev+exp,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. +8.9.0-dev+exp,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.9.0-dev+exp,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.9.0-dev+exp,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +8.9.0-dev+exp,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +8.9.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +8.9.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file. +8.9.0-dev+exp,true,file,file.hash.md5,keyword,extended,,,MD5 hash. +8.9.0-dev+exp,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. +8.9.0-dev+exp,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. +8.9.0-dev+exp,true,file,file.hash.sha384,keyword,extended,,,SHA384 hash. +8.9.0-dev+exp,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. +8.9.0-dev+exp,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.9.0-dev+exp,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. +8.9.0-dev+exp,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +8.9.0-dev+exp,true,file,file.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +8.9.0-dev+exp,true,file,file.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.9.0-dev+exp,true,file,file.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
+8.9.0-dev+exp,true,file,file.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.9.0-dev+exp,true,file,file.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.9.0-dev+exp,true,file,file.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +8.9.0-dev+exp,true,file,file.macho.imports,flattened,extended,array,,List of imported element names and types. +8.9.0-dev+exp,true,file,file.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev+exp,true,file,file.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev+exp,true,file,file.macho.sections,nested,extended,array,,Section information of the Mach-O file. +8.9.0-dev+exp,true,file,file.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.9.0-dev+exp,true,file,file.macho.sections.name,keyword,extended,,,Mach-O Section List name. +8.9.0-dev+exp,true,file,file.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +8.9.0-dev+exp,true,file,file.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.9.0-dev+exp,true,file,file.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +8.9.0-dev+exp,true,file,file.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +8.9.0-dev+exp,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +8.9.0-dev+exp,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. 
+8.9.0-dev+exp,true,file,file.mtime,date,extended,,,Last time the file content was modified. +8.9.0-dev+exp,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +8.9.0-dev+exp,true,file,file.owner,keyword,extended,,alice,File owner's username. +8.9.0-dev+exp,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.9.0-dev+exp,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.9.0-dev+exp,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.9.0-dev+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.9.0-dev+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.9.0-dev+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.9.0-dev+exp,true,file,file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +8.9.0-dev+exp,true,file,file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.9.0-dev+exp,true,file,file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.9.0-dev+exp,true,file,file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.9.0-dev+exp,true,file,file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.9.0-dev+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.9.0-dev+exp,true,file,file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. 
+8.9.0-dev+exp,true,file,file.pe.imports,flattened,extended,array,,List of imported element names and types. +8.9.0-dev+exp,true,file,file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev+exp,true,file,file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev+exp,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.9.0-dev+exp,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.9.0-dev+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.9.0-dev+exp,true,file,file.pe.sections,nested,extended,array,,Section information of the PE file. +8.9.0-dev+exp,true,file,file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.9.0-dev+exp,true,file,file.pe.sections.name,keyword,extended,,,PE Section List name. +8.9.0-dev+exp,true,file,file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.9.0-dev+exp,true,file,file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.9.0-dev+exp,true,file,file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.9.0-dev+exp,true,file,file.size,long,extended,,16384,File size in bytes. +8.9.0-dev+exp,true,file,file.target_path,keyword,extended,,,Target path for symlinks. +8.9.0-dev+exp,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. +8.9.0-dev+exp,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." 
+8.9.0-dev+exp,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +8.9.0-dev+exp,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.9.0-dev+exp,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.9.0-dev+exp,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.9.0-dev+exp,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.9.0-dev+exp,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.9.0-dev+exp,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.9.0-dev+exp,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.9.0-dev+exp,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.9.0-dev+exp,true,file,file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.9.0-dev+exp,true,file,file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.9.0-dev+exp,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.9.0-dev+exp,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. 
+8.9.0-dev+exp,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.9.0-dev+exp,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.9.0-dev+exp,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.9.0-dev+exp,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.9.0-dev+exp,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.9.0-dev+exp,true,file,file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.9.0-dev+exp,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.9.0-dev+exp,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.9.0-dev+exp,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.9.0-dev+exp,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.9.0-dev+exp,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.9.0-dev+exp,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. +8.9.0-dev+exp,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.9.0-dev+exp,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev+exp,true,group,group.name,keyword,extended,,,Name of the group. 
+8.9.0-dev+exp,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. +8.9.0-dev+exp,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id +8.9.0-dev+exp,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +8.9.0-dev+exp,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +8.9.0-dev+exp,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +8.9.0-dev+exp,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. +8.9.0-dev+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name. +8.9.0-dev+exp,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. +8.9.0-dev+exp,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. +8.9.0-dev+exp,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.9.0-dev+exp,true,host,host.geo.country_name,keyword,core,,Canada,Country name. +8.9.0-dev+exp,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.9.0-dev+exp,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.9.0-dev+exp,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. +8.9.0-dev+exp,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.9.0-dev+exp,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. +8.9.0-dev+exp,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.9.0-dev+exp,true,host,host.hostname,keyword,core,,,Hostname of the host. +8.9.0-dev+exp,true,host,host.id,keyword,core,,,Unique host id. +8.9.0-dev+exp,true,host,host.ip,ip,core,array,,Host ip addresses. 
+8.9.0-dev+exp,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. +8.9.0-dev+exp,true,host,host.name,keyword,core,,,Name of the host. +8.9.0-dev+exp,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +8.9.0-dev+exp,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. +8.9.0-dev+exp,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +8.9.0-dev+exp,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. +8.9.0-dev+exp,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +8.9.0-dev+exp,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.9.0-dev+exp,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.9.0-dev+exp,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +8.9.0-dev+exp,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +8.9.0-dev+exp,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +8.9.0-dev+exp,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +8.9.0-dev+exp,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +8.9.0-dev+exp,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 
+8.9.0-dev+exp,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode +8.9.0-dev+exp,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.9.0-dev+exp,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.9.0-dev+exp,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.9.0-dev+exp,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.9.0-dev+exp,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.9.0-dev+exp,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +8.9.0-dev+exp,true,host,host.type,keyword,core,,,Type of host. +8.9.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. +8.9.0-dev+exp,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. +8.9.0-dev+exp,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. +8.9.0-dev+exp,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body. +8.9.0-dev+exp,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). +8.9.0-dev+exp,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. +8.9.0-dev+exp,true,http,http.request.method,keyword,extended,,POST,HTTP request method. 
+8.9.0-dev+exp,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. +8.9.0-dev+exp,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. +8.9.0-dev+exp,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. +8.9.0-dev+exp,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. +8.9.0-dev+exp,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body. +8.9.0-dev+exp,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). +8.9.0-dev+exp,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. +8.9.0-dev+exp,true,http,http.response.status_code,long,extended,,404,HTTP response status code. +8.9.0-dev+exp,true,http,http.version,keyword,extended,,1.1,HTTP version. +8.9.0-dev+exp,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. +8.9.0-dev+exp,true,log,log.level,keyword,core,,error,Log level of the log event. +8.9.0-dev+exp,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. +8.9.0-dev+exp,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event. +8.9.0-dev+exp,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. +8.9.0-dev+exp,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. +8.9.0-dev+exp,true,log,log.syslog,object,extended,,,Syslog metadata +8.9.0-dev+exp,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. +8.9.0-dev+exp,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. 
+8.9.0-dev+exp,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. +8.9.0-dev+exp,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. +8.9.0-dev+exp,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. +8.9.0-dev+exp,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. +8.9.0-dev+exp,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. +8.9.0-dev+exp,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. +8.9.0-dev+exp,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. +8.9.0-dev+exp,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages. +8.9.0-dev+exp,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. +8.9.0-dev+exp,true,network,network.application,keyword,extended,,aim,Application level protocol name. +8.9.0-dev+exp,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. +8.9.0-dev+exp,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. +8.9.0-dev+exp,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. +8.9.0-dev+exp,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. +8.9.0-dev+exp,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. +8.9.0-dev+exp,true,network,network.inner,object,extended,,,Inner VLAN tag information +8.9.0-dev+exp,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.9.0-dev+exp,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. 
+8.9.0-dev+exp,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. +8.9.0-dev+exp,true,network,network.packets,long,core,,24,Total packets transferred in both directions. +8.9.0-dev+exp,true,network,network.protocol,keyword,core,,http,Application protocol name. +8.9.0-dev+exp,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. +8.9.0-dev+exp,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" +8.9.0-dev+exp,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.9.0-dev+exp,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.9.0-dev+exp,true,observer,observer.egress,object,extended,,,Object field for egress information +8.9.0-dev+exp,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias +8.9.0-dev+exp,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID +8.9.0-dev+exp,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name +8.9.0-dev+exp,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.9.0-dev+exp,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.9.0-dev+exp,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone +8.9.0-dev+exp,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. +8.9.0-dev+exp,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. +8.9.0-dev+exp,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. +8.9.0-dev+exp,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. 
+8.9.0-dev+exp,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. +8.9.0-dev+exp,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.9.0-dev+exp,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.9.0-dev+exp,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. +8.9.0-dev+exp,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.9.0-dev+exp,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. +8.9.0-dev+exp,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.9.0-dev+exp,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. +8.9.0-dev+exp,true,observer,observer.ingress,object,extended,,,Object field for ingress information +8.9.0-dev+exp,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias +8.9.0-dev+exp,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID +8.9.0-dev+exp,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name +8.9.0-dev+exp,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.9.0-dev+exp,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.9.0-dev+exp,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone +8.9.0-dev+exp,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. +8.9.0-dev+exp,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. +8.9.0-dev+exp,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. +8.9.0-dev+exp,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 
+8.9.0-dev+exp,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.9.0-dev+exp,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.9.0-dev+exp,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +8.9.0-dev+exp,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +8.9.0-dev+exp,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +8.9.0-dev+exp,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +8.9.0-dev+exp,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +8.9.0-dev+exp,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +8.9.0-dev+exp,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. +8.9.0-dev+exp,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. +8.9.0-dev+exp,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. +8.9.0-dev+exp,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. +8.9.0-dev+exp,true,observer,observer.version,keyword,core,,,Observer version. +8.9.0-dev+exp,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action +8.9.0-dev+exp,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster. +8.9.0-dev+exp,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster. 
+8.9.0-dev+exp,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster. +8.9.0-dev+exp,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. +8.9.0-dev+exp,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. +8.9.0-dev+exp,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). +8.9.0-dev+exp,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. +8.9.0-dev+exp,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. +8.9.0-dev+exp,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. +8.9.0-dev+exp,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. +8.9.0-dev+exp,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. +8.9.0-dev+exp,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)." +8.9.0-dev+exp,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. +8.9.0-dev+exp,true,organization,organization.name,keyword,extended,,,Organization name. +8.9.0-dev+exp,true,organization,organization.name.text,match_only_text,extended,,,Organization name. +8.9.0-dev+exp,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. 
+8.9.0-dev+exp,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information +8.9.0-dev+exp,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. +8.9.0-dev+exp,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. +8.9.0-dev+exp,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." +8.9.0-dev+exp,true,package,package.installed,date,extended,,,Time when package was installed. +8.9.0-dev+exp,true,package,package.license,keyword,extended,,Apache License 2.0,Package license +8.9.0-dev+exp,true,package,package.name,keyword,extended,,go,Package name +8.9.0-dev+exp,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. +8.9.0-dev+exp,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL +8.9.0-dev+exp,true,package,package.size,long,extended,,62231,Package size in bytes. +8.9.0-dev+exp,true,package,package.type,keyword,extended,,rpm,Package type +8.9.0-dev+exp,true,package,package.version,keyword,extended,,1.12.9,Package version +8.9.0-dev+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.9.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array. +8.9.0-dev+exp,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.9.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.9.0-dev+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 
+8.9.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.9.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.9.0-dev+exp,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.9.0-dev+exp,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.9.0-dev+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.9.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.9.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.9.0-dev+exp,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.9.0-dev+exp,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.9.0-dev+exp,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.9.0-dev+exp,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.9.0-dev+exp,true,process,process.elf.creation_date,date,extended,,,Build or compile date. +8.9.0-dev+exp,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. +8.9.0-dev+exp,true,process,process.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.9.0-dev+exp,true,process,process.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. 
+8.9.0-dev+exp,true,process,process.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.9.0-dev+exp,true,process,process.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.9.0-dev+exp,true,process,process.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.9.0-dev+exp,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.9.0-dev+exp,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.9.0-dev+exp,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.9.0-dev+exp,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.9.0-dev+exp,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.9.0-dev+exp,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.9.0-dev+exp,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.9.0-dev+exp,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. +8.9.0-dev+exp,true,process,process.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.9.0-dev+exp,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. +8.9.0-dev+exp,true,process,process.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev+exp,true,process,process.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
+8.9.0-dev+exp,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. +8.9.0-dev+exp,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.9.0-dev+exp,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.9.0-dev+exp,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.9.0-dev+exp,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. +8.9.0-dev+exp,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.9.0-dev+exp,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.9.0-dev+exp,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. +8.9.0-dev+exp,true,process,process.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.9.0-dev+exp,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.9.0-dev+exp,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.9.0-dev+exp,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. +8.9.0-dev+exp,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.9.0-dev+exp,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. +8.9.0-dev+exp,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.9.0-dev+exp,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.9.0-dev+exp,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +8.9.0-dev+exp,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 
+8.9.0-dev+exp,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.9.0-dev+exp,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. +8.9.0-dev+exp,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group. +8.9.0-dev+exp,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev+exp,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,process,process.entry_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.9.0-dev+exp,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.9.0-dev+exp,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.9.0-dev+exp,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. +8.9.0-dev+exp,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. +8.9.0-dev+exp,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.9.0-dev+exp,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.9.0-dev+exp,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev+exp,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. 
+8.9.0-dev+exp,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.9.0-dev+exp,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. +8.9.0-dev+exp,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. +8.9.0-dev+exp,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.9.0-dev+exp,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. +8.9.0-dev+exp,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.9.0-dev+exp,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. +8.9.0-dev+exp,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.9.0-dev+exp,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.9.0-dev+exp,true,process,process.entry_leader.pid,long,core,,4242,Process id. +8.9.0-dev+exp,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev+exp,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. +8.9.0-dev+exp,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev+exp,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
+8.9.0-dev+exp,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +8.9.0-dev+exp,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev+exp,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. +8.9.0-dev+exp,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev+exp,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.9.0-dev+exp,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev+exp,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +8.9.0-dev+exp,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. +8.9.0-dev+exp,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.9.0-dev+exp,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.9.0-dev+exp,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev+exp,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
+8.9.0-dev+exp,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.9.0-dev+exp,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.9.0-dev+exp,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. +8.9.0-dev+exp,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.9.0-dev+exp,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.9.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process. +8.9.0-dev+exp,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.9.0-dev+exp,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. +8.9.0-dev+exp,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.9.0-dev+exp,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.9.0-dev+exp,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.9.0-dev+exp,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.9.0-dev+exp,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.9.0-dev+exp,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+8.9.0-dev+exp,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. +8.9.0-dev+exp,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.9.0-dev+exp,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. +8.9.0-dev+exp,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. +8.9.0-dev+exp,true,process,process.group_leader.pid,long,core,,4242,Process id. +8.9.0-dev+exp,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev+exp,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. +8.9.0-dev+exp,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev+exp,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +8.9.0-dev+exp,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev+exp,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. +8.9.0-dev+exp,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev+exp,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. 
+8.9.0-dev+exp,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.9.0-dev+exp,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev+exp,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +8.9.0-dev+exp,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. +8.9.0-dev+exp,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.9.0-dev+exp,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.9.0-dev+exp,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev+exp,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.9.0-dev+exp,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.9.0-dev+exp,true,process,process.hash.md5,keyword,extended,,,MD5 hash. +8.9.0-dev+exp,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. +8.9.0-dev+exp,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. +8.9.0-dev+exp,true,process,process.hash.sha384,keyword,extended,,,SHA384 hash. +8.9.0-dev+exp,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. 
+8.9.0-dev+exp,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.9.0-dev+exp,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. +8.9.0-dev+exp,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.9.0-dev+exp,true,process,process.io,object,extended,,,A chunk of input or output (IO) from a single process. +8.9.0-dev+exp,true,process,process.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. +8.9.0-dev+exp,true,process,process.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. +8.9.0-dev+exp,true,process,process.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. +8.9.0-dev+exp,true,process,process.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." +8.9.0-dev+exp,true,process,process.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. +8.9.0-dev+exp,true,process,process.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. +8.9.0-dev+exp,true,process,process.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. +8.9.0-dev+exp,true,process,process.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. +8.9.0-dev+exp,true,process,process.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +8.9.0-dev+exp,true,process,process.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. 
+8.9.0-dev+exp,true,process,process.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.9.0-dev+exp,true,process,process.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.9.0-dev+exp,true,process,process.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.9.0-dev+exp,true,process,process.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +8.9.0-dev+exp,true,process,process.macho.imports,flattened,extended,array,,List of imported element names and types. +8.9.0-dev+exp,true,process,process.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev+exp,true,process,process.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev+exp,true,process,process.macho.sections,nested,extended,array,,Section information of the Mach-O file. +8.9.0-dev+exp,true,process,process.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.9.0-dev+exp,true,process,process.macho.sections.name,keyword,extended,,,Mach-O Section List name. +8.9.0-dev+exp,true,process,process.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +8.9.0-dev+exp,true,process,process.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.9.0-dev+exp,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +8.9.0-dev+exp,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +8.9.0-dev+exp,true,process,process.name,keyword,extended,,ssh,Process name. 
+8.9.0-dev+exp,true,process,process.name.text,match_only_text,extended,,ssh,Process name. +8.9.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.9.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. +8.9.0-dev+exp,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.9.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.9.0-dev+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.9.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.9.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.9.0-dev+exp,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.9.0-dev+exp,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.9.0-dev+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.9.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.9.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.9.0-dev+exp,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
+8.9.0-dev+exp,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.9.0-dev+exp,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.9.0-dev+exp,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.9.0-dev+exp,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. +8.9.0-dev+exp,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. +8.9.0-dev+exp,true,process,process.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.9.0-dev+exp,true,process,process.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.9.0-dev+exp,true,process,process.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.9.0-dev+exp,true,process,process.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.9.0-dev+exp,true,process,process.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.9.0-dev+exp,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.9.0-dev+exp,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.9.0-dev+exp,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.9.0-dev+exp,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.9.0-dev+exp,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." 
+8.9.0-dev+exp,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.9.0-dev+exp,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.9.0-dev+exp,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. +8.9.0-dev+exp,true,process,process.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.9.0-dev+exp,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. +8.9.0-dev+exp,true,process,process.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev+exp,true,process,process.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev+exp,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. +8.9.0-dev+exp,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.9.0-dev+exp,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.9.0-dev+exp,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.9.0-dev+exp,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. +8.9.0-dev+exp,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.9.0-dev+exp,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.9.0-dev+exp,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. 
+8.9.0-dev+exp,true,process,process.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.9.0-dev+exp,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.9.0-dev+exp,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.9.0-dev+exp,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. +8.9.0-dev+exp,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.9.0-dev+exp,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. +8.9.0-dev+exp,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.9.0-dev+exp,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.9.0-dev+exp,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +8.9.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.9.0-dev+exp,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.9.0-dev+exp,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.9.0-dev+exp,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. +8.9.0-dev+exp,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev+exp,true,process,process.parent.group.name,keyword,extended,,,Name of the group. +8.9.0-dev+exp,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.9.0-dev+exp,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. 
+8.9.0-dev+exp,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.9.0-dev+exp,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. +8.9.0-dev+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. +8.9.0-dev+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. +8.9.0-dev+exp,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash. +8.9.0-dev+exp,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. +8.9.0-dev+exp,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.9.0-dev+exp,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. +8.9.0-dev+exp,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.9.0-dev+exp,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +8.9.0-dev+exp,true,process,process.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.9.0-dev+exp,true,process,process.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.9.0-dev+exp,true,process,process.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.9.0-dev+exp,true,process,process.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.9.0-dev+exp,true,process,process.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +8.9.0-dev+exp,true,process,process.parent.macho.imports,flattened,extended,array,,List of imported element names and types. 
+8.9.0-dev+exp,true,process,process.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev+exp,true,process,process.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev+exp,true,process,process.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file. +8.9.0-dev+exp,true,process,process.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.9.0-dev+exp,true,process,process.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name. +8.9.0-dev+exp,true,process,process.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +8.9.0-dev+exp,true,process,process.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.9.0-dev+exp,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +8.9.0-dev+exp,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +8.9.0-dev+exp,true,process,process.parent.name,keyword,extended,,ssh,Process name. +8.9.0-dev+exp,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. +8.9.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.9.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.9.0-dev+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.9.0-dev+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 
+8.9.0-dev+exp,true,process,process.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +8.9.0-dev+exp,true,process,process.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.9.0-dev+exp,true,process,process.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.9.0-dev+exp,true,process,process.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.9.0-dev+exp,true,process,process.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.9.0-dev+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.9.0-dev+exp,true,process,process.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.9.0-dev+exp,true,process,process.parent.pe.imports,flattened,extended,array,,List of imported element names and types. +8.9.0-dev+exp,true,process,process.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev+exp,true,process,process.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev+exp,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.9.0-dev+exp,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.9.0-dev+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 
+8.9.0-dev+exp,true,process,process.parent.pe.sections,nested,extended,array,,Section information of the PE file. +8.9.0-dev+exp,true,process,process.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.9.0-dev+exp,true,process,process.parent.pe.sections.name,keyword,extended,,,PE Section List name. +8.9.0-dev+exp,true,process,process.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.9.0-dev+exp,true,process,process.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.9.0-dev+exp,true,process,process.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.9.0-dev+exp,true,process,process.parent.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. +8.9.0-dev+exp,true,process,process.parent.pid,long,core,,4242,Process id. +8.9.0-dev+exp,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev+exp,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. +8.9.0-dev+exp,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev+exp,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev+exp,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group. +8.9.0-dev+exp,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
+8.9.0-dev+exp,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.9.0-dev+exp,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev+exp,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. +8.9.0-dev+exp,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. +8.9.0-dev+exp,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. +8.9.0-dev+exp,true,process,process.parent.title,keyword,extended,,,Process title. +8.9.0-dev+exp,true,process,process.parent.title.text,match_only_text,extended,,,Process title. +8.9.0-dev+exp,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. +8.9.0-dev+exp,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.9.0-dev+exp,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.9.0-dev+exp,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. +8.9.0-dev+exp,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev+exp,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. 
+8.9.0-dev+exp,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.9.0-dev+exp,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.9.0-dev+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.9.0-dev+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.9.0-dev+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.9.0-dev+exp,true,process,process.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +8.9.0-dev+exp,true,process,process.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.9.0-dev+exp,true,process,process.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.9.0-dev+exp,true,process,process.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.9.0-dev+exp,true,process,process.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.9.0-dev+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.9.0-dev+exp,true,process,process.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.9.0-dev+exp,true,process,process.pe.imports,flattened,extended,array,,List of imported element names and types. +8.9.0-dev+exp,true,process,process.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
+8.9.0-dev+exp,true,process,process.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev+exp,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.9.0-dev+exp,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.9.0-dev+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.9.0-dev+exp,true,process,process.pe.sections,nested,extended,array,,Section information of the PE file. +8.9.0-dev+exp,true,process,process.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.9.0-dev+exp,true,process,process.pe.sections.name,keyword,extended,,,PE Section List name. +8.9.0-dev+exp,true,process,process.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.9.0-dev+exp,true,process,process.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.9.0-dev+exp,true,process,process.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.9.0-dev+exp,true,process,process.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. +8.9.0-dev+exp,true,process,process.pid,long,core,,4242,Process id. +8.9.0-dev+exp,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.9.0-dev+exp,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. +8.9.0-dev+exp,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 
+8.9.0-dev+exp,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.9.0-dev+exp,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev+exp,true,process,process.real_group.name,keyword,extended,,,Name of the group. +8.9.0-dev+exp,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev+exp,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev+exp,true,process,process.saved_group.name,keyword,extended,,,Name of the group. +8.9.0-dev+exp,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev+exp,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.9.0-dev+exp,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array. +8.9.0-dev+exp,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.9.0-dev+exp,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
+8.9.0-dev+exp,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.9.0-dev+exp,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.9.0-dev+exp,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.9.0-dev+exp,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev+exp,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. +8.9.0-dev+exp,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.9.0-dev+exp,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. +8.9.0-dev+exp,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. +8.9.0-dev+exp,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.9.0-dev+exp,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. +8.9.0-dev+exp,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.9.0-dev+exp,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. +8.9.0-dev+exp,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.9.0-dev+exp,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.9.0-dev+exp,true,process,process.session_leader.pid,long,core,,4242,Process id. +8.9.0-dev+exp,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+8.9.0-dev+exp,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. +8.9.0-dev+exp,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev+exp,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +8.9.0-dev+exp,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev+exp,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group. +8.9.0-dev+exp,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev+exp,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.9.0-dev+exp,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev+exp,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +8.9.0-dev+exp,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. 
+8.9.0-dev+exp,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.9.0-dev+exp,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.9.0-dev+exp,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev+exp,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.9.0-dev+exp,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.9.0-dev+exp,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.9.0-dev+exp,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev+exp,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. +8.9.0-dev+exp,true,process,process.thread.id,long,extended,,4242,Thread ID. +8.9.0-dev+exp,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. +8.9.0-dev+exp,true,process,process.title,keyword,extended,,,Process title. +8.9.0-dev+exp,true,process,process.title.text,match_only_text,extended,,,Process title. +8.9.0-dev+exp,true,process,process.tty,object,extended,,,Information about the controlling TTY device. +8.9.0-dev+exp,true,process,process.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.9.0-dev+exp,true,process,process.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. 
+8.9.0-dev+exp,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width +8.9.0-dev+exp,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height +8.9.0-dev+exp,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. +8.9.0-dev+exp,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev+exp,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.9.0-dev+exp,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.9.0-dev+exp,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +8.9.0-dev+exp,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +8.9.0-dev+exp,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +8.9.0-dev+exp,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +8.9.0-dev+exp,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +8.9.0-dev+exp,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +8.9.0-dev+exp,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. 
+8.9.0-dev+exp,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. +8.9.0-dev+exp,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. +8.9.0-dev+exp,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. +8.9.0-dev+exp,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. +8.9.0-dev+exp,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author +8.9.0-dev+exp,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category +8.9.0-dev+exp,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description +8.9.0-dev+exp,true,rule,rule.id,keyword,extended,,101,Rule ID +8.9.0-dev+exp,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license +8.9.0-dev+exp,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name +8.9.0-dev+exp,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL +8.9.0-dev+exp,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset +8.9.0-dev+exp,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID +8.9.0-dev+exp,true,rule,rule.version,keyword,extended,,1.1,Rule version +8.9.0-dev+exp,true,server,server.address,keyword,extended,,,Server network address. +8.9.0-dev+exp,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.9.0-dev+exp,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.9.0-dev+exp,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.9.0-dev+exp,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. +8.9.0-dev+exp,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server. 
+8.9.0-dev+exp,true,server,server.geo.city_name,keyword,core,,Montreal,City name. +8.9.0-dev+exp,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. +8.9.0-dev+exp,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. +8.9.0-dev+exp,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.9.0-dev+exp,true,server,server.geo.country_name,keyword,core,,Canada,Country name. +8.9.0-dev+exp,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.9.0-dev+exp,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.9.0-dev+exp,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. +8.9.0-dev+exp,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.9.0-dev+exp,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. +8.9.0-dev+exp,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.9.0-dev+exp,true,server,server.ip,ip,core,,,IP address of the server. +8.9.0-dev+exp,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. +8.9.0-dev+exp,true,server,server.nat.ip,ip,extended,,,Server NAT ip +8.9.0-dev+exp,true,server,server.nat.port,long,extended,,,Server NAT port +8.9.0-dev+exp,true,server,server.packets,long,core,,12,Packets sent from the server to the client. +8.9.0-dev+exp,true,server,server.port,long,core,,,Port of the server. +8.9.0-dev+exp,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." +8.9.0-dev+exp,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. +8.9.0-dev+exp,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 
+8.9.0-dev+exp,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.9.0-dev+exp,true,server,server.user.email,keyword,extended,,,User email address. +8.9.0-dev+exp,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.9.0-dev+exp,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.9.0-dev+exp,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.9.0-dev+exp,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev+exp,true,server,server.user.group.name,keyword,extended,,,Name of the group. +8.9.0-dev+exp,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.9.0-dev+exp,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev+exp,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.9.0-dev+exp,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. +8.9.0-dev+exp,true,service,service.environment,keyword,extended,,production,Environment of the service. +8.9.0-dev+exp,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +8.9.0-dev+exp,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +8.9.0-dev+exp,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. 
+8.9.0-dev+exp,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. +8.9.0-dev+exp,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +8.9.0-dev+exp,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +8.9.0-dev+exp,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. +8.9.0-dev+exp,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. +8.9.0-dev+exp,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +8.9.0-dev+exp,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +8.9.0-dev+exp,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. +8.9.0-dev+exp,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. +8.9.0-dev+exp,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +8.9.0-dev+exp,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +8.9.0-dev+exp,true,service,service.origin.state,keyword,core,,,Current state of the service. +8.9.0-dev+exp,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. +8.9.0-dev+exp,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. +8.9.0-dev+exp,true,service,service.state,keyword,core,,,Current state of the service. +8.9.0-dev+exp,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service. +8.9.0-dev+exp,true,service,service.target.environment,keyword,extended,,production,Environment of the service. 
+8.9.0-dev+exp,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +8.9.0-dev+exp,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +8.9.0-dev+exp,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. +8.9.0-dev+exp,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. +8.9.0-dev+exp,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +8.9.0-dev+exp,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +8.9.0-dev+exp,true,service,service.target.state,keyword,core,,,Current state of the service. +8.9.0-dev+exp,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. +8.9.0-dev+exp,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. +8.9.0-dev+exp,true,service,service.type,keyword,core,,elasticsearch,The type of the service. +8.9.0-dev+exp,true,service,service.version,keyword,core,,3.2.4,Version of the service. +8.9.0-dev+exp,true,source,source.address,keyword,extended,,,Source network address. +8.9.0-dev+exp,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.9.0-dev+exp,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.9.0-dev+exp,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.9.0-dev+exp,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. +8.9.0-dev+exp,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source. +8.9.0-dev+exp,true,source,source.geo.city_name,keyword,core,,Montreal,City name. 
+8.9.0-dev+exp,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. +8.9.0-dev+exp,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. +8.9.0-dev+exp,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.9.0-dev+exp,true,source,source.geo.country_name,keyword,core,,Canada,Country name. +8.9.0-dev+exp,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.9.0-dev+exp,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.9.0-dev+exp,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. +8.9.0-dev+exp,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.9.0-dev+exp,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. +8.9.0-dev+exp,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.9.0-dev+exp,true,source,source.ip,ip,core,,,IP address of the source. +8.9.0-dev+exp,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +8.9.0-dev+exp,true,source,source.nat.ip,ip,extended,,,Source NAT ip +8.9.0-dev+exp,true,source,source.nat.port,long,extended,,,Source NAT port +8.9.0-dev+exp,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. +8.9.0-dev+exp,true,source,source.port,long,core,,,Port of the source. +8.9.0-dev+exp,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +8.9.0-dev+exp,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. +8.9.0-dev+exp,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.9.0-dev+exp,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. 
+8.9.0-dev+exp,true,source,source.user.email,keyword,extended,,,User email address. +8.9.0-dev+exp,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.9.0-dev+exp,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.9.0-dev+exp,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.9.0-dev+exp,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev+exp,true,source,source.user.group.name,keyword,extended,,,Name of the group. +8.9.0-dev+exp,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.9.0-dev+exp,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev+exp,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.9.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. +8.9.0-dev+exp,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. 
+8.9.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 
+8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. 
+8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. 
+8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. 
+8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. 
+8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. 
+8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 
+8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
+8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.9.0-dev+exp,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. 
+8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. 
+8.9.0-dev+exp,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. 
+8.9.0-dev+exp,true,threat,threat.enrichments.indicator.name,keyword,extended,,5.2.75.227,Indicator display name +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. 
+8.9.0-dev+exp,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. 
+8.9.0-dev+exp,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.9.0-dev+exp,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
+8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. 
+8.9.0-dev+exp,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value +8.9.0-dev+exp,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field +8.9.0-dev+exp,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier +8.9.0-dev+exp,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index +8.9.0-dev+exp,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05T17:00:58.326Z,Date of match +8.9.0-dev+exp,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match +8.9.0-dev+exp,true,threat,threat.feed.dashboard_id,keyword,extended,,5ba16340-72e6-11eb-a3e3-b3cc7c78a70f,Feed dashboard ID. +8.9.0-dev+exp,true,threat,threat.feed.description,keyword,extended,,Threat feed from the AlienVault Open Threat eXchange network.,Description of the threat feed. +8.9.0-dev+exp,true,threat,threat.feed.name,keyword,extended,,AlienVault OTX,Name of the threat feed. +8.9.0-dev+exp,true,threat,threat.feed.reference,keyword,extended,,https://otx.alienvault.com,Reference for the threat feed. +8.9.0-dev+exp,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. +8.9.0-dev+exp,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. +8.9.0-dev+exp,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. +8.9.0-dev+exp,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. +8.9.0-dev+exp,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. +8.9.0-dev+exp,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. 
+8.9.0-dev+exp,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.9.0-dev+exp,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.9.0-dev+exp,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating +8.9.0-dev+exp,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +8.9.0-dev+exp,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +8.9.0-dev+exp,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. +8.9.0-dev+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +8.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 
+8.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.9.0-dev+exp,true,threat,threat.indicator.file.created,date,extended,,,File creation time. +8.9.0-dev+exp,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +8.9.0-dev+exp,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +8.9.0-dev+exp,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +8.9.0-dev+exp,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +8.9.0-dev+exp,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.9.0-dev+exp,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.9.0-dev+exp,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.9.0-dev+exp,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +8.9.0-dev+exp,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +8.9.0-dev+exp,true,threat,threat.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.9.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.9.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
+8.9.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.9.0-dev+exp,true,threat,threat.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.9.0-dev+exp,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.9.0-dev+exp,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.9.0-dev+exp,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.9.0-dev+exp,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.9.0-dev+exp,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.9.0-dev+exp,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.9.0-dev+exp,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.9.0-dev+exp,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +8.9.0-dev+exp,true,threat,threat.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.9.0-dev+exp,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +8.9.0-dev+exp,true,threat,threat.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev+exp,true,threat,threat.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
+8.9.0-dev+exp,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +8.9.0-dev+exp,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.9.0-dev+exp,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.9.0-dev+exp,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.9.0-dev+exp,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +8.9.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.9.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.9.0-dev+exp,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.9.0-dev+exp,true,threat,threat.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.9.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.9.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.9.0-dev+exp,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. +8.9.0-dev+exp,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.9.0-dev+exp,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +8.9.0-dev+exp,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.9.0-dev+exp,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. 
+8.9.0-dev+exp,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +8.9.0-dev+exp,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +8.9.0-dev+exp,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +8.9.0-dev+exp,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +8.9.0-dev+exp,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. +8.9.0-dev+exp,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. +8.9.0-dev+exp,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. +8.9.0-dev+exp,true,threat,threat.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. +8.9.0-dev+exp,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. +8.9.0-dev+exp,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.9.0-dev+exp,true,threat,threat.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. +8.9.0-dev+exp,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +8.9.0-dev+exp,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +8.9.0-dev+exp,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +8.9.0-dev+exp,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. +8.9.0-dev+exp,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +8.9.0-dev+exp,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. 
+8.9.0-dev+exp,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.9.0-dev+exp,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.9.0-dev+exp,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.9.0-dev+exp,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.9.0-dev+exp,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.9.0-dev+exp,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.9.0-dev+exp,true,threat,threat.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +8.9.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.9.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.9.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.9.0-dev+exp,true,threat,threat.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.9.0-dev+exp,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.9.0-dev+exp,true,threat,threat.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. 
+8.9.0-dev+exp,true,threat,threat.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. +8.9.0-dev+exp,true,threat,threat.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev+exp,true,threat,threat.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev+exp,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.9.0-dev+exp,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.9.0-dev+exp,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.9.0-dev+exp,true,threat,threat.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. +8.9.0-dev+exp,true,threat,threat.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.9.0-dev+exp,true,threat,threat.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. +8.9.0-dev+exp,true,threat,threat.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.9.0-dev+exp,true,threat,threat.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.9.0-dev+exp,true,threat,threat.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.9.0-dev+exp,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. +8.9.0-dev+exp,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. 
+8.9.0-dev+exp,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. +8.9.0-dev+exp,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +8.9.0-dev+exp,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +8.9.0-dev+exp,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.9.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.9.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.9.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.9.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.9.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.9.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.9.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.9.0-dev+exp,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. 
+8.9.0-dev+exp,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.9.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.9.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.9.0-dev+exp,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.9.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.9.0-dev+exp,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.9.0-dev+exp,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.9.0-dev+exp,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.9.0-dev+exp,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.9.0-dev+exp,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.9.0-dev+exp,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.9.0-dev+exp,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. 
+8.9.0-dev+exp,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.9.0-dev+exp,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.9.0-dev+exp,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. +8.9.0-dev+exp,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +8.9.0-dev+exp,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. +8.9.0-dev+exp,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. +8.9.0-dev+exp,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +8.9.0-dev+exp,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.9.0-dev+exp,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. +8.9.0-dev+exp,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.9.0-dev+exp,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.9.0-dev+exp,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. +8.9.0-dev+exp,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.9.0-dev+exp,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. +8.9.0-dev+exp,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.9.0-dev+exp,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +8.9.0-dev+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. 
+8.9.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking +8.9.0-dev+exp,true,threat,threat.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version +8.9.0-dev+exp,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. +8.9.0-dev+exp,true,threat,threat.indicator.name,keyword,extended,,5.2.75.227,Indicator display name +8.9.0-dev+exp,true,threat,threat.indicator.port,long,extended,,443,Indicator port +8.9.0-dev+exp,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +8.9.0-dev+exp,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +8.9.0-dev+exp,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +8.9.0-dev+exp,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +8.9.0-dev+exp,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +8.9.0-dev+exp,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +8.9.0-dev+exp,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +8.9.0-dev+exp,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +8.9.0-dev+exp,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. 
+8.9.0-dev+exp,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics +8.9.0-dev+exp,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed +8.9.0-dev+exp,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +8.9.0-dev+exp,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +8.9.0-dev+exp,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +8.9.0-dev+exp,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +8.9.0-dev+exp,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.9.0-dev+exp,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.9.0-dev+exp,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.9.0-dev+exp,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.9.0-dev+exp,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. +8.9.0-dev+exp,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +8.9.0-dev+exp,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." +8.9.0-dev+exp,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. +8.9.0-dev+exp,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." 
+8.9.0-dev+exp,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +8.9.0-dev+exp,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +8.9.0-dev+exp,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.9.0-dev+exp,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. +8.9.0-dev+exp,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.9.0-dev+exp,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.9.0-dev+exp,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.9.0-dev+exp,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.9.0-dev+exp,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.9.0-dev+exp,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.9.0-dev+exp,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.9.0-dev+exp,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.9.0-dev+exp,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. 
+8.9.0-dev+exp,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.9.0-dev+exp,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.9.0-dev+exp,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.9.0-dev+exp,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.9.0-dev+exp,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.9.0-dev+exp,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.9.0-dev+exp,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.9.0-dev+exp,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.9.0-dev+exp,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.9.0-dev+exp,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.9.0-dev+exp,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.9.0-dev+exp,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.9.0-dev+exp,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. 
+8.9.0-dev+exp,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.9.0-dev+exp,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. +8.9.0-dev+exp,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software +8.9.0-dev+exp,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software +8.9.0-dev+exp,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. +8.9.0-dev+exp,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. +8.9.0-dev+exp,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. +8.9.0-dev+exp,true,threat,threat.software.type,keyword,extended,,Tool,Software type. +8.9.0-dev+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. +8.9.0-dev+exp,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. +8.9.0-dev+exp,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. +8.9.0-dev+exp,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. +8.9.0-dev+exp,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. +8.9.0-dev+exp,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name. +8.9.0-dev+exp,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. +8.9.0-dev+exp,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. +8.9.0-dev+exp,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. 
+8.9.0-dev+exp,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name. +8.9.0-dev+exp,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. +8.9.0-dev+exp,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. +8.9.0-dev+exp,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. +8.9.0-dev+exp,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. +8.9.0-dev+exp,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. +8.9.0-dev+exp,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. +8.9.0-dev+exp,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. +8.9.0-dev+exp,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. +8.9.0-dev+exp,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. +8.9.0-dev+exp,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. 
+8.9.0-dev+exp,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. +8.9.0-dev+exp,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. +8.9.0-dev+exp,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. +8.9.0-dev+exp,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. +8.9.0-dev+exp,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.9.0-dev+exp,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.9.0-dev+exp,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.9.0-dev+exp,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.9.0-dev+exp,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.9.0-dev+exp,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.9.0-dev+exp,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+8.9.0-dev+exp,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.9.0-dev+exp,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.9.0-dev+exp,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.9.0-dev+exp,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.9.0-dev+exp,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.9.0-dev+exp,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.9.0-dev+exp,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.9.0-dev+exp,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.9.0-dev+exp,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.9.0-dev+exp,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.9.0-dev+exp,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.9.0-dev+exp,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
+8.9.0-dev+exp,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.9.0-dev+exp,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.9.0-dev+exp,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.9.0-dev+exp,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.9.0-dev+exp,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. +8.9.0-dev+exp,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." +8.9.0-dev+exp,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +8.9.0-dev+exp,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. +8.9.0-dev+exp,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +8.9.0-dev+exp,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. +8.9.0-dev+exp,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. +8.9.0-dev+exp,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. +8.9.0-dev+exp,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. 
+8.9.0-dev+exp,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. +8.9.0-dev+exp,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. +8.9.0-dev+exp,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. +8.9.0-dev+exp,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. +8.9.0-dev+exp,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. +8.9.0-dev+exp,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. +8.9.0-dev+exp,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.9.0-dev+exp,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.9.0-dev+exp,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.9.0-dev+exp,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
+8.9.0-dev+exp,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.9.0-dev+exp,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.9.0-dev+exp,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.9.0-dev+exp,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.9.0-dev+exp,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.9.0-dev+exp,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.9.0-dev+exp,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.9.0-dev+exp,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.9.0-dev+exp,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.9.0-dev+exp,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.9.0-dev+exp,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.9.0-dev+exp,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.9.0-dev+exp,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
+8.9.0-dev+exp,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.9.0-dev+exp,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.9.0-dev+exp,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.9.0-dev+exp,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.9.0-dev+exp,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.9.0-dev+exp,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.9.0-dev+exp,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. +8.9.0-dev+exp,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. +8.9.0-dev+exp,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. +8.9.0-dev+exp,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. +8.9.0-dev+exp,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. +8.9.0-dev+exp,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. +8.9.0-dev+exp,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +8.9.0-dev+exp,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. +8.9.0-dev+exp,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. 
+8.9.0-dev+exp,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.9.0-dev+exp,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.9.0-dev+exp,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.9.0-dev+exp,true,url,url.password,keyword,extended,,,Password of the request. +8.9.0-dev+exp,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +8.9.0-dev+exp,true,url,url.port,long,extended,,443,"Port of the request, such as 443." +8.9.0-dev+exp,true,url,url.query,keyword,extended,,,Query string of the request. +8.9.0-dev+exp,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +8.9.0-dev+exp,true,url,url.scheme,keyword,extended,,https,Scheme of the url. +8.9.0-dev+exp,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. +8.9.0-dev+exp,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.9.0-dev+exp,true,url,url.username,keyword,extended,,,Username of the request. +8.9.0-dev+exp,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. +8.9.0-dev+exp,true,user,user.changes.email,keyword,extended,,,User email address. +8.9.0-dev+exp,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.9.0-dev+exp,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.9.0-dev+exp,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+8.9.0-dev+exp,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev+exp,true,user,user.changes.group.name,keyword,extended,,,Name of the group. +8.9.0-dev+exp,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.9.0-dev+exp,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev+exp,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.9.0-dev+exp,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.9.0-dev+exp,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. +8.9.0-dev+exp,true,user,user.effective.email,keyword,extended,,,User email address. +8.9.0-dev+exp,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.9.0-dev+exp,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.9.0-dev+exp,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.9.0-dev+exp,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev+exp,true,user,user.effective.group.name,keyword,extended,,,Name of the group. +8.9.0-dev+exp,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
+8.9.0-dev+exp,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev+exp,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.9.0-dev+exp,true,user,user.email,keyword,extended,,,User email address. +8.9.0-dev+exp,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.9.0-dev+exp,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.9.0-dev+exp,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.9.0-dev+exp,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev+exp,true,user,user.group.name,keyword,extended,,,Name of the group. +8.9.0-dev+exp,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.9.0-dev+exp,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev+exp,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.9.0-dev+exp,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. 
+8.9.0-dev+exp,true,user,user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.9.0-dev+exp,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.9.0-dev+exp,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.9.0-dev+exp,true,user,user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +8.9.0-dev+exp,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.9.0-dev+exp,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. +8.9.0-dev+exp,true,user,user.target.email,keyword,extended,,,User email address. +8.9.0-dev+exp,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.9.0-dev+exp,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.9.0-dev+exp,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.9.0-dev+exp,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev+exp,true,user,user.target.group.name,keyword,extended,,,Name of the group. +8.9.0-dev+exp,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.9.0-dev+exp,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev+exp,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. 
+8.9.0-dev+exp,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.9.0-dev+exp,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. +8.9.0-dev+exp,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. +8.9.0-dev+exp,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +8.9.0-dev+exp,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +8.9.0-dev+exp,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +8.9.0-dev+exp,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.9.0-dev+exp,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.9.0-dev+exp,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +8.9.0-dev+exp,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +8.9.0-dev+exp,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +8.9.0-dev+exp,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." 
+8.9.0-dev+exp,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +8.9.0-dev+exp,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +8.9.0-dev+exp,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. +8.9.0-dev+exp,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. +8.9.0-dev+exp,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. +8.9.0-dev+exp,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +8.9.0-dev+exp,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +8.9.0-dev+exp,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. +8.9.0-dev+exp,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. +8.9.0-dev+exp,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. +8.9.0-dev+exp,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. +8.9.0-dev+exp,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. +8.9.0-dev+exp,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. +8.9.0-dev+exp,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. +8.9.0-dev+exp,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. 
+8.9.0-dev+exp,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. +8.9.0-dev+exp,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. diff --git a/experimental/generated/elasticsearch/composable/component/agent.json b/experimental/generated/elasticsearch/composable/component/agent.json index e52b67ec44..400335649b 100644 --- a/experimental/generated/elasticsearch/composable/component/agent.json +++ b/experimental/generated/elasticsearch/composable/component/agent.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/base.json b/experimental/generated/elasticsearch/composable/component/base.json index eb246c9ef7..c42f7bf007 100644 --- a/experimental/generated/elasticsearch/composable/component/base.json +++ b/experimental/generated/elasticsearch/composable/component/base.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/cgroup.json b/experimental/generated/elasticsearch/composable/component/cgroup.json index 3aa21fad23..d764321de9 100644 --- a/experimental/generated/elasticsearch/composable/component/cgroup.json +++ b/experimental/generated/elasticsearch/composable/component/cgroup.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cgroup.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/client.json b/experimental/generated/elasticsearch/composable/component/client.json index df38ab9509..ff1fd3e8bb 100644 --- a/experimental/generated/elasticsearch/composable/component/client.json +++ b/experimental/generated/elasticsearch/composable/component/client.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/cloud.json b/experimental/generated/elasticsearch/composable/component/cloud.json index eef6083f19..076f971d31 100644 --- a/experimental/generated/elasticsearch/composable/component/cloud.json +++ b/experimental/generated/elasticsearch/composable/component/cloud.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cloud.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/container.json b/experimental/generated/elasticsearch/composable/component/container.json index f4fb7438fd..0ac4eac808 100644 --- a/experimental/generated/elasticsearch/composable/component/container.json +++ b/experimental/generated/elasticsearch/composable/component/container.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-container.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/data_stream.json b/experimental/generated/elasticsearch/composable/component/data_stream.json index 55ba0a77bf..8a41e1b0ea 100644 --- a/experimental/generated/elasticsearch/composable/component/data_stream.json 
+++ b/experimental/generated/elasticsearch/composable/component/data_stream.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-data_stream.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/destination.json b/experimental/generated/elasticsearch/composable/component/destination.json index a910cfbb91..90158fd329 100644 --- a/experimental/generated/elasticsearch/composable/component/destination.json +++ b/experimental/generated/elasticsearch/composable/component/destination.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/device.json b/experimental/generated/elasticsearch/composable/component/device.json index 2a25ea990b..b951610169 100644 --- a/experimental/generated/elasticsearch/composable/component/device.json +++ b/experimental/generated/elasticsearch/composable/component/device.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-device.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/dll.json b/experimental/generated/elasticsearch/composable/component/dll.json index 5f7b494ded..efdf45bf8f 100644 --- a/experimental/generated/elasticsearch/composable/component/dll.json +++ b/experimental/generated/elasticsearch/composable/component/dll.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dll.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/dns.json b/experimental/generated/elasticsearch/composable/component/dns.json index 2c9fe7749e..153b7ff22b 100644 --- a/experimental/generated/elasticsearch/composable/component/dns.json +++ b/experimental/generated/elasticsearch/composable/component/dns.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/ecs.json b/experimental/generated/elasticsearch/composable/component/ecs.json index c2fee4a8eb..945b28116c 100644 --- a/experimental/generated/elasticsearch/composable/component/ecs.json +++ b/experimental/generated/elasticsearch/composable/component/ecs.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/email.json b/experimental/generated/elasticsearch/composable/component/email.json index b9ed2f5bf7..7cea6cb835 100644 --- a/experimental/generated/elasticsearch/composable/component/email.json +++ b/experimental/generated/elasticsearch/composable/component/email.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-email.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/error.json b/experimental/generated/elasticsearch/composable/component/error.json index fee88de784..e6621ceecb 100644 --- a/experimental/generated/elasticsearch/composable/component/error.json +++ b/experimental/generated/elasticsearch/composable/component/error.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-error.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/event.json b/experimental/generated/elasticsearch/composable/component/event.json index 385a7bffe9..7859fe68fc 100644 --- a/experimental/generated/elasticsearch/composable/component/event.json +++ b/experimental/generated/elasticsearch/composable/component/event.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/faas.json b/experimental/generated/elasticsearch/composable/component/faas.json index cc3e8a54d0..f4910103f1 100644 --- a/experimental/generated/elasticsearch/composable/component/faas.json +++ b/experimental/generated/elasticsearch/composable/component/faas.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-faas.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/file.json b/experimental/generated/elasticsearch/composable/component/file.json index 52a0993bab..c7f12b791c 100644 --- a/experimental/generated/elasticsearch/composable/component/file.json +++ b/experimental/generated/elasticsearch/composable/component/file.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/group.json b/experimental/generated/elasticsearch/composable/component/group.json index 59f118394a..e571b8fd56 100644 --- a/experimental/generated/elasticsearch/composable/component/group.json +++ b/experimental/generated/elasticsearch/composable/component/group.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-group.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/host.json b/experimental/generated/elasticsearch/composable/component/host.json index d6004161fc..9805c27de9 100644 --- a/experimental/generated/elasticsearch/composable/component/host.json +++ b/experimental/generated/elasticsearch/composable/component/host.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/http.json b/experimental/generated/elasticsearch/composable/component/http.json index eaebc7d394..57a5ab6d0e 100644 --- a/experimental/generated/elasticsearch/composable/component/http.json +++ b/experimental/generated/elasticsearch/composable/component/http.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/log.json b/experimental/generated/elasticsearch/composable/component/log.json index 568b809190..59944d63e1 100644 --- a/experimental/generated/elasticsearch/composable/component/log.json +++ b/experimental/generated/elasticsearch/composable/component/log.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/network.json b/experimental/generated/elasticsearch/composable/component/network.json index 0a4778d232..0bae4a2e61 100644 --- a/experimental/generated/elasticsearch/composable/component/network.json +++ b/experimental/generated/elasticsearch/composable/component/network.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/observer.json b/experimental/generated/elasticsearch/composable/component/observer.json index e4ae0fd566..0c5e3a9df4 100644 --- a/experimental/generated/elasticsearch/composable/component/observer.json +++ b/experimental/generated/elasticsearch/composable/component/observer.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/orchestrator.json b/experimental/generated/elasticsearch/composable/component/orchestrator.json index 60bdac6c72..d4a15c9456 100644 --- a/experimental/generated/elasticsearch/composable/component/orchestrator.json +++ b/experimental/generated/elasticsearch/composable/component/orchestrator.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-orchestrator.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/organization.json b/experimental/generated/elasticsearch/composable/component/organization.json index 0e60476ea0..c3a52d21ab 100644 --- a/experimental/generated/elasticsearch/composable/component/organization.json +++ b/experimental/generated/elasticsearch/composable/component/organization.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-organization.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/package.json b/experimental/generated/elasticsearch/composable/component/package.json index 5422c0eb77..d20fbdff5f 100644 --- a/experimental/generated/elasticsearch/composable/component/package.json +++ b/experimental/generated/elasticsearch/composable/component/package.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-package.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/process.json b/experimental/generated/elasticsearch/composable/component/process.json index ef143c5723..00c0d8dcce 100644 --- a/experimental/generated/elasticsearch/composable/component/process.json +++ b/experimental/generated/elasticsearch/composable/component/process.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/registry.json b/experimental/generated/elasticsearch/composable/component/registry.json index 758ed88085..cc4b0bd5e3 100644 --- a/experimental/generated/elasticsearch/composable/component/registry.json 
+++ b/experimental/generated/elasticsearch/composable/component/registry.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-registry.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/related.json b/experimental/generated/elasticsearch/composable/component/related.json index 3a340e2069..de13d8aef8 100644 --- a/experimental/generated/elasticsearch/composable/component/related.json +++ b/experimental/generated/elasticsearch/composable/component/related.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-related.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/rule.json b/experimental/generated/elasticsearch/composable/component/rule.json index 9d13e275f0..c40dd66416 100644 --- a/experimental/generated/elasticsearch/composable/component/rule.json +++ b/experimental/generated/elasticsearch/composable/component/rule.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/server.json b/experimental/generated/elasticsearch/composable/component/server.json index d8488a404c..2ceda6687b 100644 --- a/experimental/generated/elasticsearch/composable/component/server.json +++ b/experimental/generated/elasticsearch/composable/component/server.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/service.json b/experimental/generated/elasticsearch/composable/component/service.json index 4317fd42f3..88d85c58a1 100644 --- a/experimental/generated/elasticsearch/composable/component/service.json +++ b/experimental/generated/elasticsearch/composable/component/service.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/source.json b/experimental/generated/elasticsearch/composable/component/source.json index 35ec5f5ddd..225cecfff5 100644 --- a/experimental/generated/elasticsearch/composable/component/source.json +++ b/experimental/generated/elasticsearch/composable/component/source.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/threat.json b/experimental/generated/elasticsearch/composable/component/threat.json index e5ac8003ff..d15aa1186f 100644 --- a/experimental/generated/elasticsearch/composable/component/threat.json +++ b/experimental/generated/elasticsearch/composable/component/threat.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-threat.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/tls.json b/experimental/generated/elasticsearch/composable/component/tls.json index 987dedd026..40008b12b4 100644 --- a/experimental/generated/elasticsearch/composable/component/tls.json +++ b/experimental/generated/elasticsearch/composable/component/tls.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tls.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/tracing.json b/experimental/generated/elasticsearch/composable/component/tracing.json index 74cebfc103..f0ccf8d906 100644 --- a/experimental/generated/elasticsearch/composable/component/tracing.json +++ b/experimental/generated/elasticsearch/composable/component/tracing.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tracing.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/url.json b/experimental/generated/elasticsearch/composable/component/url.json index 360f97cfdc..a1b0e899ab 100644 --- a/experimental/generated/elasticsearch/composable/component/url.json +++ b/experimental/generated/elasticsearch/composable/component/url.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/user.json b/experimental/generated/elasticsearch/composable/component/user.json index e34644ca9a..79f572a641 100644 --- a/experimental/generated/elasticsearch/composable/component/user.json +++ b/experimental/generated/elasticsearch/composable/component/user.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/user_agent.json b/experimental/generated/elasticsearch/composable/component/user_agent.json index 20a9f5c9e8..af7a0ea9e9 100644 --- a/experimental/generated/elasticsearch/composable/component/user_agent.json +++ b/experimental/generated/elasticsearch/composable/component/user_agent.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/vulnerability.json b/experimental/generated/elasticsearch/composable/component/vulnerability.json index 855879710c..f522d8de43 100644 --- a/experimental/generated/elasticsearch/composable/component/vulnerability.json +++ b/experimental/generated/elasticsearch/composable/component/vulnerability.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/template.json b/experimental/generated/elasticsearch/composable/template.json index e99d177dfd..fcd1ba5dc4 100644 --- a/experimental/generated/elasticsearch/composable/template.json +++ b/experimental/generated/elasticsearch/composable/template.json 
@@ -1,49 +1,49 @@ { "_meta": { "description": "Sample composable template that includes all ECS fields", - "ecs_version": "8.8.0-dev+exp" + "ecs_version": "8.9.0-dev+exp" }, "composed_of": [ - "ecs_8.8.0-dev-exp_cgroup", - "ecs_8.8.0-dev-exp_base", - "ecs_8.8.0-dev-exp_agent", - "ecs_8.8.0-dev-exp_client", - "ecs_8.8.0-dev-exp_cloud", - "ecs_8.8.0-dev-exp_container", - "ecs_8.8.0-dev-exp_data_stream", - "ecs_8.8.0-dev-exp_destination", - "ecs_8.8.0-dev-exp_device", - "ecs_8.8.0-dev-exp_dll", - "ecs_8.8.0-dev-exp_dns", - "ecs_8.8.0-dev-exp_ecs", - "ecs_8.8.0-dev-exp_email", - "ecs_8.8.0-dev-exp_error", - "ecs_8.8.0-dev-exp_event", - "ecs_8.8.0-dev-exp_faas", - "ecs_8.8.0-dev-exp_file", - "ecs_8.8.0-dev-exp_group", - "ecs_8.8.0-dev-exp_host", - "ecs_8.8.0-dev-exp_http", - "ecs_8.8.0-dev-exp_log", - "ecs_8.8.0-dev-exp_network", - "ecs_8.8.0-dev-exp_observer", - "ecs_8.8.0-dev-exp_orchestrator", - "ecs_8.8.0-dev-exp_organization", - "ecs_8.8.0-dev-exp_package", - "ecs_8.8.0-dev-exp_process", - "ecs_8.8.0-dev-exp_registry", - "ecs_8.8.0-dev-exp_related", - "ecs_8.8.0-dev-exp_rule", - "ecs_8.8.0-dev-exp_server", - "ecs_8.8.0-dev-exp_service", - "ecs_8.8.0-dev-exp_source", - "ecs_8.8.0-dev-exp_threat", - "ecs_8.8.0-dev-exp_tls", - "ecs_8.8.0-dev-exp_tracing", - "ecs_8.8.0-dev-exp_url", - "ecs_8.8.0-dev-exp_user_agent", - "ecs_8.8.0-dev-exp_user", - "ecs_8.8.0-dev-exp_vulnerability" + "ecs_8.9.0-dev-exp_cgroup", + "ecs_8.9.0-dev-exp_base", + "ecs_8.9.0-dev-exp_agent", + "ecs_8.9.0-dev-exp_client", + "ecs_8.9.0-dev-exp_cloud", + "ecs_8.9.0-dev-exp_container", + "ecs_8.9.0-dev-exp_data_stream", + "ecs_8.9.0-dev-exp_destination", + "ecs_8.9.0-dev-exp_device", + "ecs_8.9.0-dev-exp_dll", + "ecs_8.9.0-dev-exp_dns", + "ecs_8.9.0-dev-exp_ecs", + "ecs_8.9.0-dev-exp_email", + "ecs_8.9.0-dev-exp_error", + "ecs_8.9.0-dev-exp_event", + "ecs_8.9.0-dev-exp_faas", + "ecs_8.9.0-dev-exp_file", + "ecs_8.9.0-dev-exp_group", + "ecs_8.9.0-dev-exp_host", + "ecs_8.9.0-dev-exp_http", + 
"ecs_8.9.0-dev-exp_log", + "ecs_8.9.0-dev-exp_network", + "ecs_8.9.0-dev-exp_observer", + "ecs_8.9.0-dev-exp_orchestrator", + "ecs_8.9.0-dev-exp_organization", + "ecs_8.9.0-dev-exp_package", + "ecs_8.9.0-dev-exp_process", + "ecs_8.9.0-dev-exp_registry", + "ecs_8.9.0-dev-exp_related", + "ecs_8.9.0-dev-exp_rule", + "ecs_8.9.0-dev-exp_server", + "ecs_8.9.0-dev-exp_service", + "ecs_8.9.0-dev-exp_source", + "ecs_8.9.0-dev-exp_threat", + "ecs_8.9.0-dev-exp_tls", + "ecs_8.9.0-dev-exp_tracing", + "ecs_8.9.0-dev-exp_url", + "ecs_8.9.0-dev-exp_user_agent", + "ecs_8.9.0-dev-exp_user", + "ecs_8.9.0-dev-exp_vulnerability" ], "index_patterns": [ "try-ecs-*" diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index 77464c3831..4d6e6c25a0 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -4,7 +4,7 @@ ], "mappings": { "_meta": { - "version": "8.8.0-dev+exp" + "version": "8.9.0-dev+exp" }, "date_detection": false, "dynamic_templates": [ diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 4c977c8c3a..464ffaf05d 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -1,5 +1,5 @@ # WARNING! Do not edit this file directly, it was generated by the ECS project, -# based on ECS version 8.8.0-dev. +# based on ECS version 8.9.0-dev. # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields. - key: ecs diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 52d2ced1df..c054bd227b 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
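Review bot: none of these hunks touch the source the generator reads for the version string, so confirm the bump to `8.9.0-dev+exp` was produced by re-running the generator rather than by editing the outputs by hand, as the `# WARNING! Do not edit this file directly, it was generated by the ECS project` header in the `generated/beats/fields.ecs.yml` hunk requires; a hand-edited artifact would be silently overwritten on the next generation run. In the composable `template.json` hunk the `_meta.ecs_version` value `8.9.0-dev+exp` and every `composed_of` entry (`ecs_8.9.0-dev-exp_*`, with the `+` rendered as `-` exactly as the previous `ecs_8.8.0-dev-exp_*` names did) moved in step, and the legacy `template.json` `_meta.version` matches, so the regenerated set is internally consistent and no component template is referenced under a stale name.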
@@ -1,1732 +1,1732 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description -8.8.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. -8.8.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. -8.8.0-dev,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer. -8.8.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. -8.8.0-dev,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. -8.8.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. -8.8.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. -8.8.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. -8.8.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. -8.8.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. -8.8.0-dev,true,client,client.address,keyword,extended,,,Client network address. -8.8.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.8.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.8.0-dev,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.8.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. -8.8.0-dev,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client. -8.8.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name. -8.8.0-dev,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. 
-8.8.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. -8.8.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.8.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name. -8.8.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.8.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.8.0-dev,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. -8.8.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.8.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. -8.8.0-dev,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.8.0-dev,true,client,client.ip,ip,core,,,IP address of the client. -8.8.0-dev,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. -8.8.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address -8.8.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port -8.8.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. -8.8.0-dev,true,client,client.port,long,core,,,Port of the client. -8.8.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." -8.8.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. -8.8.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.8.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.8.0-dev,true,client,client.user.email,keyword,extended,,,User email address. -8.8.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
-8.8.0-dev,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.8.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.8.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group. -8.8.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.8.0-dev,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.8.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. -8.8.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. -8.8.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -8.8.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -8.8.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. -8.8.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.8.0-dev,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. -8.8.0-dev,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. 
-8.8.0-dev,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -8.8.0-dev,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -8.8.0-dev,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine. -8.8.0-dev,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.8.0-dev,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id. -8.8.0-dev,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name. -8.8.0-dev,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider. -8.8.0-dev,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -8.8.0-dev,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name. -8.8.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. -8.8.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. -8.8.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. -8.8.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -8.8.0-dev,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. -8.8.0-dev,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id. -8.8.0-dev,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name. -8.8.0-dev,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -8.8.0-dev,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. 
-8.8.0-dev,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine. -8.8.0-dev,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.8.0-dev,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id. -8.8.0-dev,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name. -8.8.0-dev,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider. -8.8.0-dev,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -8.8.0-dev,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name. -8.8.0-dev,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -8.8.0-dev,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -8.8.0-dev,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -8.8.0-dev,true,container,container.id,keyword,core,,,Unique container id. -8.8.0-dev,true,container,container.image.hash.all,keyword,extended,array,[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26],An array of digests of the image the container was built on. -8.8.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. -8.8.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags. -8.8.0-dev,true,container,container.labels,object,extended,,,Image labels. -8.8.0-dev,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1." -8.8.0-dev,true,container,container.name,keyword,extended,,,Container name. -8.8.0-dev,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. 
-8.8.0-dev,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -8.8.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. -8.8.0-dev,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. -8.8.0-dev,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. -8.8.0-dev,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. -8.8.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address. -8.8.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.8.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.8.0-dev,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.8.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. -8.8.0-dev,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination. -8.8.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. -8.8.0-dev,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. -8.8.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. -8.8.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.8.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. -8.8.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
-8.8.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.8.0-dev,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. -8.8.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.8.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. -8.8.0-dev,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.8.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. -8.8.0-dev,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. -8.8.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip -8.8.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port -8.8.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. -8.8.0-dev,true,destination,destination.port,long,core,,,Port of the destination. -8.8.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." -8.8.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. -8.8.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.8.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.8.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address. -8.8.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.8.0-dev,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
-8.8.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.8.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. -8.8.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.8.0-dev,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.8.0-dev,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. -8.8.0-dev,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. -8.8.0-dev,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. -8.8.0-dev,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. -8.8.0-dev,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.8.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.8.0-dev,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 
-8.8.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.8.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.8.0-dev,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.8.0-dev,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.8.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.8.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.8.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. -8.8.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. -8.8.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. -8.8.0-dev,true,dll,dll.hash.sha384,keyword,extended,,,SHA384 hash. -8.8.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. -8.8.0-dev,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.8.0-dev,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. -8.8.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. -8.8.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. -8.8.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.8.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.8.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.8.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 
-8.8.0-dev,true,dll,dll.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.8.0-dev,true,dll,dll.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.8.0-dev,true,dll,dll.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.8.0-dev,true,dll,dll.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.8.0-dev,true,dll,dll.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.8.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.8.0-dev,true,dll,dll.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.8.0-dev,true,dll,dll.pe.imports,flattened,extended,array,,List of imported element names and types. -8.8.0-dev,true,dll,dll.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev,true,dll,dll.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.8.0-dev,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.8.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.8.0-dev,true,dll,dll.pe.sections,nested,extended,array,,Section information of the PE file. -8.8.0-dev,true,dll,dll.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. 
-8.8.0-dev,true,dll,dll.pe.sections.name,keyword,extended,,,PE Section List name. -8.8.0-dev,true,dll,dll.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.8.0-dev,true,dll,dll.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.8.0-dev,true,dll,dll.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.8.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. -8.8.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. -8.8.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. -8.8.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. -8.8.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. -8.8.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. -8.8.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. -8.8.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. -8.8.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. -8.8.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. -8.8.0-dev,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. -8.8.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." -8.8.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. 
-8.8.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.8.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. -8.8.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data -8.8.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. -8.8.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." -8.8.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. -8.8.0-dev,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. -8.8.0-dev,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. -8.8.0-dev,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. -8.8.0-dev,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.8.0-dev,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.8.0-dev,true,email,email.attachments.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.8.0-dev,true,email,email.attachments.file.hash.sha512,keyword,extended,,,SHA512 hash. -8.8.0-dev,true,email,email.attachments.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.8.0-dev,true,email,email.attachments.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.8.0-dev,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file. -8.8.0-dev,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file. -8.8.0-dev,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size. 
-8.8.0-dev,true,email,email.bcc.address,keyword,extended,array,bcc.user1@example.com,Email address of BCC recipient -8.8.0-dev,true,email,email.cc.address,keyword,extended,array,cc.user1@example.com,Email address of CC recipient -8.8.0-dev,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message. -8.8.0-dev,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered. -8.8.0-dev,true,email,email.direction,keyword,extended,,inbound,Direction of the message. -8.8.0-dev,true,email,email.from.address,keyword,extended,array,sender@example.com,The sender's email address. -8.8.0-dev,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source. -8.8.0-dev,true,email,email.message_id,wildcard,extended,,81ce15$8r2j59@mail01.example.com,Value from the Message-ID header. -8.8.0-dev,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed. -8.8.0-dev,true,email,email.reply_to.address,keyword,extended,array,reply.here@example.com,Address replies should be delivered to. -8.8.0-dev,true,email,email.sender.address,keyword,extended,,,Address of the message sender. -8.8.0-dev,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message. -8.8.0-dev,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. -8.8.0-dev,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient -8.8.0-dev,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. -8.8.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. -8.8.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. -8.8.0-dev,true,error,error.message,match_only_text,core,,,Error message. 
-8.8.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. -8.8.0-dev,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text. -8.8.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." -8.8.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. -8.8.0-dev,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. -8.8.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. -8.8.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event. -8.8.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. -8.8.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. -8.8.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. -8.8.0-dev,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. -8.8.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. -8.8.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. -8.8.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. -8.8.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. -8.8.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. 
-8.8.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. -8.8.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. -8.8.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. -8.8.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" -8.8.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL -8.8.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. -8.8.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). -8.8.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event. -8.8.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event. -8.8.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. -8.8.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone. -8.8.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. -8.8.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL -8.8.0-dev,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function. -8.8.0-dev,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. 
-8.8.0-dev,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. -8.8.0-dev,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. -8.8.0-dev,true,faas,faas.trigger,nested,extended,,,Details about the function trigger. -8.8.0-dev,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." -8.8.0-dev,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. -8.8.0-dev,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. -8.8.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. -8.8.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.8.0-dev,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.8.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.8.0-dev,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.8.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.8.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.8.0-dev,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.8.0-dev,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.8.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 
-8.8.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.8.0-dev,true,file,file.created,date,extended,,,File creation time. -8.8.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.8.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. -8.8.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.8.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.8.0-dev,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.8.0-dev,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.8.0-dev,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.8.0-dev,true,file,file.elf.creation_date,date,extended,,,Build or compile date. -8.8.0-dev,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.8.0-dev,true,file,file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.8.0-dev,true,file,file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.8.0-dev,true,file,file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.8.0-dev,true,file,file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.8.0-dev,true,file,file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.8.0-dev,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.8.0-dev,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. 
-8.8.0-dev,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.8.0-dev,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.8.0-dev,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.8.0-dev,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.8.0-dev,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.8.0-dev,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.8.0-dev,true,file,file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.8.0-dev,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. -8.8.0-dev,true,file,file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev,true,file,file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. -8.8.0-dev,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.8.0-dev,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.8.0-dev,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.8.0-dev,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.8.0-dev,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.8.0-dev,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.8.0-dev,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. 
-8.8.0-dev,true,file,file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.8.0-dev,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.8.0-dev,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.8.0-dev,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. -8.8.0-dev,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.8.0-dev,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.8.0-dev,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.8.0-dev,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.8.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.8.0-dev,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.8.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.8.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. -8.8.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. -8.8.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. -8.8.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. -8.8.0-dev,true,file,file.hash.sha384,keyword,extended,,,SHA384 hash. -8.8.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. -8.8.0-dev,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.8.0-dev,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. -8.8.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.8.0-dev,true,file,file.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. 
-8.8.0-dev,true,file,file.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.8.0-dev,true,file,file.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.8.0-dev,true,file,file.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.8.0-dev,true,file,file.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.8.0-dev,true,file,file.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -8.8.0-dev,true,file,file.macho.imports,flattened,extended,array,,List of imported element names and types. -8.8.0-dev,true,file,file.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev,true,file,file.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev,true,file,file.macho.sections,nested,extended,array,,Section information of the Mach-O file. -8.8.0-dev,true,file,file.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.8.0-dev,true,file,file.macho.sections.name,keyword,extended,,,Mach-O Section List name. -8.8.0-dev,true,file,file.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -8.8.0-dev,true,file,file.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.8.0-dev,true,file,file.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -8.8.0-dev,true,file,file.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. 
-8.8.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.8.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. -8.8.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified. -8.8.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.8.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username. -8.8.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.8.0-dev,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.8.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.8.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.8.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.8.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.8.0-dev,true,file,file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.8.0-dev,true,file,file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.8.0-dev,true,file,file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.8.0-dev,true,file,file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.8.0-dev,true,file,file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.8.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. 
-8.8.0-dev,true,file,file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.8.0-dev,true,file,file.pe.imports,flattened,extended,array,,List of imported element names and types. -8.8.0-dev,true,file,file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev,true,file,file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.8.0-dev,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.8.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.8.0-dev,true,file,file.pe.sections,nested,extended,array,,Section information of the PE file. -8.8.0-dev,true,file,file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.8.0-dev,true,file,file.pe.sections.name,keyword,extended,,,PE Section List name. -8.8.0-dev,true,file,file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.8.0-dev,true,file,file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.8.0-dev,true,file,file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.8.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. -8.8.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks. -8.8.0-dev,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.8.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." 
-8.8.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.8.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.8.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.8.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.8.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.8.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.8.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.8.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.8.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.8.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.8.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.8.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.8.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.8.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. 
-8.8.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.8.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.8.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.8.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.8.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.8.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.8.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.8.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.8.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.8.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.8.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.8.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.8.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev,true,group,group.name,keyword,extended,,,Name of the group. -8.8.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. 
-8.8.0-dev,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id -8.8.0-dev,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -8.8.0-dev,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -8.8.0-dev,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -8.8.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. -8.8.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name. -8.8.0-dev,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. -8.8.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. -8.8.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.8.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name. -8.8.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.8.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.8.0-dev,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. -8.8.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.8.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. -8.8.0-dev,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.8.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host. -8.8.0-dev,true,host,host.id,keyword,core,,,Unique host id. -8.8.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. -8.8.0-dev,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. -8.8.0-dev,true,host,host.name,keyword,core,,,Name of the host. 
-8.8.0-dev,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. -8.8.0-dev,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. -8.8.0-dev,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -8.8.0-dev,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. -8.8.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.8.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.8.0-dev,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.8.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -8.8.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.8.0-dev,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.8.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.8.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -8.8.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.8.0-dev,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode -8.8.0-dev,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
-8.8.0-dev,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.8.0-dev,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.8.0-dev,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.8.0-dev,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.8.0-dev,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -8.8.0-dev,true,host,host.type,keyword,core,,,Type of host. -8.8.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. -8.8.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. -8.8.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. -8.8.0-dev,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body. -8.8.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). -8.8.0-dev,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. -8.8.0-dev,true,http,http.request.method,keyword,extended,,POST,HTTP request method. -8.8.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. -8.8.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. -8.8.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. 
-8.8.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. -8.8.0-dev,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body. -8.8.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). -8.8.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. -8.8.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code. -8.8.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version. -8.8.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. -8.8.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event. -8.8.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. -8.8.0-dev,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event. -8.8.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. -8.8.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. -8.8.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata -8.8.0-dev,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. -8.8.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. -8.8.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. -8.8.0-dev,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. -8.8.0-dev,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. -8.8.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. 
-8.8.0-dev,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. -8.8.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. -8.8.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. -8.8.0-dev,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages. -8.8.0-dev,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. -8.8.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name. -8.8.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. -8.8.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. -8.8.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. -8.8.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. -8.8.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. -8.8.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information -8.8.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.8.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.8.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. -8.8.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions. -8.8.0-dev,true,network,network.protocol,keyword,core,,http,Application protocol name. -8.8.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. 
-8.8.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" -8.8.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.8.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.8.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information -8.8.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias -8.8.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID -8.8.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name -8.8.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.8.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.8.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone -8.8.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. -8.8.0-dev,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. -8.8.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. -8.8.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.8.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. -8.8.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.8.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.8.0-dev,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. -8.8.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 
-8.8.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. -8.8.0-dev,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.8.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. -8.8.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information -8.8.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias -8.8.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID -8.8.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name -8.8.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.8.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.8.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone -8.8.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. -8.8.0-dev,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. -8.8.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. -8.8.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.8.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.8.0-dev,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.8.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -8.8.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." 
-8.8.0-dev,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.8.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.8.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -8.8.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.8.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. -8.8.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. -8.8.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. -8.8.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. -8.8.0-dev,true,observer,observer.version,keyword,core,,,Observer version. -8.8.0-dev,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action -8.8.0-dev,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster. -8.8.0-dev,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster. -8.8.0-dev,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster. -8.8.0-dev,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. -8.8.0-dev,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. -8.8.0-dev,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). -8.8.0-dev,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. 
-8.8.0-dev,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. -8.8.0-dev,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. -8.8.0-dev,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. -8.8.0-dev,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. -8.8.0-dev,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)." -8.8.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. -8.8.0-dev,true,organization,organization.name,keyword,extended,,,Organization name. -8.8.0-dev,true,organization,organization.name.text,match_only_text,extended,,,Organization name. -8.8.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. -8.8.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information -8.8.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. -8.8.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. -8.8.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." -8.8.0-dev,true,package,package.installed,date,extended,,,Time when package was installed. 
-8.8.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license -8.8.0-dev,true,package,package.name,keyword,extended,,go,Package name -8.8.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. -8.8.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL -8.8.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes. -8.8.0-dev,true,package,package.type,keyword,extended,,rpm,Package type -8.8.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version -8.8.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.8.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. -8.8.0-dev,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.8.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.8.0-dev,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.8.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.8.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.8.0-dev,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.8.0-dev,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.8.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 
-8.8.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.8.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.8.0-dev,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.8.0-dev,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.8.0-dev,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.8.0-dev,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.8.0-dev,true,process,process.elf.creation_date,date,extended,,,Build or compile date. -8.8.0-dev,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. -8.8.0-dev,true,process,process.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.8.0-dev,true,process,process.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.8.0-dev,true,process,process.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.8.0-dev,true,process,process.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.8.0-dev,true,process,process.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.8.0-dev,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.8.0-dev,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.8.0-dev,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. 
-8.8.0-dev,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.8.0-dev,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.8.0-dev,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.8.0-dev,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.8.0-dev,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. -8.8.0-dev,true,process,process.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.8.0-dev,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. -8.8.0-dev,true,process,process.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev,true,process,process.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. -8.8.0-dev,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.8.0-dev,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.8.0-dev,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.8.0-dev,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. -8.8.0-dev,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.8.0-dev,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.8.0-dev,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. 
-8.8.0-dev,true,process,process.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.8.0-dev,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.8.0-dev,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.8.0-dev,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. -8.8.0-dev,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.8.0-dev,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. -8.8.0-dev,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.8.0-dev,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.8.0-dev,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -8.8.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.8.0-dev,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.8.0-dev,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. -8.8.0-dev,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group. -8.8.0-dev,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,process,process.entry_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
-8.8.0-dev,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.8.0-dev,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.8.0-dev,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.8.0-dev,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. -8.8.0-dev,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. -8.8.0-dev,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.8.0-dev,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.8.0-dev,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. -8.8.0-dev,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.8.0-dev,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. -8.8.0-dev,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. -8.8.0-dev,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.8.0-dev,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. -8.8.0-dev,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.8.0-dev,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. 
-8.8.0-dev,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.8.0-dev,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.8.0-dev,true,process,process.entry_leader.pid,long,core,,4242,Process id. -8.8.0-dev,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. -8.8.0-dev,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -8.8.0-dev,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. -8.8.0-dev,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 
-8.8.0-dev,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.8.0-dev,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. -8.8.0-dev,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.8.0-dev,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.8.0-dev,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.8.0-dev,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.8.0-dev,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. -8.8.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.8.0-dev,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.8.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. -8.8.0-dev,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 
-8.8.0-dev,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. -8.8.0-dev,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.8.0-dev,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.8.0-dev,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.8.0-dev,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.8.0-dev,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.8.0-dev,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. -8.8.0-dev,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.8.0-dev,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. -8.8.0-dev,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. -8.8.0-dev,true,process,process.group_leader.pid,long,core,,4242,Process id. -8.8.0-dev,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. -8.8.0-dev,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. 
-8.8.0-dev,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -8.8.0-dev,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. -8.8.0-dev,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.8.0-dev,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.8.0-dev,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. -8.8.0-dev,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.8.0-dev,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.8.0-dev,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. 
-8.8.0-dev,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.8.0-dev,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.8.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. -8.8.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. -8.8.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. -8.8.0-dev,true,process,process.hash.sha384,keyword,extended,,,SHA384 hash. -8.8.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. -8.8.0-dev,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.8.0-dev,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. -8.8.0-dev,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.8.0-dev,true,process,process.io,object,extended,,,A chunk of input or output (IO) from a single process. -8.8.0-dev,true,process,process.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. -8.8.0-dev,true,process,process.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. -8.8.0-dev,true,process,process.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. -8.8.0-dev,true,process,process.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." -8.8.0-dev,true,process,process.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. 
-8.8.0-dev,true,process,process.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. -8.8.0-dev,true,process,process.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. -8.8.0-dev,true,process,process.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. -8.8.0-dev,true,process,process.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -8.8.0-dev,true,process,process.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.8.0-dev,true,process,process.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.8.0-dev,true,process,process.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.8.0-dev,true,process,process.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.8.0-dev,true,process,process.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -8.8.0-dev,true,process,process.macho.imports,flattened,extended,array,,List of imported element names and types. -8.8.0-dev,true,process,process.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev,true,process,process.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev,true,process,process.macho.sections,nested,extended,array,,Section information of the Mach-O file. -8.8.0-dev,true,process,process.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. 
-8.8.0-dev,true,process,process.macho.sections.name,keyword,extended,,,Mach-O Section List name. -8.8.0-dev,true,process,process.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -8.8.0-dev,true,process,process.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.8.0-dev,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -8.8.0-dev,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -8.8.0-dev,true,process,process.name,keyword,extended,,ssh,Process name. -8.8.0-dev,true,process,process.name.text,match_only_text,extended,,ssh,Process name. -8.8.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.8.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. -8.8.0-dev,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.8.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.8.0-dev,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.8.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.8.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.8.0-dev,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 
-8.8.0-dev,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.8.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.8.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.8.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.8.0-dev,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.8.0-dev,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.8.0-dev,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.8.0-dev,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.8.0-dev,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. -8.8.0-dev,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. -8.8.0-dev,true,process,process.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.8.0-dev,true,process,process.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.8.0-dev,true,process,process.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.8.0-dev,true,process,process.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 
-8.8.0-dev,true,process,process.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.8.0-dev,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.8.0-dev,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.8.0-dev,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.8.0-dev,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.8.0-dev,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.8.0-dev,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.8.0-dev,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.8.0-dev,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. -8.8.0-dev,true,process,process.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.8.0-dev,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. -8.8.0-dev,true,process,process.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev,true,process,process.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. -8.8.0-dev,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. 
-8.8.0-dev,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.8.0-dev,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.8.0-dev,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. -8.8.0-dev,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.8.0-dev,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.8.0-dev,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. -8.8.0-dev,true,process,process.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.8.0-dev,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.8.0-dev,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.8.0-dev,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. -8.8.0-dev,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.8.0-dev,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. -8.8.0-dev,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.8.0-dev,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.8.0-dev,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -8.8.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.8.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 
-8.8.0-dev,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.8.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. -8.8.0-dev,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev,true,process,process.parent.group.name,keyword,extended,,,Name of the group. -8.8.0-dev,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.8.0-dev,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. -8.8.0-dev,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.8.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. -8.8.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. -8.8.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. -8.8.0-dev,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash. -8.8.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. -8.8.0-dev,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.8.0-dev,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. -8.8.0-dev,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.8.0-dev,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -8.8.0-dev,true,process,process.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.8.0-dev,true,process,process.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
-8.8.0-dev,true,process,process.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.8.0-dev,true,process,process.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.8.0-dev,true,process,process.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -8.8.0-dev,true,process,process.parent.macho.imports,flattened,extended,array,,List of imported element names and types. -8.8.0-dev,true,process,process.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev,true,process,process.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev,true,process,process.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file. -8.8.0-dev,true,process,process.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.8.0-dev,true,process,process.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name. -8.8.0-dev,true,process,process.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -8.8.0-dev,true,process,process.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.8.0-dev,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -8.8.0-dev,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -8.8.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name. -8.8.0-dev,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. 
-8.8.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.8.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.8.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.8.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.8.0-dev,true,process,process.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.8.0-dev,true,process,process.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.8.0-dev,true,process,process.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.8.0-dev,true,process,process.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.8.0-dev,true,process,process.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.8.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.8.0-dev,true,process,process.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.8.0-dev,true,process,process.parent.pe.imports,flattened,extended,array,,List of imported element names and types. -8.8.0-dev,true,process,process.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev,true,process,process.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
-8.8.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.8.0-dev,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.8.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.8.0-dev,true,process,process.parent.pe.sections,nested,extended,array,,Section information of the PE file. -8.8.0-dev,true,process,process.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.8.0-dev,true,process,process.parent.pe.sections.name,keyword,extended,,,PE Section List name. -8.8.0-dev,true,process,process.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.8.0-dev,true,process,process.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.8.0-dev,true,process,process.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.8.0-dev,true,process,process.parent.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. -8.8.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. -8.8.0-dev,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. -8.8.0-dev,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. 
-8.8.0-dev,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group. -8.8.0-dev,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.8.0-dev,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. -8.8.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. -8.8.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. -8.8.0-dev,true,process,process.parent.title,keyword,extended,,,Process title. -8.8.0-dev,true,process,process.parent.title.text,match_only_text,extended,,,Process title. -8.8.0-dev,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. -8.8.0-dev,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.8.0-dev,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.8.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. 
-8.8.0-dev,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.8.0-dev,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.8.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.8.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.8.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.8.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.8.0-dev,true,process,process.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.8.0-dev,true,process,process.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.8.0-dev,true,process,process.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.8.0-dev,true,process,process.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.8.0-dev,true,process,process.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.8.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. 
-8.8.0-dev,true,process,process.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.8.0-dev,true,process,process.pe.imports,flattened,extended,array,,List of imported element names and types. -8.8.0-dev,true,process,process.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev,true,process,process.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.8.0-dev,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.8.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.8.0-dev,true,process,process.pe.sections,nested,extended,array,,Section information of the PE file. -8.8.0-dev,true,process,process.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.8.0-dev,true,process,process.pe.sections.name,keyword,extended,,,PE Section List name. -8.8.0-dev,true,process,process.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.8.0-dev,true,process,process.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.8.0-dev,true,process,process.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.8.0-dev,true,process,process.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. -8.8.0-dev,true,process,process.pid,long,core,,4242,Process id. 
-8.8.0-dev,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.8.0-dev,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. -8.8.0-dev,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.8.0-dev,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.8.0-dev,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev,true,process,process.real_group.name,keyword,extended,,,Name of the group. -8.8.0-dev,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev,true,process,process.saved_group.name,keyword,extended,,,Name of the group. -8.8.0-dev,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.8.0-dev,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array. 
-8.8.0-dev,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.8.0-dev,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.8.0-dev,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.8.0-dev,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.8.0-dev,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.8.0-dev,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. -8.8.0-dev,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.8.0-dev,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. -8.8.0-dev,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. -8.8.0-dev,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.8.0-dev,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. -8.8.0-dev,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.8.0-dev,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. -8.8.0-dev,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 
-8.8.0-dev,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.8.0-dev,true,process,process.session_leader.pid,long,core,,4242,Process id. -8.8.0-dev,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. -8.8.0-dev,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -8.8.0-dev,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group. -8.8.0-dev,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.8.0-dev,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-8.8.0-dev,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.8.0-dev,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. -8.8.0-dev,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.8.0-dev,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.8.0-dev,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.8.0-dev,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.8.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.8.0-dev,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. -8.8.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. -8.8.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. -8.8.0-dev,true,process,process.title,keyword,extended,,,Process title. -8.8.0-dev,true,process,process.title.text,match_only_text,extended,,,Process title. -8.8.0-dev,true,process,process.tty,object,extended,,,Information about the controlling TTY device. 
-8.8.0-dev,true,process,process.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.8.0-dev,true,process,process.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.8.0-dev,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width -8.8.0-dev,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height -8.8.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. -8.8.0-dev,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.8.0-dev,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.8.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.8.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -8.8.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.8.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.8.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. 
-8.8.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.8.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. -8.8.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. -8.8.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. -8.8.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. -8.8.0-dev,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. -8.8.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author -8.8.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category -8.8.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description -8.8.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID -8.8.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license -8.8.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name -8.8.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL -8.8.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset -8.8.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID -8.8.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version -8.8.0-dev,true,server,server.address,keyword,extended,,,Server network address. -8.8.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.8.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.8.0-dev,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. 
-8.8.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. -8.8.0-dev,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server. -8.8.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name. -8.8.0-dev,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. -8.8.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. -8.8.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.8.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name. -8.8.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.8.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.8.0-dev,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. -8.8.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.8.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. -8.8.0-dev,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.8.0-dev,true,server,server.ip,ip,core,,,IP address of the server. -8.8.0-dev,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. -8.8.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip -8.8.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port -8.8.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. -8.8.0-dev,true,server,server.port,long,core,,,Port of the server. -8.8.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." -8.8.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. 
-8.8.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.8.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.8.0-dev,true,server,server.user.email,keyword,extended,,,User email address. -8.8.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.8.0-dev,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.8.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.8.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group. -8.8.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.8.0-dev,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.8.0-dev,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.8.0-dev,true,service,service.environment,keyword,extended,,production,Environment of the service. -8.8.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.8.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. 
-8.8.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. -8.8.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.8.0-dev,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.8.0-dev,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -8.8.0-dev,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.8.0-dev,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. -8.8.0-dev,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.8.0-dev,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.8.0-dev,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. -8.8.0-dev,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.8.0-dev,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.8.0-dev,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -8.8.0-dev,true,service,service.origin.state,keyword,core,,,Current state of the service. -8.8.0-dev,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. -8.8.0-dev,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. -8.8.0-dev,true,service,service.state,keyword,core,,,Current state of the service. -8.8.0-dev,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.8.0-dev,true,service,service.target.environment,keyword,extended,,production,Environment of the service. 
-8.8.0-dev,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.8.0-dev,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.8.0-dev,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. -8.8.0-dev,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.8.0-dev,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.8.0-dev,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -8.8.0-dev,true,service,service.target.state,keyword,core,,,Current state of the service. -8.8.0-dev,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. -8.8.0-dev,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. -8.8.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service. -8.8.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service. -8.8.0-dev,true,source,source.address,keyword,extended,,,Source network address. -8.8.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.8.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.8.0-dev,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.8.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. -8.8.0-dev,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source. -8.8.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name. -8.8.0-dev,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. 
-8.8.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. -8.8.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.8.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name. -8.8.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.8.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.8.0-dev,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. -8.8.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.8.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. -8.8.0-dev,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.8.0-dev,true,source,source.ip,ip,core,,,IP address of the source. -8.8.0-dev,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. -8.8.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip -8.8.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port -8.8.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. -8.8.0-dev,true,source,source.port,long,core,,,Port of the source. -8.8.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -8.8.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. -8.8.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.8.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.8.0-dev,true,source,source.user.email,keyword,extended,,,User email address. -8.8.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
-8.8.0-dev,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.8.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.8.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group. -8.8.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.8.0-dev,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.8.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. -8.8.0-dev,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. -8.8.0-dev,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. -8.8.0-dev,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.8.0-dev,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.8.0-dev,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. 
-8.8.0-dev,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating -8.8.0-dev,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -8.8.0-dev,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address -8.8.0-dev,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.8.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 
-8.8.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
-8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
-8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. 
-8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.8.0-dev,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." 
-8.8.0-dev,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.8.0-dev,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.8.0-dev,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.8.0-dev,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.8.0-dev,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.8.0-dev,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
-8.8.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.8.0-dev,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.8.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. 
-8.8.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -8.8.0-dev,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.8.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.8.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
-8.8.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.8.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.8.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.8.0-dev,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. 
-8.8.0-dev,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.8.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.8.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.8.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.8.0-dev,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.8.0-dev,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. -8.8.0-dev,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. -8.8.0-dev,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. -8.8.0-dev,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. 
-8.8.0-dev,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.8.0-dev,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. -8.8.0-dev,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.8.0-dev,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.8.0-dev,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. -8.8.0-dev,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.8.0-dev,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. -8.8.0-dev,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.8.0-dev,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address -8.8.0-dev,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. -8.8.0-dev,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking -8.8.0-dev,true,threat,threat.enrichments.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version -8.8.0-dev,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. 
-8.8.0-dev,true,threat,threat.enrichments.indicator.name,keyword,extended,,5.2.75.227,Indicator display name -8.8.0-dev,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port -8.8.0-dev,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider -8.8.0-dev,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL -8.8.0-dev,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.8.0-dev,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -8.8.0-dev,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.8.0-dev,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.8.0-dev,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -8.8.0-dev,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.8.0-dev,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. 
-8.8.0-dev,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics -8.8.0-dev,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed -8.8.0-dev,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator -8.8.0-dev,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.8.0-dev,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -8.8.0-dev,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.8.0-dev,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.8.0-dev,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.8.0-dev,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.8.0-dev,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.8.0-dev,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. -8.8.0-dev,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.8.0-dev,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." -8.8.0-dev,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. 
-8.8.0-dev,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.8.0-dev,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. -8.8.0-dev,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.8.0-dev,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.8.0-dev,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. -8.8.0-dev,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.8.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.8.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.8.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.8.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.8.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.8.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-8.8.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.8.0-dev,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.8.0-dev,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.8.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.8.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.8.0-dev,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.8.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.8.0-dev,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.8.0-dev,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.8.0-dev,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.8.0-dev,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.8.0-dev,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-8.8.0-dev,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.8.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.8.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.8.0-dev,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.8.0-dev,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. -8.8.0-dev,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value -8.8.0-dev,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field -8.8.0-dev,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier -8.8.0-dev,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index -8.8.0-dev,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05T17:00:58.326Z,Date of match -8.8.0-dev,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match -8.8.0-dev,true,threat,threat.feed.dashboard_id,keyword,extended,,5ba16340-72e6-11eb-a3e3-b3cc7c78a70f,Feed dashboard ID. -8.8.0-dev,true,threat,threat.feed.description,keyword,extended,,Threat feed from the AlienVault Open Threat eXchange network.,Description of the threat feed. -8.8.0-dev,true,threat,threat.feed.name,keyword,extended,,AlienVault OTX,Name of the threat feed. -8.8.0-dev,true,threat,threat.feed.reference,keyword,extended,,https://otx.alienvault.com,Reference for the threat feed. 
-8.8.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. -8.8.0-dev,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. -8.8.0-dev,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. -8.8.0-dev,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. -8.8.0-dev,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. -8.8.0-dev,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.8.0-dev,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.8.0-dev,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.8.0-dev,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating -8.8.0-dev,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -8.8.0-dev,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address -8.8.0-dev,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. -8.8.0-dev,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.8.0-dev,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.8.0-dev,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.8.0-dev,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 
-8.8.0-dev,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.8.0-dev,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.8.0-dev,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.8.0-dev,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.8.0-dev,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.8.0-dev,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.8.0-dev,true,threat,threat.indicator.file.created,date,extended,,,File creation time. -8.8.0-dev,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.8.0-dev,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. -8.8.0-dev,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.8.0-dev,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.8.0-dev,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.8.0-dev,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.8.0-dev,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.8.0-dev,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. 
-8.8.0-dev,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.8.0-dev,true,threat,threat.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.8.0-dev,true,threat,threat.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.8.0-dev,true,threat,threat.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.8.0-dev,true,threat,threat.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.8.0-dev,true,threat,threat.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.8.0-dev,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.8.0-dev,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.8.0-dev,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.8.0-dev,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.8.0-dev,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.8.0-dev,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.8.0-dev,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.8.0-dev,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.8.0-dev,true,threat,threat.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. 
-8.8.0-dev,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. -8.8.0-dev,true,threat,threat.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev,true,threat,threat.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. -8.8.0-dev,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.8.0-dev,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.8.0-dev,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.8.0-dev,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.8.0-dev,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.8.0-dev,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.8.0-dev,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.8.0-dev,true,threat,threat.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.8.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.8.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.8.0-dev,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. 
-8.8.0-dev,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.8.0-dev,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.8.0-dev,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.8.0-dev,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.8.0-dev,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.8.0-dev,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.8.0-dev,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.8.0-dev,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. -8.8.0-dev,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. -8.8.0-dev,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.8.0-dev,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.8.0-dev,true,threat,threat.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.8.0-dev,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. -8.8.0-dev,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.8.0-dev,true,threat,threat.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.8.0-dev,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.8.0-dev,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.8.0-dev,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. 
-8.8.0-dev,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. -8.8.0-dev,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.8.0-dev,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. -8.8.0-dev,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.8.0-dev,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.8.0-dev,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.8.0-dev,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.8.0-dev,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.8.0-dev,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.8.0-dev,true,threat,threat.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.8.0-dev,true,threat,threat.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.8.0-dev,true,threat,threat.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.8.0-dev,true,threat,threat.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.8.0-dev,true,threat,threat.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
-8.8.0-dev,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.8.0-dev,true,threat,threat.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.8.0-dev,true,threat,threat.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. -8.8.0-dev,true,threat,threat.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev,true,threat,threat.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.8.0-dev,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.8.0-dev,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.8.0-dev,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.8.0-dev,true,threat,threat.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. -8.8.0-dev,true,threat,threat.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.8.0-dev,true,threat,threat.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. -8.8.0-dev,true,threat,threat.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.8.0-dev,true,threat,threat.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.8.0-dev,true,threat,threat.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. 
This is always the same as `physical_size`. -8.8.0-dev,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. -8.8.0-dev,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. -8.8.0-dev,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.8.0-dev,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -8.8.0-dev,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.8.0-dev,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.8.0-dev,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.8.0-dev,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.8.0-dev,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.8.0-dev,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.8.0-dev,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.8.0-dev,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-8.8.0-dev,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.8.0-dev,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.8.0-dev,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.8.0-dev,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.8.0-dev,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.8.0-dev,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.8.0-dev,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.8.0-dev,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.8.0-dev,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.8.0-dev,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.8.0-dev,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.8.0-dev,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-8.8.0-dev,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.8.0-dev,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.8.0-dev,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.8.0-dev,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.8.0-dev,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.8.0-dev,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. -8.8.0-dev,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. -8.8.0-dev,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. -8.8.0-dev,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. -8.8.0-dev,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.8.0-dev,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. -8.8.0-dev,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.8.0-dev,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.8.0-dev,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. -8.8.0-dev,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.8.0-dev,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. -8.8.0-dev,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 
-8.8.0-dev,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address -8.8.0-dev,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. -8.8.0-dev,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking -8.8.0-dev,true,threat,threat.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version -8.8.0-dev,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. -8.8.0-dev,true,threat,threat.indicator.name,keyword,extended,,5.2.75.227,Indicator display name -8.8.0-dev,true,threat,threat.indicator.port,long,extended,,443,Indicator port -8.8.0-dev,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider -8.8.0-dev,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL -8.8.0-dev,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.8.0-dev,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -8.8.0-dev,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.8.0-dev,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.8.0-dev,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. 
-8.8.0-dev,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.8.0-dev,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. -8.8.0-dev,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics -8.8.0-dev,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed -8.8.0-dev,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator -8.8.0-dev,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.8.0-dev,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -8.8.0-dev,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.8.0-dev,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.8.0-dev,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.8.0-dev,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.8.0-dev,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.8.0-dev,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. -8.8.0-dev,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.8.0-dev,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." 
-8.8.0-dev,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. -8.8.0-dev,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.8.0-dev,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. -8.8.0-dev,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.8.0-dev,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.8.0-dev,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. -8.8.0-dev,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.8.0-dev,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.8.0-dev,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.8.0-dev,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.8.0-dev,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.8.0-dev,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.8.0-dev,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-8.8.0-dev,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.8.0-dev,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.8.0-dev,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.8.0-dev,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.8.0-dev,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.8.0-dev,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.8.0-dev,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.8.0-dev,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.8.0-dev,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.8.0-dev,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.8.0-dev,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.8.0-dev,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-8.8.0-dev,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.8.0-dev,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.8.0-dev,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.8.0-dev,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.8.0-dev,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. -8.8.0-dev,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software -8.8.0-dev,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software -8.8.0-dev,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. -8.8.0-dev,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. -8.8.0-dev,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. -8.8.0-dev,true,threat,threat.software.type,keyword,extended,,Tool,Software type. -8.8.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. -8.8.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. -8.8.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. -8.8.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. -8.8.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. -8.8.0-dev,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name. 
-8.8.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. -8.8.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. -8.8.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. -8.8.0-dev,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name. -8.8.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. -8.8.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. -8.8.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. -8.8.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. -8.8.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. -8.8.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. -8.8.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. -8.8.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. 
-8.8.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. -8.8.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. -8.8.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. -8.8.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. -8.8.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. -8.8.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. -8.8.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.8.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.8.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.8.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.8.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.8.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. 
-8.8.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.8.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.8.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.8.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.8.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.8.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.8.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.8.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.8.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.8.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.8.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.8.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.8.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-8.8.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.8.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.8.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.8.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.8.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. -8.8.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." -8.8.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. -8.8.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. -8.8.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -8.8.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. -8.8.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. -8.8.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. -8.8.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. 
-8.8.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. -8.8.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. -8.8.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. -8.8.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. -8.8.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. -8.8.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. -8.8.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.8.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.8.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.8.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.8.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.8.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. 
-8.8.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.8.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.8.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.8.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.8.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.8.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.8.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.8.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.8.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.8.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.8.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.8.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.8.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-8.8.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.8.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.8.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.8.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.8.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. -8.8.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. -8.8.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. -8.8.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. -8.8.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. -8.8.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.8.0-dev,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -8.8.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.8.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.8.0-dev,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.8.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. 
-8.8.0-dev,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.8.0-dev,true,url,url.password,keyword,extended,,,Password of the request. -8.8.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.8.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443." -8.8.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. -8.8.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.8.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. -8.8.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.8.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.8.0-dev,true,url,url.username,keyword,extended,,,Username of the request. -8.8.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. -8.8.0-dev,true,user,user.changes.email,keyword,extended,,,User email address. -8.8.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.8.0-dev,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.8.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.8.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group. -8.8.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
-8.8.0-dev,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.8.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.8.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. -8.8.0-dev,true,user,user.effective.email,keyword,extended,,,User email address. -8.8.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.8.0-dev,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.8.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.8.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group. -8.8.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.8.0-dev,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 
-8.8.0-dev,true,user,user.email,keyword,extended,,,User email address. -8.8.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.8.0-dev,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.8.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.8.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group. -8.8.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.8.0-dev,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.8.0-dev,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.8.0-dev,true,user,user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.8.0-dev,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.8.0-dev,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." 
-8.8.0-dev,true,user,user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -8.8.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.8.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. -8.8.0-dev,true,user,user.target.email,keyword,extended,,,User email address. -8.8.0-dev,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.8.0-dev,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.8.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.8.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.8.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group. -8.8.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.8.0-dev,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.8.0-dev,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.8.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.8.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. -8.8.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. 
-8.8.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -8.8.0-dev,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -8.8.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.8.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.8.0-dev,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.8.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -8.8.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.8.0-dev,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.8.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.8.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -8.8.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.8.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. -8.8.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. 
-8.8.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. -8.8.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -8.8.0-dev,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -8.8.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. -8.8.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. -8.8.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. -8.8.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. -8.8.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. -8.8.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. -8.8.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. -8.8.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. -8.8.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. -8.8.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. +8.9.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. +8.9.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. +8.9.0-dev,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer. 
+8.9.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. +8.9.0-dev,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. +8.9.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. +8.9.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. +8.9.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. +8.9.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. +8.9.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. +8.9.0-dev,true,client,client.address,keyword,extended,,,Client network address. +8.9.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.9.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.9.0-dev,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.9.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. +8.9.0-dev,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client. +8.9.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name. +8.9.0-dev,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. +8.9.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. +8.9.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.9.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name. +8.9.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
+8.9.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.9.0-dev,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. +8.9.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.9.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. +8.9.0-dev,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.9.0-dev,true,client,client.ip,ip,core,,,IP address of the client. +8.9.0-dev,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. +8.9.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address +8.9.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port +8.9.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. +8.9.0-dev,true,client,client.port,long,core,,,Port of the client. +8.9.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." +8.9.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. +8.9.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.9.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.9.0-dev,true,client,client.user.email,keyword,extended,,,User email address. +8.9.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.9.0-dev,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.9.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.9.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+8.9.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group. +8.9.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.9.0-dev,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.9.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. +8.9.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. +8.9.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +8.9.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +8.9.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. +8.9.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +8.9.0-dev,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. +8.9.0-dev,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. +8.9.0-dev,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +8.9.0-dev,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +8.9.0-dev,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine. 
+8.9.0-dev,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +8.9.0-dev,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id. +8.9.0-dev,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name. +8.9.0-dev,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider. +8.9.0-dev,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +8.9.0-dev,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name. +8.9.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. +8.9.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. +8.9.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. +8.9.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +8.9.0-dev,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. +8.9.0-dev,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id. +8.9.0-dev,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name. +8.9.0-dev,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +8.9.0-dev,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +8.9.0-dev,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine. +8.9.0-dev,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +8.9.0-dev,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id. 
+8.9.0-dev,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name. +8.9.0-dev,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider. +8.9.0-dev,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +8.9.0-dev,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name. +8.9.0-dev,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +8.9.0-dev,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +8.9.0-dev,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +8.9.0-dev,true,container,container.id,keyword,core,,,Unique container id. +8.9.0-dev,true,container,container.image.hash.all,keyword,extended,array,[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26],An array of digests of the image the container was built on. +8.9.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. +8.9.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags. +8.9.0-dev,true,container,container.labels,object,extended,,,Image labels. +8.9.0-dev,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1." +8.9.0-dev,true,container,container.name,keyword,extended,,,Container name. +8.9.0-dev,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +8.9.0-dev,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +8.9.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. 
+8.9.0-dev,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. +8.9.0-dev,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. +8.9.0-dev,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. +8.9.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address. +8.9.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.9.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.9.0-dev,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.9.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. +8.9.0-dev,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination. +8.9.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. +8.9.0-dev,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. +8.9.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. +8.9.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.9.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. +8.9.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.9.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.9.0-dev,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. 
+8.9.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.9.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. +8.9.0-dev,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.9.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. +8.9.0-dev,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. +8.9.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip +8.9.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port +8.9.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. +8.9.0-dev,true,destination,destination.port,long,core,,,Port of the destination. +8.9.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." +8.9.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. +8.9.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.9.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.9.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address. +8.9.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.9.0-dev,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.9.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.9.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+8.9.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. +8.9.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.9.0-dev,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.9.0-dev,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. +8.9.0-dev,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. +8.9.0-dev,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. +8.9.0-dev,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. +8.9.0-dev,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.9.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.9.0-dev,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.9.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
+8.9.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.9.0-dev,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.9.0-dev,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.9.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.9.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.9.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. +8.9.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. +8.9.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. +8.9.0-dev,true,dll,dll.hash.sha384,keyword,extended,,,SHA384 hash. +8.9.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. +8.9.0-dev,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.9.0-dev,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. +8.9.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. +8.9.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. +8.9.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.9.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.9.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.9.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.9.0-dev,true,dll,dll.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +8.9.0-dev,true,dll,dll.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. 
+8.9.0-dev,true,dll,dll.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.9.0-dev,true,dll,dll.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.9.0-dev,true,dll,dll.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.9.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.9.0-dev,true,dll,dll.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.9.0-dev,true,dll,dll.pe.imports,flattened,extended,array,,List of imported element names and types. +8.9.0-dev,true,dll,dll.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev,true,dll,dll.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.9.0-dev,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.9.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.9.0-dev,true,dll,dll.pe.sections,nested,extended,array,,Section information of the PE file. +8.9.0-dev,true,dll,dll.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.9.0-dev,true,dll,dll.pe.sections.name,keyword,extended,,,PE Section List name. +8.9.0-dev,true,dll,dll.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.9.0-dev,true,dll,dll.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 
+8.9.0-dev,true,dll,dll.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.9.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. +8.9.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. +8.9.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. +8.9.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. +8.9.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. +8.9.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. +8.9.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. +8.9.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. +8.9.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. +8.9.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. +8.9.0-dev,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. +8.9.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." +8.9.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. +8.9.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.9.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. 
+8.9.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data +8.9.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. +8.9.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." +8.9.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. +8.9.0-dev,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. +8.9.0-dev,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. +8.9.0-dev,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. +8.9.0-dev,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. +8.9.0-dev,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. +8.9.0-dev,true,email,email.attachments.file.hash.sha384,keyword,extended,,,SHA384 hash. +8.9.0-dev,true,email,email.attachments.file.hash.sha512,keyword,extended,,,SHA512 hash. +8.9.0-dev,true,email,email.attachments.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.9.0-dev,true,email,email.attachments.file.hash.tlsh,keyword,extended,,,TLSH hash. +8.9.0-dev,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file. +8.9.0-dev,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file. +8.9.0-dev,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size. +8.9.0-dev,true,email,email.bcc.address,keyword,extended,array,bcc.user1@example.com,Email address of BCC recipient +8.9.0-dev,true,email,email.cc.address,keyword,extended,array,cc.user1@example.com,Email address of CC recipient +8.9.0-dev,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message. 
+8.9.0-dev,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered. +8.9.0-dev,true,email,email.direction,keyword,extended,,inbound,Direction of the message. +8.9.0-dev,true,email,email.from.address,keyword,extended,array,sender@example.com,The sender's email address. +8.9.0-dev,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source. +8.9.0-dev,true,email,email.message_id,wildcard,extended,,81ce15$8r2j59@mail01.example.com,Value from the Message-ID header. +8.9.0-dev,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed. +8.9.0-dev,true,email,email.reply_to.address,keyword,extended,array,reply.here@example.com,Address replies should be delivered to. +8.9.0-dev,true,email,email.sender.address,keyword,extended,,,Address of the message sender. +8.9.0-dev,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message. +8.9.0-dev,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. +8.9.0-dev,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient +8.9.0-dev,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. +8.9.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. +8.9.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. +8.9.0-dev,true,error,error.message,match_only_text,core,,,Error message. +8.9.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. +8.9.0-dev,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text. 
+8.9.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." +8.9.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. +8.9.0-dev,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. +8.9.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. +8.9.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event. +8.9.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. +8.9.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. +8.9.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. +8.9.0-dev,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. +8.9.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +8.9.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. +8.9.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. +8.9.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. +8.9.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. +8.9.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +8.9.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. 
The lowest level categorization field in the hierarchy. +8.9.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. +8.9.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" +8.9.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL +8.9.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +8.9.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). +8.9.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event. +8.9.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event. +8.9.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. +8.9.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone. +8.9.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. +8.9.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL +8.9.0-dev,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function. +8.9.0-dev,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. +8.9.0-dev,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. +8.9.0-dev,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. +8.9.0-dev,true,faas,faas.trigger,nested,extended,,,Details about the function trigger. 
+8.9.0-dev,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." +8.9.0-dev,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. +8.9.0-dev,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. +8.9.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. +8.9.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +8.9.0-dev,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.9.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.9.0-dev,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.9.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.9.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.9.0-dev,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.9.0-dev,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.9.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.9.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.9.0-dev,true,file,file.created,date,extended,,,File creation time. +8.9.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. +8.9.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. 
+8.9.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. +8.9.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +8.9.0-dev,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.9.0-dev,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.9.0-dev,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.9.0-dev,true,file,file.elf.creation_date,date,extended,,,Build or compile date. +8.9.0-dev,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. +8.9.0-dev,true,file,file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.9.0-dev,true,file,file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.9.0-dev,true,file,file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.9.0-dev,true,file,file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.9.0-dev,true,file,file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.9.0-dev,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.9.0-dev,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.9.0-dev,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.9.0-dev,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.9.0-dev,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.9.0-dev,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. 
+8.9.0-dev,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.9.0-dev,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. +8.9.0-dev,true,file,file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.9.0-dev,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. +8.9.0-dev,true,file,file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev,true,file,file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. +8.9.0-dev,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.9.0-dev,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.9.0-dev,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.9.0-dev,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. +8.9.0-dev,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.9.0-dev,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.9.0-dev,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.9.0-dev,true,file,file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.9.0-dev,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.9.0-dev,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.9.0-dev,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. 
+8.9.0-dev,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.9.0-dev,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. +8.9.0-dev,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.9.0-dev,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.9.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +8.9.0-dev,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +8.9.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +8.9.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. +8.9.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. +8.9.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. +8.9.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. +8.9.0-dev,true,file,file.hash.sha384,keyword,extended,,,SHA384 hash. +8.9.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. +8.9.0-dev,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.9.0-dev,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. +8.9.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +8.9.0-dev,true,file,file.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +8.9.0-dev,true,file,file.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.9.0-dev,true,file,file.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.9.0-dev,true,file,file.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 
+8.9.0-dev,true,file,file.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.9.0-dev,true,file,file.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +8.9.0-dev,true,file,file.macho.imports,flattened,extended,array,,List of imported element names and types. +8.9.0-dev,true,file,file.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev,true,file,file.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev,true,file,file.macho.sections,nested,extended,array,,Section information of the Mach-O file. +8.9.0-dev,true,file,file.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.9.0-dev,true,file,file.macho.sections.name,keyword,extended,,,Mach-O Section List name. +8.9.0-dev,true,file,file.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +8.9.0-dev,true,file,file.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.9.0-dev,true,file,file.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +8.9.0-dev,true,file,file.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +8.9.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +8.9.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. +8.9.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified. +8.9.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." 
+8.9.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username. +8.9.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.9.0-dev,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.9.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.9.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.9.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.9.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.9.0-dev,true,file,file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +8.9.0-dev,true,file,file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.9.0-dev,true,file,file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.9.0-dev,true,file,file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.9.0-dev,true,file,file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.9.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.9.0-dev,true,file,file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.9.0-dev,true,file,file.pe.imports,flattened,extended,array,,List of imported element names and types. +8.9.0-dev,true,file,file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
+8.9.0-dev,true,file,file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.9.0-dev,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.9.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.9.0-dev,true,file,file.pe.sections,nested,extended,array,,Section information of the PE file. +8.9.0-dev,true,file,file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.9.0-dev,true,file,file.pe.sections.name,keyword,extended,,,PE Section List name. +8.9.0-dev,true,file,file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.9.0-dev,true,file,file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.9.0-dev,true,file,file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.9.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. +8.9.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks. +8.9.0-dev,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. +8.9.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +8.9.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +8.9.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
+8.9.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.9.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.9.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.9.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.9.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.9.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.9.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.9.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.9.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.9.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.9.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.9.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.9.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.9.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. 
+8.9.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.9.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.9.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.9.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.9.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.9.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.9.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.9.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.9.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. +8.9.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.9.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev,true,group,group.name,keyword,extended,,,Name of the group. +8.9.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. +8.9.0-dev,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id +8.9.0-dev,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +8.9.0-dev,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +8.9.0-dev,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. 
+8.9.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. +8.9.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name. +8.9.0-dev,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. +8.9.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. +8.9.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.9.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name. +8.9.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.9.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.9.0-dev,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. +8.9.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.9.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. +8.9.0-dev,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.9.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host. +8.9.0-dev,true,host,host.id,keyword,core,,,Unique host id. +8.9.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. +8.9.0-dev,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. +8.9.0-dev,true,host,host.name,keyword,core,,,Name of the host. +8.9.0-dev,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +8.9.0-dev,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. +8.9.0-dev,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +8.9.0-dev,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. 
+8.9.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +8.9.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.9.0-dev,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.9.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +8.9.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +8.9.0-dev,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +8.9.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +8.9.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +8.9.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +8.9.0-dev,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode +8.9.0-dev,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.9.0-dev,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.9.0-dev,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.9.0-dev,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 
+8.9.0-dev,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.9.0-dev,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +8.9.0-dev,true,host,host.type,keyword,core,,,Type of host. +8.9.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. +8.9.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. +8.9.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. +8.9.0-dev,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body. +8.9.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). +8.9.0-dev,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. +8.9.0-dev,true,http,http.request.method,keyword,extended,,POST,HTTP request method. +8.9.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. +8.9.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. +8.9.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. +8.9.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. +8.9.0-dev,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body. +8.9.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). +8.9.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. +8.9.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code. 
+8.9.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version. +8.9.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. +8.9.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event. +8.9.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. +8.9.0-dev,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event. +8.9.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. +8.9.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. +8.9.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata +8.9.0-dev,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. +8.9.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. +8.9.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. +8.9.0-dev,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. +8.9.0-dev,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. +8.9.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. +8.9.0-dev,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. +8.9.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. +8.9.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. +8.9.0-dev,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages. +8.9.0-dev,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. 
+8.9.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name. +8.9.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. +8.9.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. +8.9.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. +8.9.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. +8.9.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. +8.9.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information +8.9.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.9.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.9.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. +8.9.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions. +8.9.0-dev,true,network,network.protocol,keyword,core,,http,Application protocol name. +8.9.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. +8.9.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" +8.9.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.9.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. 
+8.9.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information +8.9.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias +8.9.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID +8.9.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name +8.9.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.9.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.9.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone +8.9.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. +8.9.0-dev,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. +8.9.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. +8.9.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.9.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. +8.9.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.9.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.9.0-dev,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. +8.9.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.9.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. +8.9.0-dev,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.9.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. 
+8.9.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information +8.9.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias +8.9.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID +8.9.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name +8.9.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.9.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.9.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone +8.9.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. +8.9.0-dev,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. +8.9.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. +8.9.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +8.9.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.9.0-dev,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.9.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +8.9.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +8.9.0-dev,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +8.9.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." 
+8.9.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +8.9.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +8.9.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. +8.9.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. +8.9.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. +8.9.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. +8.9.0-dev,true,observer,observer.version,keyword,core,,,Observer version. +8.9.0-dev,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action +8.9.0-dev,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster. +8.9.0-dev,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster. +8.9.0-dev,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster. +8.9.0-dev,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. +8.9.0-dev,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. +8.9.0-dev,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). +8.9.0-dev,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. +8.9.0-dev,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. +8.9.0-dev,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. 
+8.9.0-dev,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. +8.9.0-dev,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. +8.9.0-dev,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)." +8.9.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. +8.9.0-dev,true,organization,organization.name,keyword,extended,,,Organization name. +8.9.0-dev,true,organization,organization.name.text,match_only_text,extended,,,Organization name. +8.9.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. +8.9.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information +8.9.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. +8.9.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. +8.9.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." +8.9.0-dev,true,package,package.installed,date,extended,,,Time when package was installed. +8.9.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license +8.9.0-dev,true,package,package.name,keyword,extended,,go,Package name +8.9.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. +8.9.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL +8.9.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes. 
+8.9.0-dev,true,package,package.type,keyword,extended,,rpm,Package type +8.9.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version +8.9.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.9.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. +8.9.0-dev,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.9.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.9.0-dev,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.9.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.9.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.9.0-dev,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.9.0-dev,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.9.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.9.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.9.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.9.0-dev,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
+8.9.0-dev,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.9.0-dev,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.9.0-dev,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.9.0-dev,true,process,process.elf.creation_date,date,extended,,,Build or compile date. +8.9.0-dev,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. +8.9.0-dev,true,process,process.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.9.0-dev,true,process,process.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.9.0-dev,true,process,process.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.9.0-dev,true,process,process.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.9.0-dev,true,process,process.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.9.0-dev,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.9.0-dev,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.9.0-dev,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.9.0-dev,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.9.0-dev,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.9.0-dev,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.9.0-dev,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. 
+8.9.0-dev,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. +8.9.0-dev,true,process,process.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.9.0-dev,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. +8.9.0-dev,true,process,process.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev,true,process,process.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. +8.9.0-dev,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.9.0-dev,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.9.0-dev,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.9.0-dev,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. +8.9.0-dev,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.9.0-dev,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.9.0-dev,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. +8.9.0-dev,true,process,process.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.9.0-dev,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.9.0-dev,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.9.0-dev,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. 
+8.9.0-dev,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.9.0-dev,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. +8.9.0-dev,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.9.0-dev,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.9.0-dev,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +8.9.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.9.0-dev,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.9.0-dev,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. +8.9.0-dev,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group. +8.9.0-dev,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,process,process.entry_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.9.0-dev,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.9.0-dev,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.9.0-dev,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. 
+8.9.0-dev,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. +8.9.0-dev,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.9.0-dev,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.9.0-dev,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. +8.9.0-dev,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.9.0-dev,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. +8.9.0-dev,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. +8.9.0-dev,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.9.0-dev,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. +8.9.0-dev,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.9.0-dev,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. +8.9.0-dev,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.9.0-dev,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.9.0-dev,true,process,process.entry_leader.pid,long,core,,4242,Process id. +8.9.0-dev,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. 
+8.9.0-dev,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +8.9.0-dev,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. +8.9.0-dev,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.9.0-dev,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +8.9.0-dev,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. +8.9.0-dev,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.9.0-dev,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. 
+8.9.0-dev,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.9.0-dev,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.9.0-dev,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. +8.9.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.9.0-dev,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.9.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. +8.9.0-dev,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.9.0-dev,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. +8.9.0-dev,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.9.0-dev,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.9.0-dev,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.9.0-dev,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 
+8.9.0-dev,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.9.0-dev,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. +8.9.0-dev,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.9.0-dev,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. +8.9.0-dev,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. +8.9.0-dev,true,process,process.group_leader.pid,long,core,,4242,Process id. +8.9.0-dev,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. +8.9.0-dev,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +8.9.0-dev,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. +8.9.0-dev,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
+8.9.0-dev,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.9.0-dev,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +8.9.0-dev,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. +8.9.0-dev,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.9.0-dev,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.9.0-dev,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.9.0-dev,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.9.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. +8.9.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. +8.9.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. +8.9.0-dev,true,process,process.hash.sha384,keyword,extended,,,SHA384 hash. 
+8.9.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. +8.9.0-dev,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.9.0-dev,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. +8.9.0-dev,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.9.0-dev,true,process,process.io,object,extended,,,A chunk of input or output (IO) from a single process. +8.9.0-dev,true,process,process.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. +8.9.0-dev,true,process,process.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. +8.9.0-dev,true,process,process.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. +8.9.0-dev,true,process,process.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." +8.9.0-dev,true,process,process.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. +8.9.0-dev,true,process,process.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. +8.9.0-dev,true,process,process.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. +8.9.0-dev,true,process,process.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. +8.9.0-dev,true,process,process.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +8.9.0-dev,true,process,process.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. 
+8.9.0-dev,true,process,process.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.9.0-dev,true,process,process.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.9.0-dev,true,process,process.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.9.0-dev,true,process,process.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +8.9.0-dev,true,process,process.macho.imports,flattened,extended,array,,List of imported element names and types. +8.9.0-dev,true,process,process.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev,true,process,process.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev,true,process,process.macho.sections,nested,extended,array,,Section information of the Mach-O file. +8.9.0-dev,true,process,process.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.9.0-dev,true,process,process.macho.sections.name,keyword,extended,,,Mach-O Section List name. +8.9.0-dev,true,process,process.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +8.9.0-dev,true,process,process.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.9.0-dev,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +8.9.0-dev,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +8.9.0-dev,true,process,process.name,keyword,extended,,ssh,Process name. 
+8.9.0-dev,true,process,process.name.text,match_only_text,extended,,ssh,Process name. +8.9.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.9.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. +8.9.0-dev,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.9.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.9.0-dev,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.9.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.9.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.9.0-dev,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.9.0-dev,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.9.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.9.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.9.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.9.0-dev,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
+8.9.0-dev,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.9.0-dev,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.9.0-dev,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.9.0-dev,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. +8.9.0-dev,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. +8.9.0-dev,true,process,process.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.9.0-dev,true,process,process.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.9.0-dev,true,process,process.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.9.0-dev,true,process,process.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.9.0-dev,true,process,process.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.9.0-dev,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.9.0-dev,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.9.0-dev,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.9.0-dev,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.9.0-dev,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.9.0-dev,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. 
+8.9.0-dev,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.9.0-dev,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. +8.9.0-dev,true,process,process.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.9.0-dev,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. +8.9.0-dev,true,process,process.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev,true,process,process.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. +8.9.0-dev,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.9.0-dev,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.9.0-dev,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.9.0-dev,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. +8.9.0-dev,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.9.0-dev,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.9.0-dev,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. +8.9.0-dev,true,process,process.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.9.0-dev,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. 
+8.9.0-dev,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.9.0-dev,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. +8.9.0-dev,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.9.0-dev,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. +8.9.0-dev,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.9.0-dev,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.9.0-dev,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +8.9.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.9.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.9.0-dev,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.9.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. +8.9.0-dev,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev,true,process,process.parent.group.name,keyword,extended,,,Name of the group. +8.9.0-dev,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.9.0-dev,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. +8.9.0-dev,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.9.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. +8.9.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. 
+8.9.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. +8.9.0-dev,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash. +8.9.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. +8.9.0-dev,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.9.0-dev,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. +8.9.0-dev,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.9.0-dev,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +8.9.0-dev,true,process,process.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.9.0-dev,true,process,process.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.9.0-dev,true,process,process.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.9.0-dev,true,process,process.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.9.0-dev,true,process,process.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +8.9.0-dev,true,process,process.parent.macho.imports,flattened,extended,array,,List of imported element names and types. +8.9.0-dev,true,process,process.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev,true,process,process.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
+8.9.0-dev,true,process,process.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file. +8.9.0-dev,true,process,process.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.9.0-dev,true,process,process.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name. +8.9.0-dev,true,process,process.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +8.9.0-dev,true,process,process.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.9.0-dev,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +8.9.0-dev,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +8.9.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name. +8.9.0-dev,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. +8.9.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.9.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.9.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.9.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.9.0-dev,true,process,process.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +8.9.0-dev,true,process,process.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. 
+8.9.0-dev,true,process,process.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.9.0-dev,true,process,process.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.9.0-dev,true,process,process.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.9.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.9.0-dev,true,process,process.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.9.0-dev,true,process,process.parent.pe.imports,flattened,extended,array,,List of imported element names and types. +8.9.0-dev,true,process,process.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev,true,process,process.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.9.0-dev,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.9.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.9.0-dev,true,process,process.parent.pe.sections,nested,extended,array,,Section information of the PE file. +8.9.0-dev,true,process,process.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.9.0-dev,true,process,process.parent.pe.sections.name,keyword,extended,,,PE Section List name. 
+8.9.0-dev,true,process,process.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.9.0-dev,true,process,process.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.9.0-dev,true,process,process.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.9.0-dev,true,process,process.parent.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. +8.9.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. +8.9.0-dev,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. +8.9.0-dev,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group. +8.9.0-dev,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 
+8.9.0-dev,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. +8.9.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. +8.9.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. +8.9.0-dev,true,process,process.parent.title,keyword,extended,,,Process title. +8.9.0-dev,true,process,process.parent.title.text,match_only_text,extended,,,Process title. +8.9.0-dev,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. +8.9.0-dev,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.9.0-dev,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.9.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. +8.9.0-dev,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.9.0-dev,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.9.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.9.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 
+8.9.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.9.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.9.0-dev,true,process,process.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +8.9.0-dev,true,process,process.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.9.0-dev,true,process,process.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.9.0-dev,true,process,process.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.9.0-dev,true,process,process.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.9.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.9.0-dev,true,process,process.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.9.0-dev,true,process,process.pe.imports,flattened,extended,array,,List of imported element names and types. +8.9.0-dev,true,process,process.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev,true,process,process.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.9.0-dev,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. 
+8.9.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.9.0-dev,true,process,process.pe.sections,nested,extended,array,,Section information of the PE file. +8.9.0-dev,true,process,process.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.9.0-dev,true,process,process.pe.sections.name,keyword,extended,,,PE Section List name. +8.9.0-dev,true,process,process.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.9.0-dev,true,process,process.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.9.0-dev,true,process,process.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.9.0-dev,true,process,process.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. +8.9.0-dev,true,process,process.pid,long,core,,4242,Process id. +8.9.0-dev,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.9.0-dev,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. +8.9.0-dev,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.9.0-dev,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.9.0-dev,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev,true,process,process.real_group.name,keyword,extended,,,Name of the group. +8.9.0-dev,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
+8.9.0-dev,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev,true,process,process.saved_group.name,keyword,extended,,,Name of the group. +8.9.0-dev,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.9.0-dev,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array. +8.9.0-dev,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.9.0-dev,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.9.0-dev,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.9.0-dev,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.9.0-dev,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.9.0-dev,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+8.9.0-dev,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. +8.9.0-dev,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.9.0-dev,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. +8.9.0-dev,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. +8.9.0-dev,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.9.0-dev,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. +8.9.0-dev,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.9.0-dev,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. +8.9.0-dev,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.9.0-dev,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.9.0-dev,true,process,process.session_leader.pid,long,core,,4242,Process id. +8.9.0-dev,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. +8.9.0-dev,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
+8.9.0-dev,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +8.9.0-dev,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group. +8.9.0-dev,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.9.0-dev,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +8.9.0-dev,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. +8.9.0-dev,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.9.0-dev,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.9.0-dev,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
+8.9.0-dev,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.9.0-dev,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.9.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.9.0-dev,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. +8.9.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. +8.9.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. +8.9.0-dev,true,process,process.title,keyword,extended,,,Process title. +8.9.0-dev,true,process,process.title.text,match_only_text,extended,,,Process title. +8.9.0-dev,true,process,process.tty,object,extended,,,Information about the controlling TTY device. +8.9.0-dev,true,process,process.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.9.0-dev,true,process,process.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.9.0-dev,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width +8.9.0-dev,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height +8.9.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. +8.9.0-dev,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
+8.9.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.9.0-dev,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.9.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +8.9.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +8.9.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +8.9.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +8.9.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +8.9.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +8.9.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. +8.9.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. +8.9.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. +8.9.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. +8.9.0-dev,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. 
+8.9.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author +8.9.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category +8.9.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description +8.9.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID +8.9.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license +8.9.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name +8.9.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL +8.9.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset +8.9.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID +8.9.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version +8.9.0-dev,true,server,server.address,keyword,extended,,,Server network address. +8.9.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.9.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.9.0-dev,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.9.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. +8.9.0-dev,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server. +8.9.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name. +8.9.0-dev,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. +8.9.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. +8.9.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.9.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name. 
+8.9.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.9.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.9.0-dev,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. +8.9.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.9.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. +8.9.0-dev,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.9.0-dev,true,server,server.ip,ip,core,,,IP address of the server. +8.9.0-dev,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. +8.9.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip +8.9.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port +8.9.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. +8.9.0-dev,true,server,server.port,long,core,,,Port of the server. +8.9.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." +8.9.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. +8.9.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.9.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.9.0-dev,true,server,server.user.email,keyword,extended,,,User email address. +8.9.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.9.0-dev,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.9.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+8.9.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group. +8.9.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.9.0-dev,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.9.0-dev,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. +8.9.0-dev,true,service,service.environment,keyword,extended,,production,Environment of the service. +8.9.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +8.9.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +8.9.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. +8.9.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. +8.9.0-dev,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +8.9.0-dev,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +8.9.0-dev,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. +8.9.0-dev,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. 
+8.9.0-dev,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +8.9.0-dev,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +8.9.0-dev,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. +8.9.0-dev,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. +8.9.0-dev,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +8.9.0-dev,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +8.9.0-dev,true,service,service.origin.state,keyword,core,,,Current state of the service. +8.9.0-dev,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. +8.9.0-dev,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. +8.9.0-dev,true,service,service.state,keyword,core,,,Current state of the service. +8.9.0-dev,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service. +8.9.0-dev,true,service,service.target.environment,keyword,extended,,production,Environment of the service. +8.9.0-dev,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +8.9.0-dev,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +8.9.0-dev,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. +8.9.0-dev,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. +8.9.0-dev,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. 
+8.9.0-dev,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +8.9.0-dev,true,service,service.target.state,keyword,core,,,Current state of the service. +8.9.0-dev,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. +8.9.0-dev,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. +8.9.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service. +8.9.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service. +8.9.0-dev,true,source,source.address,keyword,extended,,,Source network address. +8.9.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.9.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.9.0-dev,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.9.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. +8.9.0-dev,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source. +8.9.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name. +8.9.0-dev,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. +8.9.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. +8.9.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.9.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name. +8.9.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.9.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.9.0-dev,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. 
+8.9.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.9.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. +8.9.0-dev,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.9.0-dev,true,source,source.ip,ip,core,,,IP address of the source. +8.9.0-dev,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +8.9.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip +8.9.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port +8.9.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. +8.9.0-dev,true,source,source.port,long,core,,,Port of the source. +8.9.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +8.9.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. +8.9.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.9.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.9.0-dev,true,source,source.user.email,keyword,extended,,,User email address. +8.9.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.9.0-dev,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.9.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.9.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group. +8.9.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
+8.9.0-dev,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.9.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. +8.9.0-dev,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. +8.9.0-dev,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. +8.9.0-dev,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.9.0-dev,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.9.0-dev,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.9.0-dev,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating +8.9.0-dev,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +8.9.0-dev,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +8.9.0-dev,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 
+8.9.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.9.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. 
+8.9.0-dev,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. 
+8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. 
+8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +8.9.0-dev,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. 
+8.9.0-dev,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +8.9.0-dev,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +8.9.0-dev,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.9.0-dev,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 
+8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
+8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. 
+8.9.0-dev,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +8.9.0-dev,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. 
+8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.9.0-dev,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
+8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. +8.9.0-dev,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +8.9.0-dev,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. +8.9.0-dev,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. +8.9.0-dev,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +8.9.0-dev,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.9.0-dev,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. +8.9.0-dev,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.9.0-dev,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.9.0-dev,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. +8.9.0-dev,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 
+8.9.0-dev,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. +8.9.0-dev,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.9.0-dev,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +8.9.0-dev,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +8.9.0-dev,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking +8.9.0-dev,true,threat,threat.enrichments.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version +8.9.0-dev,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. +8.9.0-dev,true,threat,threat.enrichments.indicator.name,keyword,extended,,5.2.75.227,Indicator display name +8.9.0-dev,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port +8.9.0-dev,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +8.9.0-dev,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +8.9.0-dev,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +8.9.0-dev,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +8.9.0-dev,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +8.9.0-dev,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. 
+8.9.0-dev,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +8.9.0-dev,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +8.9.0-dev,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. +8.9.0-dev,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics +8.9.0-dev,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed +8.9.0-dev,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +8.9.0-dev,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +8.9.0-dev,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +8.9.0-dev,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +8.9.0-dev,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.9.0-dev,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.9.0-dev,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. 
+8.9.0-dev,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.9.0-dev,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. +8.9.0-dev,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +8.9.0-dev,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." +8.9.0-dev,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. +8.9.0-dev,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +8.9.0-dev,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +8.9.0-dev,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +8.9.0-dev,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.9.0-dev,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. +8.9.0-dev,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.9.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
+8.9.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.9.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.9.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.9.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.9.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.9.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.9.0-dev,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.9.0-dev,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.9.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.9.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.9.0-dev,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.9.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. 
+8.9.0-dev,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.9.0-dev,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.9.0-dev,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.9.0-dev,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.9.0-dev,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.9.0-dev,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.9.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.9.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.9.0-dev,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.9.0-dev,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. 
+8.9.0-dev,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value +8.9.0-dev,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field +8.9.0-dev,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier +8.9.0-dev,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index +8.9.0-dev,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05T17:00:58.326Z,Date of match +8.9.0-dev,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match +8.9.0-dev,true,threat,threat.feed.dashboard_id,keyword,extended,,5ba16340-72e6-11eb-a3e3-b3cc7c78a70f,Feed dashboard ID. +8.9.0-dev,true,threat,threat.feed.description,keyword,extended,,Threat feed from the AlienVault Open Threat eXchange network.,Description of the threat feed. +8.9.0-dev,true,threat,threat.feed.name,keyword,extended,,AlienVault OTX,Name of the threat feed. +8.9.0-dev,true,threat,threat.feed.reference,keyword,extended,,https://otx.alienvault.com,Reference for the threat feed. +8.9.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. +8.9.0-dev,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. +8.9.0-dev,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. +8.9.0-dev,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. +8.9.0-dev,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. +8.9.0-dev,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.9.0-dev,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. 
+8.9.0-dev,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.9.0-dev,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating +8.9.0-dev,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +8.9.0-dev,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +8.9.0-dev,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. +8.9.0-dev,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +8.9.0-dev,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.9.0-dev,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.9.0-dev,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.9.0-dev,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.9.0-dev,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.9.0-dev,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.9.0-dev,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.9.0-dev,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 
+8.9.0-dev,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.9.0-dev,true,threat,threat.indicator.file.created,date,extended,,,File creation time. +8.9.0-dev,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +8.9.0-dev,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +8.9.0-dev,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +8.9.0-dev,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +8.9.0-dev,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.9.0-dev,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.9.0-dev,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.9.0-dev,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +8.9.0-dev,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +8.9.0-dev,true,threat,threat.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.9.0-dev,true,threat,threat.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.9.0-dev,true,threat,threat.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.9.0-dev,true,threat,threat.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 
+8.9.0-dev,true,threat,threat.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.9.0-dev,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.9.0-dev,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.9.0-dev,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.9.0-dev,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.9.0-dev,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.9.0-dev,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.9.0-dev,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.9.0-dev,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +8.9.0-dev,true,threat,threat.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.9.0-dev,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +8.9.0-dev,true,threat,threat.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev,true,threat,threat.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +8.9.0-dev,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. 
+8.9.0-dev,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.9.0-dev,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.9.0-dev,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +8.9.0-dev,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.9.0-dev,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.9.0-dev,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.9.0-dev,true,threat,threat.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.9.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.9.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.9.0-dev,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. +8.9.0-dev,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.9.0-dev,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +8.9.0-dev,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.9.0-dev,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.9.0-dev,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +8.9.0-dev,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. 
+8.9.0-dev,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +8.9.0-dev,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +8.9.0-dev,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. +8.9.0-dev,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. +8.9.0-dev,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. +8.9.0-dev,true,threat,threat.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. +8.9.0-dev,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. +8.9.0-dev,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.9.0-dev,true,threat,threat.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. +8.9.0-dev,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +8.9.0-dev,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +8.9.0-dev,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +8.9.0-dev,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. +8.9.0-dev,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +8.9.0-dev,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. +8.9.0-dev,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.9.0-dev,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.9.0-dev,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 
+8.9.0-dev,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.9.0-dev,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.9.0-dev,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.9.0-dev,true,threat,threat.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +8.9.0-dev,true,threat,threat.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.9.0-dev,true,threat,threat.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.9.0-dev,true,threat,threat.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.9.0-dev,true,threat,threat.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.9.0-dev,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.9.0-dev,true,threat,threat.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.9.0-dev,true,threat,threat.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. +8.9.0-dev,true,threat,threat.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.9.0-dev,true,threat,threat.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
+8.9.0-dev,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.9.0-dev,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.9.0-dev,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.9.0-dev,true,threat,threat.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. +8.9.0-dev,true,threat,threat.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.9.0-dev,true,threat,threat.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. +8.9.0-dev,true,threat,threat.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.9.0-dev,true,threat,threat.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.9.0-dev,true,threat,threat.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.9.0-dev,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. +8.9.0-dev,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +8.9.0-dev,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. +8.9.0-dev,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +8.9.0-dev,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +8.9.0-dev,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
+8.9.0-dev,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.9.0-dev,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.9.0-dev,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.9.0-dev,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.9.0-dev,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.9.0-dev,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.9.0-dev,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.9.0-dev,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.9.0-dev,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.9.0-dev,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.9.0-dev,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.9.0-dev,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. 
+8.9.0-dev,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.9.0-dev,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.9.0-dev,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.9.0-dev,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.9.0-dev,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.9.0-dev,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.9.0-dev,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.9.0-dev,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.9.0-dev,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.9.0-dev,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.9.0-dev,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. +8.9.0-dev,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +8.9.0-dev,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. +8.9.0-dev,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. 
+8.9.0-dev,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +8.9.0-dev,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.9.0-dev,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. +8.9.0-dev,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.9.0-dev,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.9.0-dev,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. +8.9.0-dev,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.9.0-dev,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. +8.9.0-dev,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.9.0-dev,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +8.9.0-dev,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +8.9.0-dev,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking +8.9.0-dev,true,threat,threat.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version +8.9.0-dev,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. 
+8.9.0-dev,true,threat,threat.indicator.name,keyword,extended,,5.2.75.227,Indicator display name +8.9.0-dev,true,threat,threat.indicator.port,long,extended,,443,Indicator port +8.9.0-dev,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +8.9.0-dev,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +8.9.0-dev,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +8.9.0-dev,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +8.9.0-dev,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +8.9.0-dev,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +8.9.0-dev,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +8.9.0-dev,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +8.9.0-dev,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. +8.9.0-dev,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics +8.9.0-dev,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed +8.9.0-dev,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +8.9.0-dev,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +8.9.0-dev,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." 
+8.9.0-dev,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +8.9.0-dev,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.9.0-dev,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.9.0-dev,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.9.0-dev,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.9.0-dev,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. +8.9.0-dev,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +8.9.0-dev,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." +8.9.0-dev,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. +8.9.0-dev,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +8.9.0-dev,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +8.9.0-dev,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +8.9.0-dev,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.9.0-dev,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. +8.9.0-dev,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
+8.9.0-dev,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.9.0-dev,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.9.0-dev,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.9.0-dev,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.9.0-dev,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.9.0-dev,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.9.0-dev,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.9.0-dev,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.9.0-dev,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.9.0-dev,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.9.0-dev,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.9.0-dev,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. 
+8.9.0-dev,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.9.0-dev,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.9.0-dev,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.9.0-dev,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.9.0-dev,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.9.0-dev,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.9.0-dev,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.9.0-dev,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.9.0-dev,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.9.0-dev,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.9.0-dev,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. +8.9.0-dev,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software +8.9.0-dev,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software +8.9.0-dev,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. +8.9.0-dev,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. 
+8.9.0-dev,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. +8.9.0-dev,true,threat,threat.software.type,keyword,extended,,Tool,Software type. +8.9.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. +8.9.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. +8.9.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. +8.9.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. +8.9.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. +8.9.0-dev,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name. +8.9.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. +8.9.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. +8.9.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. +8.9.0-dev,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name. +8.9.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. +8.9.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. +8.9.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. 
+8.9.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. +8.9.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. +8.9.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. +8.9.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. +8.9.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. +8.9.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. +8.9.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. +8.9.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. +8.9.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. +8.9.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. 
+8.9.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. +8.9.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.9.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.9.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.9.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.9.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.9.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.9.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.9.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.9.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.9.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.9.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.9.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. 
This is algorithm specific. +8.9.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.9.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.9.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.9.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.9.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.9.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.9.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.9.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.9.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.9.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.9.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.9.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. +8.9.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." +8.9.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. 
+8.9.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. +8.9.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +8.9.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. +8.9.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. +8.9.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. +8.9.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. +8.9.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. +8.9.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. +8.9.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. +8.9.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. +8.9.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. 
+8.9.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. +8.9.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.9.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.9.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.9.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.9.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.9.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.9.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.9.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.9.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.9.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.9.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.9.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. 
+8.9.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.9.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.9.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.9.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.9.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.9.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.9.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.9.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.9.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.9.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.9.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.9.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. +8.9.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. +8.9.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. +8.9.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. 
+8.9.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. +8.9.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. +8.9.0-dev,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +8.9.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. +8.9.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.9.0-dev,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.9.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.9.0-dev,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.9.0-dev,true,url,url.password,keyword,extended,,,Password of the request. +8.9.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +8.9.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443." +8.9.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. +8.9.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +8.9.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. +8.9.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. +8.9.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.9.0-dev,true,url,url.username,keyword,extended,,,Username of the request. 
+8.9.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. +8.9.0-dev,true,user,user.changes.email,keyword,extended,,,User email address. +8.9.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.9.0-dev,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.9.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.9.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group. +8.9.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.9.0-dev,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.9.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.9.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. +8.9.0-dev,true,user,user.effective.email,keyword,extended,,,User email address. +8.9.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.9.0-dev,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
+8.9.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.9.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group. +8.9.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.9.0-dev,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.9.0-dev,true,user,user.email,keyword,extended,,,User email address. +8.9.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.9.0-dev,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.9.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.9.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group. +8.9.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.9.0-dev,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
+8.9.0-dev,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.9.0-dev,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.9.0-dev,true,user,user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.9.0-dev,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.9.0-dev,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.9.0-dev,true,user,user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +8.9.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.9.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. +8.9.0-dev,true,user,user.target.email,keyword,extended,,,User email address. +8.9.0-dev,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.9.0-dev,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.9.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.9.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.9.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group. 
+8.9.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.9.0-dev,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.9.0-dev,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.9.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. +8.9.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. +8.9.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +8.9.0-dev,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +8.9.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +8.9.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.9.0-dev,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.9.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +8.9.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." 
+8.9.0-dev,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +8.9.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +8.9.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +8.9.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +8.9.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. +8.9.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. +8.9.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. +8.9.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +8.9.0-dev,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +8.9.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. +8.9.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. +8.9.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. +8.9.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. +8.9.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. +8.9.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. 
+8.9.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. +8.9.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. +8.9.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. +8.9.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. diff --git a/generated/elasticsearch/composable/component/agent.json b/generated/elasticsearch/composable/component/agent.json index 9562999a35..c6defb3044 100644 --- a/generated/elasticsearch/composable/component/agent.json +++ b/generated/elasticsearch/composable/component/agent.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/base.json b/generated/elasticsearch/composable/component/base.json index c70e57ab84..12361f1c26 100644 --- a/generated/elasticsearch/composable/component/base.json +++ b/generated/elasticsearch/composable/component/base.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/client.json b/generated/elasticsearch/composable/component/client.json index f1f7362a50..2ca29e8591 100644 --- a/generated/elasticsearch/composable/component/client.json +++ b/generated/elasticsearch/composable/component/client.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { 
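Review bot: In the `generated/csv/fields.csv` hunk above, a few field descriptions carry wording defects that this version bump re-emits unchanged: `tls.client.x509.issuer.country` and `tls.server.x509.issuer.country` read "List of country \(C) codes" while the `subject.country` variants read "List of country \(C) code" (singular, and the literal backslash before "(C)" is showing up in the rendered description), and `user_agent.os.platform` reads "Operating system platform (such centos, ubuntu, windows)" with the "as" missing. Since `generated/` files are build output, none of this should be hand-edited here; the fix belongs in the source schema definitions these rows are generated from, in a separate change, so that the CSV, the `ecs_flat.yml`/`ecs_nested.yml` outputs and the component templates all regenerate consistently. Otherwise the `8.8.0-dev` to `8.9.0-dev` `ecs_version` bump in the component templates that follow is consistent with the `8.9.0-dev` value carried in every CSV row.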
diff --git a/generated/elasticsearch/composable/component/cloud.json b/generated/elasticsearch/composable/component/cloud.json index f4fcfd54b6..561a0c1574 100644 --- a/generated/elasticsearch/composable/component/cloud.json +++ b/generated/elasticsearch/composable/component/cloud.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cloud.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/container.json b/generated/elasticsearch/composable/component/container.json index bf41c0c011..234aa5763a 100644 --- a/generated/elasticsearch/composable/component/container.json +++ b/generated/elasticsearch/composable/component/container.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-container.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/data_stream.json b/generated/elasticsearch/composable/component/data_stream.json index 31cf73d3de..4cf21c99db 100644 --- a/generated/elasticsearch/composable/component/data_stream.json +++ b/generated/elasticsearch/composable/component/data_stream.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-data_stream.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/destination.json b/generated/elasticsearch/composable/component/destination.json index d0ff99e731..ce07f3a2f8 100644 --- a/generated/elasticsearch/composable/component/destination.json +++ b/generated/elasticsearch/composable/component/destination.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/device.json b/generated/elasticsearch/composable/component/device.json index ade22b0278..cd2b4671cb 100644 --- a/generated/elasticsearch/composable/component/device.json +++ b/generated/elasticsearch/composable/component/device.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-device.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/dll.json b/generated/elasticsearch/composable/component/dll.json index f3fda29390..129bfe9c23 100644 --- a/generated/elasticsearch/composable/component/dll.json +++ b/generated/elasticsearch/composable/component/dll.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dll.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/dns.json b/generated/elasticsearch/composable/component/dns.json index e1f38329ca..4ce6813663 100644 --- a/generated/elasticsearch/composable/component/dns.json +++ b/generated/elasticsearch/composable/component/dns.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/ecs.json b/generated/elasticsearch/composable/component/ecs.json index 0e1fd139aa..f4d3bffe9d 100644 --- a/generated/elasticsearch/composable/component/ecs.json +++ b/generated/elasticsearch/composable/component/ecs.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/email.json b/generated/elasticsearch/composable/component/email.json index 0add614215..bae0e508ae 100644 --- a/generated/elasticsearch/composable/component/email.json +++ b/generated/elasticsearch/composable/component/email.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-email.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/error.json b/generated/elasticsearch/composable/component/error.json index b5dcdbf02b..62ba908ba5 100644 --- a/generated/elasticsearch/composable/component/error.json +++ b/generated/elasticsearch/composable/component/error.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-error.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/event.json b/generated/elasticsearch/composable/component/event.json index 178698907d..2781993608 100644 --- a/generated/elasticsearch/composable/component/event.json +++ b/generated/elasticsearch/composable/component/event.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/faas.json b/generated/elasticsearch/composable/component/faas.json index 6b23dea34e..ef93c504f2 100644 --- a/generated/elasticsearch/composable/component/faas.json +++ b/generated/elasticsearch/composable/component/faas.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-faas.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/file.json b/generated/elasticsearch/composable/component/file.json index 77a7b5537c..1132404fa9 100644 --- a/generated/elasticsearch/composable/component/file.json +++ b/generated/elasticsearch/composable/component/file.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/group.json b/generated/elasticsearch/composable/component/group.json index 08d511cc4b..854da6e5c2 100644 --- a/generated/elasticsearch/composable/component/group.json +++ b/generated/elasticsearch/composable/component/group.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-group.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/host.json b/generated/elasticsearch/composable/component/host.json index fa3a9049b6..7fc5025611 100644 --- a/generated/elasticsearch/composable/component/host.json +++ b/generated/elasticsearch/composable/component/host.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/http.json b/generated/elasticsearch/composable/component/http.json index 5c25e34645..9f6a49215e 100644 --- a/generated/elasticsearch/composable/component/http.json +++ b/generated/elasticsearch/composable/component/http.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/log.json b/generated/elasticsearch/composable/component/log.json index ed03cb3148..6a8d324021 100644 --- a/generated/elasticsearch/composable/component/log.json +++ b/generated/elasticsearch/composable/component/log.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/network.json b/generated/elasticsearch/composable/component/network.json index fb1a01358d..8bf777d4ab 100644 --- a/generated/elasticsearch/composable/component/network.json +++ b/generated/elasticsearch/composable/component/network.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/observer.json b/generated/elasticsearch/composable/component/observer.json index f5309feffe..536d646616 100644 --- a/generated/elasticsearch/composable/component/observer.json +++ b/generated/elasticsearch/composable/component/observer.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/orchestrator.json b/generated/elasticsearch/composable/component/orchestrator.json index ed20a55b2f..971f151316 100644 --- a/generated/elasticsearch/composable/component/orchestrator.json +++ b/generated/elasticsearch/composable/component/orchestrator.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-orchestrator.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/organization.json b/generated/elasticsearch/composable/component/organization.json index 42013419ad..be584267bd 100644 --- a/generated/elasticsearch/composable/component/organization.json +++ b/generated/elasticsearch/composable/component/organization.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-organization.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/package.json b/generated/elasticsearch/composable/component/package.json index dc46f7a4c4..15c056cc93 100644 --- a/generated/elasticsearch/composable/component/package.json +++ b/generated/elasticsearch/composable/component/package.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-package.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/process.json b/generated/elasticsearch/composable/component/process.json index b2b3b2f9aa..698559b278 100644 --- a/generated/elasticsearch/composable/component/process.json +++ b/generated/elasticsearch/composable/component/process.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/registry.json b/generated/elasticsearch/composable/component/registry.json index 1dd6a56297..cf0b5abddb 100644 --- a/generated/elasticsearch/composable/component/registry.json 
+++ b/generated/elasticsearch/composable/component/registry.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-registry.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/related.json b/generated/elasticsearch/composable/component/related.json index bc9591b3d0..97ad411d42 100644 --- a/generated/elasticsearch/composable/component/related.json +++ b/generated/elasticsearch/composable/component/related.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-related.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/rule.json b/generated/elasticsearch/composable/component/rule.json index da7656e533..b3014f0a62 100644 --- a/generated/elasticsearch/composable/component/rule.json +++ b/generated/elasticsearch/composable/component/rule.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/server.json b/generated/elasticsearch/composable/component/server.json index 1c4d5b0421..7f1b38b12e 100644 --- a/generated/elasticsearch/composable/component/server.json +++ b/generated/elasticsearch/composable/component/server.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/service.json b/generated/elasticsearch/composable/component/service.json index 39633ba104..fc5e8ef73f 100644 --- a/generated/elasticsearch/composable/component/service.json 
+++ b/generated/elasticsearch/composable/component/service.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/source.json b/generated/elasticsearch/composable/component/source.json index a06e61048e..4ca1c8edaf 100644 --- a/generated/elasticsearch/composable/component/source.json +++ b/generated/elasticsearch/composable/component/source.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/threat.json b/generated/elasticsearch/composable/component/threat.json index ffbba799c7..9b1d930a78 100644 --- a/generated/elasticsearch/composable/component/threat.json +++ b/generated/elasticsearch/composable/component/threat.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-threat.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/tls.json b/generated/elasticsearch/composable/component/tls.json index 82ff39f4bd..8e8acfcee6 100644 --- a/generated/elasticsearch/composable/component/tls.json +++ b/generated/elasticsearch/composable/component/tls.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tls.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/tracing.json b/generated/elasticsearch/composable/component/tracing.json index 8c17ba0a07..cd43d65796 100644 --- a/generated/elasticsearch/composable/component/tracing.json 
+++ b/generated/elasticsearch/composable/component/tracing.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tracing.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/url.json b/generated/elasticsearch/composable/component/url.json index 4974e21209..ce6c34a8eb 100644 --- a/generated/elasticsearch/composable/component/url.json +++ b/generated/elasticsearch/composable/component/url.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/user.json b/generated/elasticsearch/composable/component/user.json index ebda098c2f..f17e31e8e0 100644 --- a/generated/elasticsearch/composable/component/user.json +++ b/generated/elasticsearch/composable/component/user.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/user_agent.json b/generated/elasticsearch/composable/component/user_agent.json index a0bd6537cc..8fcf0bd0c0 100644 --- a/generated/elasticsearch/composable/component/user_agent.json +++ b/generated/elasticsearch/composable/component/user_agent.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/vulnerability.json b/generated/elasticsearch/composable/component/vulnerability.json index 3a3ad83d5b..f6b8dc81d4 100644 --- a/generated/elasticsearch/composable/component/vulnerability.json 
+++ b/generated/elasticsearch/composable/component/vulnerability.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/template.json b/generated/elasticsearch/composable/template.json index 357b9f0051..d9ad7e34cf 100644 --- a/generated/elasticsearch/composable/template.json +++ b/generated/elasticsearch/composable/template.json 
@@ -1,48 +1,48 @@ { "_meta": { "description": "Sample composable template that includes all ECS fields", - "ecs_version": "8.8.0-dev" + "ecs_version": "8.9.0-dev" }, "composed_of": [ - "ecs_8.8.0-dev_base", - "ecs_8.8.0-dev_agent", - "ecs_8.8.0-dev_client", - "ecs_8.8.0-dev_cloud", - "ecs_8.8.0-dev_container", - "ecs_8.8.0-dev_data_stream", - "ecs_8.8.0-dev_destination", - "ecs_8.8.0-dev_device", - "ecs_8.8.0-dev_dll", - "ecs_8.8.0-dev_dns", - "ecs_8.8.0-dev_ecs", - "ecs_8.8.0-dev_email", - "ecs_8.8.0-dev_error", - "ecs_8.8.0-dev_event", - "ecs_8.8.0-dev_faas", - "ecs_8.8.0-dev_file", - "ecs_8.8.0-dev_group", - "ecs_8.8.0-dev_host", - "ecs_8.8.0-dev_http", - "ecs_8.8.0-dev_log", - "ecs_8.8.0-dev_network", - "ecs_8.8.0-dev_observer", - "ecs_8.8.0-dev_orchestrator", - "ecs_8.8.0-dev_organization", - "ecs_8.8.0-dev_package", - "ecs_8.8.0-dev_process", - "ecs_8.8.0-dev_registry", - "ecs_8.8.0-dev_related", - "ecs_8.8.0-dev_rule", - "ecs_8.8.0-dev_server", - "ecs_8.8.0-dev_service", - "ecs_8.8.0-dev_source", - "ecs_8.8.0-dev_threat", - "ecs_8.8.0-dev_tls", - "ecs_8.8.0-dev_tracing", - "ecs_8.8.0-dev_url", - "ecs_8.8.0-dev_user_agent", - "ecs_8.8.0-dev_user", - "ecs_8.8.0-dev_vulnerability" + "ecs_8.9.0-dev_base", + "ecs_8.9.0-dev_agent", + "ecs_8.9.0-dev_client", + "ecs_8.9.0-dev_cloud", + "ecs_8.9.0-dev_container", + "ecs_8.9.0-dev_data_stream", + "ecs_8.9.0-dev_destination", + "ecs_8.9.0-dev_device", + "ecs_8.9.0-dev_dll", + "ecs_8.9.0-dev_dns", + "ecs_8.9.0-dev_ecs", + "ecs_8.9.0-dev_email", + "ecs_8.9.0-dev_error", + "ecs_8.9.0-dev_event", + "ecs_8.9.0-dev_faas", + "ecs_8.9.0-dev_file", + "ecs_8.9.0-dev_group", + "ecs_8.9.0-dev_host", + "ecs_8.9.0-dev_http", + "ecs_8.9.0-dev_log", + "ecs_8.9.0-dev_network", + "ecs_8.9.0-dev_observer", + "ecs_8.9.0-dev_orchestrator", + "ecs_8.9.0-dev_organization", + "ecs_8.9.0-dev_package", + "ecs_8.9.0-dev_process", + "ecs_8.9.0-dev_registry", + "ecs_8.9.0-dev_related", + "ecs_8.9.0-dev_rule", + "ecs_8.9.0-dev_server", + 
"ecs_8.9.0-dev_service", + "ecs_8.9.0-dev_source", + "ecs_8.9.0-dev_threat", + "ecs_8.9.0-dev_tls", + "ecs_8.9.0-dev_tracing", + "ecs_8.9.0-dev_url", + "ecs_8.9.0-dev_user_agent", + "ecs_8.9.0-dev_user", + "ecs_8.9.0-dev_vulnerability" ], "index_patterns": [ "try-ecs-*" diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index a196ba4b76..033659e11a 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -4,7 +4,7 @@ ], "mappings": { "_meta": { - "version": "8.8.0-dev" + "version": "8.9.0-dev" }, "date_detection": false, "dynamic_templates": [ diff --git a/version b/version index 4cc4170fef..38987536ce 100644 --- a/version +++ b/version @@ -1 +1 @@ -8.8.0-dev +8.9.0-dev From 7cb79f6ec6437f1f219a2b3465e817feead7afe0 Mon Sep 17 00:00:00 2001 From: Kylie Meli Date: Tue, 25 Apr 2023 12:58:41 -0400 Subject: [PATCH 088/186] adding 8.8 to backport tool (#2199) --- .backportrc.json | 1 + 1 file changed, 1 insertion(+) diff --git a/.backportrc.json b/.backportrc.json index 0903268e48..6ecb3ac7a6 100644 --- a/.backportrc.json +++ b/.backportrc.json @@ -2,6 +2,7 @@ "upstream": "elastic/ecs", "branches": [ { "name": "main", "checked": true }, + "8.8", "8.7", "8.6", "8.5", From 2edbde7c1d85576b283e25dc7f0379111367d441 Mon Sep 17 00:00:00 2001 From: Kylie Meli Date: Tue, 25 Apr 2023 13:22:23 -0400 Subject: [PATCH 089/186] [main] Changelog for 8.8 ff (#2198) (#2200) --- CHANGELOG.next.md | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 1c0548fd67..cfa90dc059 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -16,9 +16,6 @@ Thanks, you're awesome :-) --> #### Added -* Add `access` as an allowed type for `event.type: file`. #2174 -* Add `event.kind: asset` as a beta category. #2191 - #### Improvements #### Deprecated 
@@ -31,14 +28,25 @@ Thanks, you're awesome :-) --> #### Added -* Add `parameters` property for field definitions, to provide any mapping parameter. #2084 - #### Improvements -* Bump `gitpython` from `3.1.27` to `3.1.30` in `/scripts`. #2139 - #### Deprecated +## 8.8.0 (Feature Freeze) + +### Schema Changes + +#### Added + +* Add `access` as an allowed type for `event.type: file`. #2174 +* Add `event.kind: asset` as a beta category. #2191 + +### Tooling and Artifact Changes + +#### Added + +* Add `parameters` property for field definitions, to provide any mapping parameter. #2084 + #### Improvements #### Deprecated +* Removed `faas.trigger: nested` since we only have one trigger. #2194 ### Tooling and Artifact Changes diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index 6c78f2919a..f47e1dfa99 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -3928,22 +3928,6 @@ type: keyword example: `my-function` -| extended - -// =============================================================== - -| -[[field-faas-trigger]] -<> - -a| Details about the function trigger. - -type: nested - - - - - | extended // =============================================================== diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 5401c30f08..d8a4d71a97 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -2697,11 +2697,6 @@ description: The name of a serverless function. example: my-function default_field: false - - name: trigger - level: extended - type: nested - description: Details about the function trigger. - default_field: false - name: trigger.request_id level: extended type: keyword diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index ecbb826a0c..9714e055db 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -268,7 +268,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.9.0-dev+exp,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. 8.9.0-dev+exp,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. 8.9.0-dev+exp,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. -8.9.0-dev+exp,true,faas,faas.trigger,nested,extended,,,Details about the function trigger. 8.9.0-dev+exp,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." 8.9.0-dev+exp,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. 8.9.0-dev+exp,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index bff6b1f9b1..70131bf089 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -3794,15 +3794,6 @@ faas.name: normalize: [] short: The name of a serverless function. type: keyword -faas.trigger: - dashed_name: faas-trigger - description: Details about the function trigger. - flat_name: faas.trigger - level: extended - name: trigger - normalize: [] - short: Details about the function trigger. - type: nested faas.trigger.request_id: dashed_name: faas-trigger-request-id description: The ID of the trigger request , message, event, etc. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index ac4d22cc35..1ea077fd54 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -4813,15 +4813,6 @@ faas: normalize: [] short: The name of a serverless function. type: keyword - faas.trigger: - dashed_name: faas-trigger - description: Details about the function trigger. - flat_name: faas.trigger - level: extended - name: trigger - normalize: [] - short: Details about the function trigger. - type: nested faas.trigger.request_id: dashed_name: faas-trigger-request-id description: The ID of the trigger request , message, event, etc. diff --git a/experimental/generated/elasticsearch/composable/component/faas.json b/experimental/generated/elasticsearch/composable/component/faas.json index f4910103f1..db25dc7466 100644 --- a/experimental/generated/elasticsearch/composable/component/faas.json +++ b/experimental/generated/elasticsearch/composable/component/faas.json @@ -33,8 +33,7 @@ "ignore_above": 1024, "type": "keyword" } - }, - "type": "nested" + } }, "version": { "ignore_above": 1024, diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index 4d6e6c25a0..4f9ddc2990 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -1327,8 +1327,7 @@ "ignore_above": 1024, "type": "keyword" } - }, - "type": "nested" + } }, "version": { "ignore_above": 1024, diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 464ffaf05d..6de87167ce 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -2647,11 +2647,6 @@ description: The name of a serverless function. example: my-function default_field: false - - name: trigger - level: extended - type: nested - description: Details about the function trigger. - default_field: false - name: trigger.request_id level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index c054bd227b..fb03a15830 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -261,7 +261,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.9.0-dev,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. 8.9.0-dev,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. 8.9.0-dev,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. -8.9.0-dev,true,faas,faas.trigger,nested,extended,,,Details about the function trigger. 8.9.0-dev,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." 8.9.0-dev,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. 8.9.0-dev,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 2507051061..62613614db 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -3725,15 +3725,6 @@ faas.name: normalize: [] short: The name of a serverless function. type: keyword -faas.trigger: - dashed_name: faas-trigger - description: Details about the function trigger. - flat_name: faas.trigger - level: extended - name: trigger - normalize: [] - short: Details about the function trigger. - type: nested faas.trigger.request_id: dashed_name: faas-trigger-request-id description: The ID of the trigger request , message, event, etc. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 14aebf51de..8f48efac76 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -4733,15 +4733,6 @@ faas: normalize: [] short: The name of a serverless function. type: keyword - faas.trigger: - dashed_name: faas-trigger - description: Details about the function trigger. - flat_name: faas.trigger - level: extended - name: trigger - normalize: [] - short: Details about the function trigger. - type: nested faas.trigger.request_id: dashed_name: faas-trigger-request-id description: The ID of the trigger request , message, event, etc. diff --git a/generated/elasticsearch/composable/component/faas.json b/generated/elasticsearch/composable/component/faas.json index ef93c504f2..721f97f65f 100644 --- a/generated/elasticsearch/composable/component/faas.json +++ b/generated/elasticsearch/composable/component/faas.json @@ -33,8 +33,7 @@ "ignore_above": 1024, "type": "keyword" } - }, - "type": "nested" + } }, "version": { "ignore_above": 1024, diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index 033659e11a..0731842c8d 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -1285,8 +1285,7 @@ "ignore_above": 1024, "type": "keyword" } - }, - "type": "nested" + } }, "version": { "ignore_above": 1024, diff --git a/schemas/faas.yml b/schemas/faas.yml index aeeff3de9f..018e3f93a9 100644 --- a/schemas/faas.yml +++ b/schemas/faas.yml @@ -58,11 +58,6 @@ type: keyword level: extended example: "af9d5aa4-a685-4c5f-a22b-444f80b3cc28" - - name: trigger - level: extended - type: nested - description: > - Details about the function trigger. - name: trigger.type level: extended type: keyword From 6def3e9b57894e460635175cc37d20f8ee9a763f Mon Sep 17 00:00:00 2001 
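Review bot: the CHANGELOG.next.md hunk `@@ -31,14 +28,25 @@` deletes the Tooling Improvements entry `* Bump `gitpython` from `3.1.27` to `3.1.30` in `/scripts`. #2139` without carrying it into the new `## 8.8.0 (Feature Freeze)` section, while the #2174, #2191 and #2084 entries are moved rather than dropped. Either move #2139 under the 8.8.0 `### Tooling and Artifact Changes` / `#### Improvements` heading (which the hunk leaves empty) or state why it is being removed; a dependency bump is exactly the kind of entry people search a release changelog for.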
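Review bot: the changelog line `* Removed `faas.trigger: nested` since we only have one trigger. #2194` is filed under `#### Deprecated`, but the hunks in `generated/elasticsearch/composable/component/faas.json` and `generated/elasticsearch/legacy/template.json` delete `"type": "nested"` from the `trigger` mapping, which changes `faas.trigger` from a `nested` field to a plain object. Elasticsearch does not permit changing a field's type on an existing index, so indices created from the 8.8 templates cannot be updated in place, and `nested` queries written against `faas.trigger.*` fail against the new mapping. The simplification itself is sound (one trigger per event), but the entry belongs under breaking changes with a note that affected indices must be re-created or rolled over, not under deprecations.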
From: Eric Beahan Date: Fri, 28 Apr 2023 12:04:48 -0500 Subject: [PATCH 091/186] add GH Action to comment with docs preview for relevant PRs (#2183) --- .github/workflows/docs-preview-comment.yml | 25 ++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 .github/workflows/docs-preview-comment.yml diff --git a/.github/workflows/docs-preview-comment.yml b/.github/workflows/docs-preview-comment.yml new file mode 100644 index 0000000000..484e1b83d0 --- /dev/null +++ b/.github/workflows/docs-preview-comment.yml @@ -0,0 +1,25 @@ +name: Docs Preview Comment + +on: + pull_request_target: + types: [opened] + paths: + - docs/** + +jobs: + doc-preview: + runs-on: ubuntu-latest + steps: + - uses: actions/github-script@v6 + name: Add doc preview links + with: + script: | + const pr = context.payload.pull_request; + const comment = `Documentation changes preview: https://${context.repo.repo}_${pr.number}.docs-preview.app.elstc.co/diff`; + + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: comment, + }); From f9a25f5fffa8bd1923f6f0cf833e4fa9a81e7be9 Mon Sep 17 00:00:00 2001 
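Review bot: the new `docs-preview-comment.yml` runs on `pull_request_target`, which gives the job a write-capable token for PRs from forks, yet it declares no `permissions:` block, so the step inherits the repository's default token permissions even though all it does is post a comment. Add a top-level `permissions:` limiting the token to `pull-requests: write`. The script itself is fine for this trigger: it never checks out the PR head, and the only PR-derived value interpolated into the comment is the numeric `pr.number` (plus `context.repo.repo`, which comes from the base repository), so no attacker-controlled string reaches the comment body. Consider also pinning `actions/github-script@v6` to a commit SHA rather than a floating major tag.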
From: Karl Godard Date: Fri, 28 Apr 2023 14:44:30 -0700 Subject: [PATCH 092/186] Orchestrator additions for features coming in 8.8 (#2181) * new fields added to orchestrator fieldset * build artifacts --------- Co-authored-by: Eric Beahan --- docs/fields/field-details.asciidoc | 38 +++++++++++++++++++ experimental/generated/beats/fields.ecs.yml | 14 +++++++ experimental/generated/csv/fields.csv | 2 + experimental/generated/ecs/ecs_flat.yml | 24 ++++++++++++ experimental/generated/ecs/ecs_nested.yml | 24 ++++++++++++ .../composable/component/orchestrator.json | 8 ++++ .../elasticsearch/legacy/template.json | 8 ++++ generated/beats/fields.ecs.yml | 14 +++++++ generated/csv/fields.csv | 2 + generated/ecs/ecs_flat.yml | 24 ++++++++++++ generated/ecs/ecs_nested.yml | 24 ++++++++++++ .../composable/component/orchestrator.json | 8 ++++ generated/elasticsearch/legacy/template.json | 8 ++++ schemas/orchestrator.yml | 22 ++++++++++- 14 files changed, 218 insertions(+), 2 deletions(-) diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index f47e1dfa99..09f85d0743 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -6941,6 +6941,25 @@ example: `elastic` // =============================================================== +| +[[field-orchestrator-resource-annotation]] +<> + +a| The list of annotations added to the resource. + +type: keyword + + +Note: this field should contain an array of values. + + + +example: `['key1:value1', 'key2:value2', 'key3:value3']` + +| extended + +// =============================================================== + | [[field-orchestrator-resource-id]] <> 
@@ -6972,6 +6991,25 @@ Note: this field should contain an array of values. +| extended + +// =============================================================== + +| +[[field-orchestrator-resource-label]] +<> + +a| The list of labels added to the resource. + +type: keyword + + +Note: this field should contain an array of values. + + + +example: `['key1:value1', 'key2:value2', 'key3:value3']` + | extended // =============================================================== diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index d8a4d71a97..0447763b81 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -5174,6 +5174,13 @@ setups). example: elastic default_field: false + - name: resource.annotation + level: extended + type: keyword + ignore_above: 1024 + description: The list of annotations added to the resource. + example: '[''key1:value1'', ''key2:value2'', ''key3:value3'']' + default_field: false - name: resource.id level: extended type: keyword @@ -5188,6 +5195,13 @@ only one element: the IP of the Pod (as opposed to the Node on which the Pod is running).' default_field: false + - name: resource.label + level: extended + type: keyword + ignore_above: 1024 + description: The list of labels added to the resource. + example: '[''key1:value1'', ''key2:value2'', ''key3:value3'']' + default_field: false - name: resource.name level: extended type: keyword diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 9714e055db..404dd41828 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -558,8 +558,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.9.0-dev+exp,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. 8.9.0-dev+exp,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. 8.9.0-dev+exp,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). +8.9.0-dev+exp,true,orchestrator,orchestrator.resource.annotation,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of annotations added to the resource. 8.9.0-dev+exp,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. 8.9.0-dev+exp,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. +8.9.0-dev+exp,true,orchestrator,orchestrator.resource.label,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of labels added to the resource. 8.9.0-dev+exp,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. 8.9.0-dev+exp,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. 8.9.0-dev+exp,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 70131bf089..46e388afd2 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -7370,6 +7370,18 @@ orchestrator.organization: normalize: [] short: Organization affected by the event (for multi-tenant orchestrator setups). type: keyword +orchestrator.resource.annotation: + dashed_name: orchestrator-resource-annotation + description: The list of annotations added to the resource. + example: '[''key1:value1'', ''key2:value2'', ''key3:value3'']' + flat_name: orchestrator.resource.annotation + ignore_above: 1024 + level: extended + name: resource.annotation + normalize: + - array + short: The list of annotations added to the resource. + type: keyword orchestrator.resource.id: dashed_name: orchestrator-resource-id description: Unique ID of the resource being acted upon. @@ -7392,6 +7404,18 @@ orchestrator.resource.ip: - array short: IP address assigned to the resource associated with the event being observed. type: ip +orchestrator.resource.label: + dashed_name: orchestrator-resource-label + description: The list of labels added to the resource. + example: '[''key1:value1'', ''key2:value2'', ''key3:value3'']' + flat_name: orchestrator.resource.label + ignore_above: 1024 + level: extended + name: resource.label + normalize: + - array + short: The list of labels added to the resource. + type: keyword orchestrator.resource.name: dashed_name: orchestrator-resource-name description: Name of the resource being acted upon. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 1ea077fd54..aa57d41b73 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -9135,6 +9135,18 @@ orchestrator: normalize: [] short: Organization affected by the event (for multi-tenant orchestrator setups). type: keyword + orchestrator.resource.annotation: + dashed_name: orchestrator-resource-annotation + description: The list of annotations added to the resource. + example: '[''key1:value1'', ''key2:value2'', ''key3:value3'']' + flat_name: orchestrator.resource.annotation + ignore_above: 1024 + level: extended + name: resource.annotation + normalize: + - array + short: The list of annotations added to the resource. + type: keyword orchestrator.resource.id: dashed_name: orchestrator-resource-id description: Unique ID of the resource being acted upon. @@ -9158,6 +9170,18 @@ orchestrator: - array short: IP address assigned to the resource associated with the event being observed. type: ip + orchestrator.resource.label: + dashed_name: orchestrator-resource-label + description: The list of labels added to the resource. + example: '[''key1:value1'', ''key2:value2'', ''key3:value3'']' + flat_name: orchestrator.resource.label + ignore_above: 1024 + level: extended + name: resource.label + normalize: + - array + short: The list of labels added to the resource. + type: keyword orchestrator.resource.name: dashed_name: orchestrator-resource-name description: Name of the resource being acted upon. diff --git a/experimental/generated/elasticsearch/composable/component/orchestrator.json b/experimental/generated/elasticsearch/composable/component/orchestrator.json index d4a15c9456..ae8295a66f 100644 --- a/experimental/generated/elasticsearch/composable/component/orchestrator.json +++ b/experimental/generated/elasticsearch/composable/component/orchestrator.json @@ -42,6 +42,10 @@ }, "resource": { "properties": { + "annotation": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -49,6 +53,10 @@ "ip": { "type": "ip" }, + "label": { + "ignore_above": 1024, + "type": "keyword" + }, "name": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index 4f9ddc2990..d4e3f9c87f 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -2610,6 +2610,10 @@ }, "resource": { "properties": { + "annotation": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" @@ -2617,6 +2621,10 @@ "ip": { "type": "ip" }, + "label": { + "ignore_above": 1024, + "type": "keyword" + }, "name": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 6de87167ce..cb1149a649 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -5124,6 +5124,13 @@ setups). example: elastic default_field: false + - name: resource.annotation + level: extended + type: keyword + ignore_above: 1024 + description: The list of annotations added to the resource. + example: '[''key1:value1'', ''key2:value2'', ''key3:value3'']' + default_field: false - name: resource.id level: extended type: keyword @@ -5138,6 +5145,13 @@ only one element: the IP of the Pod (as opposed to the Node on which the Pod is running).' default_field: false + - name: resource.label + level: extended + type: keyword + ignore_above: 1024 + description: The list of labels added to the resource. + example: '[''key1:value1'', ''key2:value2'', ''key3:value3'']' + default_field: false - name: resource.name level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index fb03a15830..daa2f80795 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -551,8 +551,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.9.0-dev,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. 8.9.0-dev,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. 8.9.0-dev,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). +8.9.0-dev,true,orchestrator,orchestrator.resource.annotation,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of annotations added to the resource. 8.9.0-dev,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. 8.9.0-dev,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. +8.9.0-dev,true,orchestrator,orchestrator.resource.label,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of labels added to the resource. 8.9.0-dev,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. 8.9.0-dev,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. 8.9.0-dev,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 62613614db..2a758da057 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -7301,6 +7301,18 @@ orchestrator.organization: normalize: [] short: Organization affected by the event (for multi-tenant orchestrator setups). type: keyword +orchestrator.resource.annotation: + dashed_name: orchestrator-resource-annotation + description: The list of annotations added to the resource. + example: '[''key1:value1'', ''key2:value2'', ''key3:value3'']' + flat_name: orchestrator.resource.annotation + ignore_above: 1024 + level: extended + name: resource.annotation + normalize: + - array + short: The list of annotations added to the resource. + type: keyword orchestrator.resource.id: dashed_name: orchestrator-resource-id description: Unique ID of the resource being acted upon. @@ -7323,6 +7335,18 @@ orchestrator.resource.ip: - array short: IP address assigned to the resource associated with the event being observed. type: ip +orchestrator.resource.label: + dashed_name: orchestrator-resource-label + description: The list of labels added to the resource. + example: '[''key1:value1'', ''key2:value2'', ''key3:value3'']' + flat_name: orchestrator.resource.label + ignore_above: 1024 + level: extended + name: resource.label + normalize: + - array + short: The list of labels added to the resource. + type: keyword orchestrator.resource.name: dashed_name: orchestrator-resource-name description: Name of the resource being acted upon. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 8f48efac76..58939dd619 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -9055,6 +9055,18 @@ orchestrator: normalize: [] short: Organization affected by the event (for multi-tenant orchestrator setups). type: keyword + orchestrator.resource.annotation: + dashed_name: orchestrator-resource-annotation + description: The list of annotations added to the resource. + example: '[''key1:value1'', ''key2:value2'', ''key3:value3'']' + flat_name: orchestrator.resource.annotation + ignore_above: 1024 + level: extended + name: resource.annotation + normalize: + - array + short: The list of annotations added to the resource. + type: keyword orchestrator.resource.id: dashed_name: orchestrator-resource-id description: Unique ID of the resource being acted upon. @@ -9078,6 +9090,18 @@ orchestrator: - array short: IP address assigned to the resource associated with the event being observed. type: ip + orchestrator.resource.label: + dashed_name: orchestrator-resource-label + description: The list of labels added to the resource. + example: '[''key1:value1'', ''key2:value2'', ''key3:value3'']' + flat_name: orchestrator.resource.label + ignore_above: 1024 + level: extended + name: resource.label + normalize: + - array + short: The list of labels added to the resource. + type: keyword orchestrator.resource.name: dashed_name: orchestrator-resource-name description: Name of the resource being acted upon. diff --git a/generated/elasticsearch/composable/component/orchestrator.json b/generated/elasticsearch/composable/component/orchestrator.json index 971f151316..8839f4f458 100644 --- a/generated/elasticsearch/composable/component/orchestrator.json +++ b/generated/elasticsearch/composable/component/orchestrator.json @@ -42,6 +42,10 @@ }, "resource": { "properties": { + "annotation": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" @@ -49,6 +53,10 @@ "ip": { "type": "ip" }, + "label": { + "ignore_above": 1024, + "type": "keyword" + }, "name": { "ignore_above": 1024, "type": "keyword" 
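Review bot: the `orchestrator.resource.annotation` and `orchestrator.resource.label` definitions never say how a key and its value are delimited inside each array element, and the example `['key1:value1', 'key2:value2', 'key3:value3']` is the only hint. Kubernetes annotation and label values routinely contain colons themselves (URLs, timestamps, the JSON manifest stored under `kubectl.kubernetes.io/last-applied-configuration`), so a consumer cannot tell whether to split on the first `:` or the last; the `description` should state the rule explicitly (split on the first colon), or the field could use `=` the way `process.env_vars` does with `"PATH=/usr/local/bin:/usr/bin"`. A second, more important caveat for anyone writing detections over these fields: `ignore_above: 1024` on a `keyword` means any element longer than 1024 characters is silently left out of the index (it stays in `_source` only), and a full `last-applied-configuration` manifest is exactly the kind of value that exceeds it. Either document that limitation in the description or give these two fields a larger `ignore_above` than the default used everywhere else in this hunk.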
diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index 0731842c8d..669b8094e0 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -2568,6 +2568,10 @@ }, "resource": { "properties": { + "annotation": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" @@ -2575,6 +2579,10 @@ "ip": { "type": "ip" }, + "label": { + "ignore_above": 1024, + "type": "keyword" + }, "name": { "ignore_above": 1024, "type": "keyword" diff --git a/schemas/orchestrator.yml b/schemas/orchestrator.yml index f73f858a25..fa7fda91f5 100644 --- a/schemas/orchestrator.yml +++ b/schemas/orchestrator.yml @@ -34,7 +34,7 @@ level: extended type: keyword description: > - Unique ID of the cluster. + Unique ID of the cluster. - name: cluster.url level: extended @@ -69,6 +69,24 @@ description: > Namespace in which the action is taking place. + - name: resource.annotation + level: extended + type: keyword + example: "['key1:value1', 'key2:value2', 'key3:value3']" + description: > + The list of annotations added to the resource. + normalize: + - array + + - name: resource.label + level: extended + type: keyword + example: "['key1:value1', 'key2:value2', 'key3:value3']" + description: > + The list of labels added to the resource. + normalize: + - array + - name: resource.name level: extended type: keyword @@ -106,7 +124,7 @@ level: extended type: keyword description: > - Unique ID of the resource being acted upon. + Unique ID of the resource being acted upon. - name: api_version level: extended From e7e48b6cf4ff44f96a3dce8f628b170265332b62 Mon Sep 17 00:00:00 2001 From: Kylie Meli Date: Thu, 25 May 2023 15:21:28 -0400 Subject: [PATCH 093/186] [main] Finalize 8.8 changelog (#2208) #2212 --- CHANGELOG.md | 16 ++++++++++++++++ CHANGELOG.next.md | 15 --------------- 2 files changed, 16 insertions(+), 15 deletions(-) 
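Review bot: the two `schemas/orchestrator.yml` hunks that remove and re-add `Unique ID of the cluster.` and `Unique ID of the resource being acted upon.` show lines that read identically, so the change is presumably trailing whitespace; harmless, but unrelated whitespace cleanups are easier to review in their own commit. In the substantive hunk, the `example` for `resource.annotation` and `resource.label` is written as a Python-style single-quoted list (`"['key1:value1', 'key2:value2', 'key3:value3']"`), whereas the other array example in this tree, `process.env_vars`, uses a double-quoted JSON array. This file is the source the CSV, `ecs_flat.yml`, `ecs_nested.yml` and the Elasticsearch templates are generated from, so the style fix (and any wording about the key/value delimiter) belongs here and will propagate on regeneration.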
diff --git a/CHANGELOG.md b/CHANGELOG.md index 8c3af96c00..03ba6f75f0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,22 @@ # CHANGELOG All notable changes to this project will be documented in this file based on the [Keep a Changelog](http://keepachangelog.com/) Standard. This project adheres to [Semantic Versioning](http://semver.org/). +## [8.8.0](https://github.com/elastic/ecs/compare/v8.7.0...v8.8.0) + +### Schema Changes + +#### Added + +* Add `access` as an allowed type for `event.type: file`. #2174 +* Add `orchestrator.resource.annotation` and `orchestrator.resource.label`. #2181 +* Add `event.kind: asset` as a beta category. #2191 + +### Tooling and Artifact Changes + +#### Added + +* Add `parameters` property for field definitions, to provide any mapping parameter. #2084 + ## [8.7.0](https://github.com/elastic/ecs/compare/v8.6.1...v8.7.0) ### Schema Changes diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 911096ff95..2906096d6a 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -33,21 +33,6 @@ Thanks, you're awesome :-) --> #### Deprecated -## 8.8.0 (Feature Freeze) - -### Schema Changes - -#### Added - -* Add `access` as an allowed type for `event.type: file`. #2174 -* Add `event.kind: asset` as a beta category. #2191 - -### Tooling and Artifact Changes - -#### Added - -* Add `parameters` property for field definitions, to provide any mapping parameter. #2084 - #### Bugfixes #### Added +* Added `process.vpid` for namespaced process ids. #2211 #### Improvements diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index 09f85d0743..28d6f700f0 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc 
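Review bot: the `CHANGELOG.next.md` hunk does not match the patch it is attached to. The stat line says `2 files changed, 16 insertions(+), 15 deletions(-)` with `CHANGELOG.next.md` showing deletions only, yet the hunk also adds `+* Added \`process.vpid\` for namespaced process ids. #2211`, and the diff then continues into `docs/fields/field-details.asciidoc` and the generated artefacts for that field. The `process.vpid` addition looks like a separate commit whose header was lost; it should be reviewed, and land, on its own rather than inside a changelog-finalization change. Separately, the new 8.8.0 entry `Add \`orchestrator.resource.annotation\` and \`orchestrator.resource.label\`. #2181` has no counterpart among the lines removed from `CHANGELOG.next.md` (#2174, #2191 and #2084 are moved, #2181 is not), so confirm that #2181 was simply never recorded there rather than belonging to a different release.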
@@ -8593,6 +8593,24 @@ example: `1325` // =============================================================== +| +[[field-process-vpid]] +<> + +a| Virtual process id. + +The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within. + +type: long + + + +example: `4242` + +| core + +// =============================================================== + | [[field-process-working-directory]] <> diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 0447763b81..5024360172 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -6165,12 +6165,34 @@ description: The time the process started. example: '2016-05-23T08:05:34.853Z' default_field: false + - name: entry_leader.parent.session_leader.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false - name: entry_leader.parent.start level: extended type: date description: The time the process started. example: '2016-05-23T08:05:34.853Z' default_field: false + - name: entry_leader.parent.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false - name: entry_leader.pid level: core type: long 
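Review bot: in the `field-details.asciidoc` hunk the new `process.vpid` entry uses `4242` as its example, the same value `process.pid` carries everywhere else in this diff (for instance `process.entry_leader.pid,long,core,,4242`), which hides the one distinction the field exists to show. Pick an example where the two differ, such as a host-view `pid` of 4242 with a `vpid` of 1 for a container's init process, and make the description say which namespace is meant (the process's own, innermost pid namespace) and that `process.pid` remains the host, initial-namespace view; "The process id within a pid namespace" leaves both points open. This file and the `fields.ecs.yml` hunks that follow are generated output, so the wording change belongs in the schema source; I do not see a `schemas/process.yml` hunk in what is shown, and if the source definition is not part of the change the next regeneration will drop the field again.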
@@ -6319,6 +6341,17 @@ description: Short name or login of the user. example: a.einstein default_field: false + - name: entry_leader.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false - name: entry_leader.working_directory level: extended type: keyword @@ -6603,6 +6636,17 @@ description: Short name or login of the user. example: a.einstein default_field: false + - name: group_leader.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false - name: group_leader.working_directory level: extended type: keyword @@ -7294,6 +7338,17 @@ description: The time the process started. example: '2016-05-23T08:05:34.853Z' default_field: false + - name: parent.group_leader.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false - name: parent.hash.md5 level: extended type: keyword 
@@ -7812,6 +7867,17 @@ description: Short name or login of the user. example: a.einstein default_field: false + - name: parent.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false - name: parent.working_directory level: extended type: keyword @@ -8239,12 +8305,34 @@ description: The time the process started. example: '2016-05-23T08:05:34.853Z' default_field: false + - name: session_leader.parent.session_leader.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false - name: session_leader.parent.start level: extended type: date description: The time the process started. example: '2016-05-23T08:05:34.853Z' default_field: false + - name: session_leader.parent.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false - name: session_leader.pid level: core type: long 
@@ -8393,6 +8481,17 @@ description: Short name or login of the user. example: a.einstein default_field: false + - name: session_leader.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false - name: session_leader.working_directory level: extended type: keyword @@ -8508,6 +8607,17 @@ description: Short name or login of the user. example: a.einstein default_field: false + - name: vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false - name: working_directory level: extended type: keyword diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 404dd41828..02bc6b6793 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -658,7 +658,9 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.9.0-dev+exp,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 8.9.0-dev+exp,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. 8.9.0-dev+exp,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.9.0-dev+exp,true,process,process.entry_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. 8.9.0-dev+exp,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.9.0-dev+exp,true,process,process.entry_leader.parent.vpid,long,core,,4242,Virtual process id. 8.9.0-dev+exp,true,process,process.entry_leader.pid,long,core,,4242,Process id. 8.9.0-dev+exp,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 8.9.0-dev+exp,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. 
@@ -680,6 +682,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.9.0-dev+exp,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.9.0-dev+exp,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. 8.9.0-dev+exp,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,process,process.entry_leader.vpid,long,core,,4242,Virtual process id. 8.9.0-dev+exp,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. 8.9.0-dev+exp,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. 8.9.0-dev+exp,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. @@ -719,6 +722,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.9.0-dev+exp,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.9.0-dev+exp,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. 8.9.0-dev+exp,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,process,process.group_leader.vpid,long,core,,4242,Virtual process id. 8.9.0-dev+exp,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. 8.9.0-dev+exp,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. 8.9.0-dev+exp,true,process,process.hash.md5,keyword,extended,,,MD5 hash. 
@@ -817,6 +821,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.9.0-dev+exp,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 8.9.0-dev+exp,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. 8.9.0-dev+exp,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.9.0-dev+exp,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id. 8.9.0-dev+exp,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. 8.9.0-dev+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. 8.9.0-dev+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. @@ -892,6 +897,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.9.0-dev+exp,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.9.0-dev+exp,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. 8.9.0-dev+exp,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,process,process.parent.vpid,long,core,,4242,Virtual process id. 8.9.0-dev+exp,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. 8.9.0-dev+exp,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. 8.9.0-dev+exp,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 
@@ -950,7 +956,9 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.9.0-dev+exp,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 8.9.0-dev+exp,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. 8.9.0-dev+exp,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.9.0-dev+exp,true,process,process.session_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. 8.9.0-dev+exp,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.9.0-dev+exp,true,process,process.session_leader.parent.vpid,long,core,,4242,Virtual process id. 8.9.0-dev+exp,true,process,process.session_leader.pid,long,core,,4242,Process id. 8.9.0-dev+exp,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 8.9.0-dev+exp,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. 
@@ -972,6 +980,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.9.0-dev+exp,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.9.0-dev+exp,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. 8.9.0-dev+exp,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,process,process.session_leader.vpid,long,core,,4242,Virtual process id. 8.9.0-dev+exp,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. 8.9.0-dev+exp,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. 8.9.0-dev+exp,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. @@ -990,6 +999,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.9.0-dev+exp,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.9.0-dev+exp,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. 8.9.0-dev+exp,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev+exp,true,process,process.vpid,long,core,,4242,Virtual process id. 8.9.0-dev+exp,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. 8.9.0-dev+exp,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. 8.9.0-dev+exp,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. 
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 46e388afd2..8a9b92abef 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -8560,6 +8560,22 @@ process.entry_leader.parent.session_leader.start: original_fieldset: process short: The time the process started. type: date +process.entry_leader.parent.session_leader.vpid: + dashed_name: process-entry-leader-parent-session-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.entry_leader.parent.session_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long process.entry_leader.parent.start: dashed_name: process-entry-leader-parent-start description: The time the process started. @@ -8571,6 +8587,22 @@ process.entry_leader.parent.start: original_fieldset: process short: The time the process started. type: date +process.entry_leader.parent.vpid: + dashed_name: process-entry-leader-parent-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.entry_leader.parent.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long process.entry_leader.pid: dashed_name: process-entry-leader-pid description: Process id. 
@@ -8813,6 +8845,22 @@ process.entry_leader.user.name: original_fieldset: user short: Short name or login of the user. type: keyword +process.entry_leader.vpid: + dashed_name: process-entry-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.entry_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long process.entry_leader.working_directory: dashed_name: process-entry-leader-working-directory description: The working directory of the process. @@ -9261,6 +9309,22 @@ process.group_leader.user.name: original_fieldset: user short: Short name or login of the user. type: keyword +process.group_leader.vpid: + dashed_name: process-group-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.group_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long process.group_leader.working_directory: dashed_name: process-group-leader-working-directory description: The working directory of the process. 
@@ -10441,6 +10505,22 @@ process.parent.group_leader.start: original_fieldset: process short: The time the process started. type: date +process.parent.group_leader.vpid: + dashed_name: process-parent-group-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.parent.group_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long process.parent.hash.md5: dashed_name: process-parent-hash-md5 description: MD5 hash. @@ -11320,6 +11400,22 @@ process.parent.user.name: original_fieldset: user short: Short name or login of the user. type: keyword +process.parent.vpid: + dashed_name: process-parent-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.parent.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long process.parent.working_directory: dashed_name: process-parent-working-directory description: The working directory of the process. 
@@ -12014,6 +12110,22 @@ process.session_leader.parent.session_leader.start: original_fieldset: process short: The time the process started. type: date +process.session_leader.parent.session_leader.vpid: + dashed_name: process-session-leader-parent-session-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.session_leader.parent.session_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long process.session_leader.parent.start: dashed_name: process-session-leader-parent-start description: The time the process started. @@ -12025,6 +12137,22 @@ process.session_leader.parent.start: original_fieldset: process short: The time the process started. type: date +process.session_leader.parent.vpid: + dashed_name: process-session-leader-parent-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.session_leader.parent.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long process.session_leader.pid: dashed_name: process-session-leader-pid description: Process id. 
@@ -12267,6 +12395,22 @@ process.session_leader.user.name: original_fieldset: user short: Short name or login of the user. type: keyword +process.session_leader.vpid: + dashed_name: process-session-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.session_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long process.session_leader.working_directory: dashed_name: process-session-leader-working-directory description: The working directory of the process. @@ -12456,6 +12600,21 @@ process.user.name: original_fieldset: user short: Short name or login of the user. type: keyword +process.vpid: + dashed_name: process-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.vpid + format: string + level: core + name: vpid + normalize: [] + short: Virtual process id. + type: long process.working_directory: dashed_name: process-working-directory description: The working directory of the process. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index aa57d41b73..0847697c3b 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -10771,6 +10771,22 @@ process: original_fieldset: process short: The time the process started. type: date + process.entry_leader.parent.session_leader.vpid: + dashed_name: process-entry-leader-parent-session-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.entry_leader.parent.session_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long process.entry_leader.parent.start: dashed_name: process-entry-leader-parent-start description: The time the process started. @@ -10782,6 +10798,22 @@ process: original_fieldset: process short: The time the process started. type: date + process.entry_leader.parent.vpid: + dashed_name: process-entry-leader-parent-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.entry_leader.parent.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long process.entry_leader.pid: dashed_name: process-entry-leader-pid description: Process id. 
@@ -11024,6 +11056,22 @@ process: original_fieldset: user short: Short name or login of the user. type: keyword + process.entry_leader.vpid: + dashed_name: process-entry-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.entry_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long process.entry_leader.working_directory: dashed_name: process-entry-leader-working-directory description: The working directory of the process. @@ -11472,6 +11520,22 @@ process: original_fieldset: user short: Short name or login of the user. type: keyword + process.group_leader.vpid: + dashed_name: process-group-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.group_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long process.group_leader.working_directory: dashed_name: process-group-leader-working-directory description: The working directory of the process. 
@@ -12657,6 +12721,22 @@ process: original_fieldset: process short: The time the process started. type: date + process.parent.group_leader.vpid: + dashed_name: process-parent-group-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.parent.group_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long process.parent.hash.md5: dashed_name: process-parent-hash-md5 description: MD5 hash. @@ -13538,6 +13618,22 @@ process: original_fieldset: user short: Short name or login of the user. type: keyword + process.parent.vpid: + dashed_name: process-parent-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.parent.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long process.parent.working_directory: dashed_name: process-parent-working-directory description: The working directory of the process. 
@@ -14233,6 +14329,22 @@ process: original_fieldset: process short: The time the process started. type: date + process.session_leader.parent.session_leader.vpid: + dashed_name: process-session-leader-parent-session-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.session_leader.parent.session_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long process.session_leader.parent.start: dashed_name: process-session-leader-parent-start description: The time the process started. @@ -14244,6 +14356,22 @@ process: original_fieldset: process short: The time the process started. type: date + process.session_leader.parent.vpid: + dashed_name: process-session-leader-parent-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.session_leader.parent.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long process.session_leader.pid: dashed_name: process-session-leader-pid description: Process id. 
@@ -14486,6 +14614,22 @@ process: original_fieldset: user short: Short name or login of the user. type: keyword + process.session_leader.vpid: + dashed_name: process-session-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.session_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long process.session_leader.working_directory: dashed_name: process-session-leader-working-directory description: The working directory of the process. @@ -14675,6 +14819,21 @@ process: original_fieldset: user short: Short name or login of the user. type: keyword + process.vpid: + dashed_name: process-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.vpid + format: string + level: core + name: vpid + normalize: [] + short: Virtual process id. + type: long process.working_directory: dashed_name: process-working-directory description: The working directory of the process. diff --git a/experimental/generated/elasticsearch/composable/component/process.json b/experimental/generated/elasticsearch/composable/component/process.json index 00c0d8dcce..45b31b978b 100644 --- a/experimental/generated/elasticsearch/composable/component/process.json +++ b/experimental/generated/elasticsearch/composable/component/process.json @@ -326,11 +326,17 @@ }, "start": { "type": "date" + }, + "vpid": { + "type": "long" } } }, "start": { "type": "date" + }, + "vpid": { + "type": "long" } } }, 
@@ -445,6 +451,9 @@ } } }, + "vpid": { + "type": "long" + }, "working_directory": { "fields": { "text": { @@ -637,6 +646,9 @@ } } }, + "vpid": { + "type": "long" + }, "working_directory": { "fields": { "text": { @@ -1023,6 +1035,9 @@ }, "start": { "type": "date" + }, + "vpid": { + "type": "long" } } }, @@ -1348,6 +1363,9 @@ } } }, + "vpid": { + "type": "long" + }, "working_directory": { "fields": { "text": { @@ -1603,11 +1621,17 @@ }, "start": { "type": "date" + }, + "vpid": { + "type": "long" } } }, "start": { "type": "date" + }, + "vpid": { + "type": "long" } } }, @@ -1722,6 +1746,9 @@ } } }, + "vpid": { + "type": "long" + }, "working_directory": { "fields": { "text": { @@ -1809,6 +1836,9 @@ } } }, + "vpid": { + "type": "long" + }, "working_directory": { "fields": { "text": { diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index d4e3f9c87f..eea9f65645 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -3040,11 +3040,17 @@ }, "start": { "type": "date" + }, + "vpid": { + "type": "long" } } }, "start": { "type": "date" + }, + "vpid": { + "type": "long" } } }, @@ -3159,6 +3165,9 @@ } } }, + "vpid": { + "type": "long" + }, "working_directory": { "fields": { "text": { @@ -3351,6 +3360,9 @@ } } }, + "vpid": { + "type": "long" + }, "working_directory": { "fields": { "text": { @@ -3737,6 +3749,9 @@ }, "start": { "type": "date" + }, + "vpid": { + "type": "long" } } }, @@ -4062,6 +4077,9 @@ } } }, + "vpid": { + "type": "long" + }, "working_directory": { "fields": { "text": { @@ -4317,11 +4335,17 @@ }, "start": { "type": "date" + }, + "vpid": { + "type": "long" } } }, "start": { "type": "date" + }, + "vpid": { + "type": "long" } } }, @@ -4436,6 +4460,9 @@ } } }, + "vpid": { + "type": "long" + }, "working_directory": { "fields": { "text": { 
@@ -4523,6 +4550,9 @@ } } }, + "vpid": { + "type": "long" + }, "working_directory": { "fields": { "text": { diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index cb1149a649..4874bbb2aa 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -6115,12 +6115,34 @@ description: The time the process started. example: '2016-05-23T08:05:34.853Z' default_field: false + - name: entry_leader.parent.session_leader.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false - name: entry_leader.parent.start level: extended type: date description: The time the process started. example: '2016-05-23T08:05:34.853Z' default_field: false + - name: entry_leader.parent.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false - name: entry_leader.pid level: core type: long @@ -6269,6 +6291,17 @@ description: Short name or login of the user. example: a.einstein default_field: false + - name: entry_leader.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false - name: entry_leader.working_directory level: extended type: keyword 
@@ -6553,6 +6586,17 @@ description: Short name or login of the user. example: a.einstein default_field: false + - name: group_leader.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false - name: group_leader.working_directory level: extended type: keyword @@ -7244,6 +7288,17 @@ description: The time the process started. example: '2016-05-23T08:05:34.853Z' default_field: false + - name: parent.group_leader.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false - name: parent.hash.md5 level: extended type: keyword @@ -7762,6 +7817,17 @@ description: Short name or login of the user. example: a.einstein default_field: false + - name: parent.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false - name: parent.working_directory level: extended type: keyword 
@@ -8189,12 +8255,34 @@ description: The time the process started. example: '2016-05-23T08:05:34.853Z' default_field: false + - name: session_leader.parent.session_leader.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false - name: session_leader.parent.start level: extended type: date description: The time the process started. example: '2016-05-23T08:05:34.853Z' default_field: false + - name: session_leader.parent.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false - name: session_leader.pid level: core type: long @@ -8343,6 +8431,17 @@ description: Short name or login of the user. example: a.einstein default_field: false + - name: session_leader.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false - name: session_leader.working_directory level: extended type: keyword 
@@ -8458,6 +8557,17 @@ description: Short name or login of the user. example: a.einstein default_field: false + - name: vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false - name: working_directory level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index daa2f80795..82a0b4ddc5 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -651,7 +651,9 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.9.0-dev,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 8.9.0-dev,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. 8.9.0-dev,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.9.0-dev,true,process,process.entry_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. 8.9.0-dev,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.9.0-dev,true,process,process.entry_leader.parent.vpid,long,core,,4242,Virtual process id. 8.9.0-dev,true,process,process.entry_leader.pid,long,core,,4242,Process id. 8.9.0-dev,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 8.9.0-dev,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. 
@@ -673,6 +675,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.9.0-dev,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.9.0-dev,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. 8.9.0-dev,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,process,process.entry_leader.vpid,long,core,,4242,Virtual process id. 8.9.0-dev,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. 8.9.0-dev,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. 8.9.0-dev,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. @@ -712,6 +715,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.9.0-dev,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.9.0-dev,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. 8.9.0-dev,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,process,process.group_leader.vpid,long,core,,4242,Virtual process id. 8.9.0-dev,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. 8.9.0-dev,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. 8.9.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. 
@@ -810,6 +814,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.9.0-dev,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 8.9.0-dev,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. 8.9.0-dev,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.9.0-dev,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id. 8.9.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. 8.9.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. 8.9.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. @@ -885,6 +890,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.9.0-dev,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.9.0-dev,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. 8.9.0-dev,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,process,process.parent.vpid,long,core,,4242,Virtual process id. 8.9.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. 8.9.0-dev,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. 8.9.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 
@@ -943,7 +949,9 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.9.0-dev,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 8.9.0-dev,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. 8.9.0-dev,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.9.0-dev,true,process,process.session_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. 8.9.0-dev,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.9.0-dev,true,process,process.session_leader.parent.vpid,long,core,,4242,Virtual process id. 8.9.0-dev,true,process,process.session_leader.pid,long,core,,4242,Process id. 8.9.0-dev,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 8.9.0-dev,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. 
@@ -965,6 +973,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.9.0-dev,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.9.0-dev,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. 8.9.0-dev,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,process,process.session_leader.vpid,long,core,,4242,Virtual process id. 8.9.0-dev,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. 8.9.0-dev,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. 8.9.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. @@ -983,6 +992,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.9.0-dev,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 8.9.0-dev,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. 8.9.0-dev,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.9.0-dev,true,process,process.vpid,long,core,,4242,Virtual process id. 8.9.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. 8.9.0-dev,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. 8.9.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 2a758da057..e042d14ef4 100644 
--- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -8491,6 +8491,22 @@ process.entry_leader.parent.session_leader.start: original_fieldset: process short: The time the process started. type: date +process.entry_leader.parent.session_leader.vpid: + dashed_name: process-entry-leader-parent-session-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.entry_leader.parent.session_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long process.entry_leader.parent.start: dashed_name: process-entry-leader-parent-start description: The time the process started. @@ -8502,6 +8518,22 @@ process.entry_leader.parent.start: original_fieldset: process short: The time the process started. type: date +process.entry_leader.parent.vpid: + dashed_name: process-entry-leader-parent-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.entry_leader.parent.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long process.entry_leader.pid: dashed_name: process-entry-leader-pid description: Process id. 
@@ -8744,6 +8776,22 @@ process.entry_leader.user.name: original_fieldset: user short: Short name or login of the user. type: keyword +process.entry_leader.vpid: + dashed_name: process-entry-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.entry_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long process.entry_leader.working_directory: dashed_name: process-entry-leader-working-directory description: The working directory of the process. @@ -9192,6 +9240,22 @@ process.group_leader.user.name: original_fieldset: user short: Short name or login of the user. type: keyword +process.group_leader.vpid: + dashed_name: process-group-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.group_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long process.group_leader.working_directory: dashed_name: process-group-leader-working-directory description: The working directory of the process. 
@@ -10372,6 +10436,22 @@ process.parent.group_leader.start: original_fieldset: process short: The time the process started. type: date +process.parent.group_leader.vpid: + dashed_name: process-parent-group-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.parent.group_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long process.parent.hash.md5: dashed_name: process-parent-hash-md5 description: MD5 hash. @@ -11251,6 +11331,22 @@ process.parent.user.name: original_fieldset: user short: Short name or login of the user. type: keyword +process.parent.vpid: + dashed_name: process-parent-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.parent.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long process.parent.working_directory: dashed_name: process-parent-working-directory description: The working directory of the process. 
@@ -11945,6 +12041,22 @@ process.session_leader.parent.session_leader.start: original_fieldset: process short: The time the process started. type: date +process.session_leader.parent.session_leader.vpid: + dashed_name: process-session-leader-parent-session-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.session_leader.parent.session_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long process.session_leader.parent.start: dashed_name: process-session-leader-parent-start description: The time the process started. @@ -11956,6 +12068,22 @@ process.session_leader.parent.start: original_fieldset: process short: The time the process started. type: date +process.session_leader.parent.vpid: + dashed_name: process-session-leader-parent-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.session_leader.parent.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long process.session_leader.pid: dashed_name: process-session-leader-pid description: Process id. 
@@ -12198,6 +12326,22 @@ process.session_leader.user.name: original_fieldset: user short: Short name or login of the user. type: keyword +process.session_leader.vpid: + dashed_name: process-session-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.session_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long process.session_leader.working_directory: dashed_name: process-session-leader-working-directory description: The working directory of the process. @@ -12387,6 +12531,21 @@ process.user.name: original_fieldset: user short: Short name or login of the user. type: keyword +process.vpid: + dashed_name: process-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.vpid + format: string + level: core + name: vpid + normalize: [] + short: Virtual process id. + type: long process.working_directory: dashed_name: process-working-directory description: The working directory of the process. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 58939dd619..eae3f3498d 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -10691,6 +10691,22 @@ process: original_fieldset: process short: The time the process started. type: date + process.entry_leader.parent.session_leader.vpid: + dashed_name: process-entry-leader-parent-session-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.entry_leader.parent.session_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long process.entry_leader.parent.start: dashed_name: process-entry-leader-parent-start description: The time the process started. @@ -10702,6 +10718,22 @@ process: original_fieldset: process short: The time the process started. type: date + process.entry_leader.parent.vpid: + dashed_name: process-entry-leader-parent-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.entry_leader.parent.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long process.entry_leader.pid: dashed_name: process-entry-leader-pid description: Process id. 
@@ -10944,6 +10976,22 @@ process: original_fieldset: user short: Short name or login of the user. type: keyword + process.entry_leader.vpid: + dashed_name: process-entry-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.entry_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long process.entry_leader.working_directory: dashed_name: process-entry-leader-working-directory description: The working directory of the process. @@ -11392,6 +11440,22 @@ process: original_fieldset: user short: Short name or login of the user. type: keyword + process.group_leader.vpid: + dashed_name: process-group-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.group_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long process.group_leader.working_directory: dashed_name: process-group-leader-working-directory description: The working directory of the process. 
@@ -12577,6 +12641,22 @@ process: original_fieldset: process short: The time the process started. type: date + process.parent.group_leader.vpid: + dashed_name: process-parent-group-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.parent.group_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long process.parent.hash.md5: dashed_name: process-parent-hash-md5 description: MD5 hash. @@ -13458,6 +13538,22 @@ process: original_fieldset: user short: Short name or login of the user. type: keyword + process.parent.vpid: + dashed_name: process-parent-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.parent.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long process.parent.working_directory: dashed_name: process-parent-working-directory description: The working directory of the process. 
@@ -14153,6 +14249,22 @@ process: original_fieldset: process short: The time the process started. type: date + process.session_leader.parent.session_leader.vpid: + dashed_name: process-session-leader-parent-session-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.session_leader.parent.session_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long process.session_leader.parent.start: dashed_name: process-session-leader-parent-start description: The time the process started. @@ -14164,6 +14276,22 @@ process: original_fieldset: process short: The time the process started. type: date + process.session_leader.parent.vpid: + dashed_name: process-session-leader-parent-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.session_leader.parent.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long process.session_leader.pid: dashed_name: process-session-leader-pid description: Process id. 
@@ -14406,6 +14534,22 @@ process: original_fieldset: user short: Short name or login of the user. type: keyword + process.session_leader.vpid: + dashed_name: process-session-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.session_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long process.session_leader.working_directory: dashed_name: process-session-leader-working-directory description: The working directory of the process. @@ -14595,6 +14739,21 @@ process: original_fieldset: user short: Short name or login of the user. type: keyword + process.vpid: + dashed_name: process-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.vpid + format: string + level: core + name: vpid + normalize: [] + short: Virtual process id. + type: long process.working_directory: dashed_name: process-working-directory description: The working directory of the process. diff --git a/generated/elasticsearch/composable/component/process.json b/generated/elasticsearch/composable/component/process.json index 698559b278..e41a6b83f3 100644 --- a/generated/elasticsearch/composable/component/process.json +++ b/generated/elasticsearch/composable/component/process.json @@ -326,11 +326,17 @@ }, "start": { "type": "date" + }, + "vpid": { + "type": "long" } } }, "start": { "type": "date" + }, + "vpid": { + "type": "long" } } }, @@ -445,6 +451,9 @@ } } }, + "vpid": { + "type": "long" + }, "working_directory": { "fields": { "text": { 
@@ -637,6 +646,9 @@ } } }, + "vpid": { + "type": "long" + }, "working_directory": { "fields": { "text": { @@ -1023,6 +1035,9 @@ }, "start": { "type": "date" + }, + "vpid": { + "type": "long" } } }, @@ -1348,6 +1363,9 @@ } } }, + "vpid": { + "type": "long" + }, "working_directory": { "fields": { "text": { @@ -1603,11 +1621,17 @@ }, "start": { "type": "date" + }, + "vpid": { + "type": "long" } } }, "start": { "type": "date" + }, + "vpid": { + "type": "long" } } }, @@ -1722,6 +1746,9 @@ } } }, + "vpid": { + "type": "long" + }, "working_directory": { "fields": { "text": { @@ -1809,6 +1836,9 @@ } } }, + "vpid": { + "type": "long" + }, "working_directory": { "fields": { "text": { diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index 669b8094e0..bd747c0c7d 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -2998,11 +2998,17 @@ }, "start": { "type": "date" + }, + "vpid": { + "type": "long" } } }, "start": { "type": "date" + }, + "vpid": { + "type": "long" } } }, @@ -3117,6 +3123,9 @@ } } }, + "vpid": { + "type": "long" + }, "working_directory": { "fields": { "text": { @@ -3309,6 +3318,9 @@ } } }, + "vpid": { + "type": "long" + }, "working_directory": { "fields": { "text": { @@ -3695,6 +3707,9 @@ }, "start": { "type": "date" + }, + "vpid": { + "type": "long" } } }, @@ -4020,6 +4035,9 @@ } } }, + "vpid": { + "type": "long" + }, "working_directory": { "fields": { "text": { @@ -4275,11 +4293,17 @@ }, "start": { "type": "date" + }, + "vpid": { + "type": "long" } } }, "start": { "type": "date" + }, + "vpid": { + "type": "long" } } }, @@ -4394,6 +4418,9 @@ } } }, + "vpid": { + "type": "long" + }, "working_directory": { "fields": { "text": { @@ -4481,6 +4508,9 @@ } } }, + "vpid": { + "type": "long" + }, "working_directory": { "fields": { "text": { diff --git a/schemas/process.yml b/schemas/process.yml index 1a42e401f5..9b42a21d4a 100644 --- a/schemas/process.yml 
+++ b/schemas/process.yml @@ -72,6 +72,19 @@ Process id. example: 4242 + - name: vpid + format: string + level: core + type: long + short: Virtual process id. + description: > + Virtual process id. + + The process id within a pid namespace. This is not necessarily + unique across all processes on the host but it is unique within the + process namespace that the process exists within. + example: 4242 + - name: entity_id level: extended type: keyword diff --git a/schemas/subsets/main.yml b/schemas/subsets/main.yml index 0f2bc7dcd4..50312f7b0d 100644 --- a/schemas/subsets/main.yml +++ b/schemas/subsets/main.yml @@ -18,7 +18,7 @@ fields: fields: "*" ip: {} mac: {} - nat: + nat: fields: ip: {} port: {} @@ -27,7 +27,7 @@ fields: subdomain: {} registered_domain: {} top_level_domain: {} - user: + user: fields: domain: {} email: {} @@ -57,7 +57,7 @@ fields: fields: "*" ip: {} mac: {} - nat: + nat: fields: ip: {} port: {} @@ -66,7 +66,7 @@ fields: subdomain: {} registered_domain: {} top_level_domain: {} - user: + user: fields: domain: {} email: {} @@ -157,13 +157,16 @@ fields: fields: entity_id: {} pid: {} + vpid: {} start: {} session_leader: fields: entity_id: {} pid: {} + vpid: {} start: {} pid: {} + vpid: {} same_as_process: {} start: {} tty: @@ -225,6 +228,7 @@ fields: interactive: {} name: {} pid: {} + vpid: {} same_as_process: {} start: {} tty: @@ -265,7 +269,7 @@ fields: hash: fields: "*" interactive: {} - io: + io: fields: "*" macho: fields: "*" @@ -287,6 +291,7 @@ fields: fields: entity_id: {} pid: {} + vpid: {} start: {} hash: fields: "*" @@ -298,6 +303,7 @@ fields: fields: "*" pgid: {} pid: {} + vpid: {} start: {} thread: fields: @@ -344,6 +350,7 @@ fields: fields: "*" pgid: {} pid: {} + vpid: {} previous: fields: args: {} @@ -382,6 +389,7 @@ fields: interactive: {} name: {} pid: {} + vpid: {} same_as_process: {} start: {} tty: 
@@ -395,11 +403,13 @@ fields: fields: entity_id: {} pid: {} + vpid: {} start: {} session_leader: fields: entity_id: {} pid: {} + vpid: {} start: {} user: fields: @@ -461,7 +471,7 @@ fields: fields: "*" ip: {} mac: {} - nat: + nat: fields: ip: {} port: {} @@ -470,7 +480,7 @@ fields: subdomain: {} registered_domain: {} top_level_domain: {} - user: + user: fields: domain: {} email: {} @@ -494,7 +504,7 @@ fields: fields: "*" ip: {} mac: {} - nat: + nat: fields: ip: {} port: {} @@ -503,7 +513,7 @@ fields: subdomain: {} registered_domain: {} top_level_domain: {} - user: + user: fields: domain: {} email: {} @@ -530,7 +540,7 @@ fields: fields: domain: {} email: {} - group: + group: fields: "*" full_name: {} hash: {} @@ -542,7 +552,7 @@ fields: fields: domain: {} email: {} - group: + group: fields: "*" full_name: {} hash: {} @@ -550,7 +560,7 @@ fields: name: {} roles: {} email: {} - group: + group: fields: "*" full_name: {} hash: {} @@ -559,11 +569,11 @@ fields: risk: fields: "*" roles: {} - target: + target: fields: domain: {} email: {} - group: + group: fields: "*" full_name: {} hash: {} From 78d012dd1a9a56670c99ad23de6f6591a527e68d Mon Sep 17 00:00:00 2001 From: Kylie Meli Date: Fri, 9 Jun 2023 12:56:33 -0400 Subject: [PATCH 096/186] clarifying changelog entry text (#2216) --- CHANGELOG.md | 2 +- docs/release-notes/8.8.asciidoc | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 03ba6f75f0..9e2af687a0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,7 +9,7 @@ All notable changes to this project will be documented in this file based on the #### Added -* Add `access` as an allowed type for `event.type: file`. #2174 +* Add `event.type: access` as an allowed value for `event.category: file`. #2174 * Add `orchestrator.resource.annotation` and `orchestrator.resource.label`. #2181 * Add `event.kind: asset` as a beta category. #2191 
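Review bot: in the `schemas/process.yml` hunk, the `vpid` description should spell out how the field relates to `process.pid`, since anyone correlating process events across a host needs to know which of the two to key on; the current text only says it is "not necessarily unique across all processes on the host". A sentence such as "For processes in the root pid namespace `vpid` equals `pid`; for a containerized process it is the pid seen inside the container." would make that explicit, and giving `vpid` an `example` other than the `4242` already used for `pid` would illustrate the difference rather than hide it.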
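Review bot: the `schemas/subsets/main.yml` hunks mix unrelated whitespace cleanups with the functional change: the `- nat:`/`+ nat:`, `user:`, `io:`, `group:` and `target:` pairs read identically in the rendered diff, so they differ only in trailing whitespace, and they roughly double the size of this file's diff. Consider splitting them into a separate commit, or at least naming them in the commit message, so the `vpid: {}` additions (one beside each `pid: {}`, including the nested `group_leader`, `session_leader` and `parent` blocks) are easy to verify against the generated flat and nested artifacts.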
diff --git a/docs/release-notes/8.8.asciidoc b/docs/release-notes/8.8.asciidoc index e0d53da05b..f94a5f1a84 100644 --- a/docs/release-notes/8.8.asciidoc +++ b/docs/release-notes/8.8.asciidoc @@ -9,7 +9,7 @@ [float] ===== Added -* Add `access` as an allowed type for `event.type: file`. {ecs_pull}2174[#2174] +* Add `event.type: access` as an allowed value for `event.category: file`. {ecs_pull}2174[#2174] * Add `orchestrator.resource.annotation` and `orchestrator.resource.label`. {ecs_pull}2181[#2181] * Add `event.kind: asset` as a beta category. {ecs_pull}2191[#2191] @@ -22,4 +22,4 @@ [float] ===== Added -* Add `parameters` property for field definitions, to provide any mapping parameter. {ecs_pull}2084[#2084] \ No newline at end of file +* Add `parameters` property for field definitions, to provide any mapping parameter. {ecs_pull}2084[#2084] From acfada38a17ca726d3e0a6d98e464da81e8a63ba Mon Sep 17 00:00:00 2001 From: Yamin Tian <56367679+Trinity2019@users.noreply.github.com> Date: Sat, 10 Jun 2023 03:58:37 +0800 Subject: [PATCH 097/186] [RFC] Stage 0 - New fieldset for volume device (#2201) Co-authored-by: Eric Beahan --- rfcs/text/0040-volume-device.md | 138 ++++++++++++++++++++++++++++++++ 1 file changed, 138 insertions(+) create mode 100644 rfcs/text/0040-volume-device.md diff --git a/rfcs/text/0040-volume-device.md b/rfcs/text/0040-volume-device.md new file mode 100644 index 0000000000..ae0d013859 --- /dev/null +++ b/rfcs/text/0040-volume-device.md 
@@ -0,0 +1,138 @@ +# 0040: Volume device + + +- Stage: **0 (strawperson)** +- Date: **2023-06-09** + + + + + +This RFC propose adding the volume device fieldset to describe volume storage devices such as hard disks, removable USB, mountable virtual disks such as ISO. + + * volume.mount_name + * volume.device_name + * volume.dos_name + * volume.nt_name + * volume.bus_type + * volume.writable + * volume.default_access + * volume.file_system_type + * volume.product_id + * volume.product_name + * volume.vendor_id + * volume.vendor_name + * volume.serial_number + * volume.volume_device_type + * volume.action + * volume.size + +These volume device fields can be used to describe some events and alerts associated with a volume device, which was proven to be [useful](https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion) for Elastic Defend. + +These fields can also be used by the products and features to manage such devices based on their properties such as serial number and vendor name, etc. + + + + + +## Fields + + + + + +## Usage + + + +## Source data + +The source of this data comes from monitoring a host, a Virtual Machine, or a k8s node. + + + + + + + +## Scope of impact + + + +## Concerns + + + + + + + +## People + +The following are the people that consulted on the contents of this RFC. + + * @Trinity2019 | author + * @ricardoelastic | reviewer + + + + +## References + +https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/macOS/policy/device_control_policy_schema.json + + + +### RFC Pull Requests + + + +* Stage 0: https://github.com/elastic/ecs/pull/2201 + + From 7b125b9736f01d61a612a44b57c1016f3ef06c03 Mon Sep 17 00:00:00 2001 
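Review bot: `volume.volume_device_type` repeats the fieldset name inside the field name, which ECS naming conventions avoid; `volume.device_type` (or simply `volume.type`) would be the conventional choice. Two more points on the proposed field list: `volume.action` overlaps with the existing `event.action`, so the RFC should state what it would record that `event.action` does not, or drop it; and `volume.size` needs its unit (bytes) fixed when the Fields section is filled in. The linked Security Labs write-up motivates the detection use case well, and a Usage example around it (for instance, identifying previously unseen removable media by `vendor_id`, `product_id` and `serial_number`) would strengthen the later stages. Minor: "This RFC propose adding" should read "This RFC proposes adding".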
From: Bharat Pasupula <123897612+bhapas@users.noreply.github.com> Date: Wed, 21 Jun 2023 14:53:15 +0200 Subject: [PATCH 098/186] Update artifacts (#2221) --- docs/fields/fields.asciidoc | 2 +- docs/index.asciidoc | 2 +- experimental/generated/beats/fields.ecs.yml | 2 +- experimental/generated/csv/fields.csv | 3498 ++++++++--------- .../composable/component/agent.json | 2 +- .../composable/component/base.json | 2 +- .../composable/component/cgroup.json | 2 +- .../composable/component/client.json | 2 +- .../composable/component/cloud.json | 2 +- .../composable/component/container.json | 2 +- .../composable/component/data_stream.json | 2 +- .../composable/component/destination.json | 2 +- .../composable/component/device.json | 2 +- .../composable/component/dll.json | 2 +- .../composable/component/dns.json | 2 +- .../composable/component/ecs.json | 2 +- .../composable/component/email.json | 2 +- .../composable/component/error.json | 2 +- .../composable/component/event.json | 2 +- .../composable/component/faas.json | 2 +- .../composable/component/file.json | 2 +- .../composable/component/group.json | 2 +- .../composable/component/host.json | 2 +- .../composable/component/http.json | 2 +- .../composable/component/log.json | 2 +- .../composable/component/network.json | 2 +- .../composable/component/observer.json | 2 +- .../composable/component/orchestrator.json | 2 +- .../composable/component/organization.json | 2 +- .../composable/component/package.json | 2 +- .../composable/component/process.json | 2 +- .../composable/component/registry.json | 2 +- .../composable/component/related.json | 2 +- .../composable/component/rule.json | 2 +- .../composable/component/server.json | 2 +- .../composable/component/service.json | 2 +- .../composable/component/source.json | 2 +- .../composable/component/threat.json | 2 +- .../composable/component/tls.json | 2 +- .../composable/component/tracing.json | 2 +- .../composable/component/url.json | 2 +- .../composable/component/user.json | 2 
+- .../composable/component/user_agent.json | 2 +- .../composable/component/vulnerability.json | 2 +- .../elasticsearch/composable/template.json | 82 +- .../elasticsearch/legacy/template.json | 2 +- generated/beats/fields.ecs.yml | 2 +- generated/csv/fields.csv | 3484 ++++++++-------- .../composable/component/agent.json | 2 +- .../composable/component/base.json | 2 +- .../composable/component/client.json | 2 +- .../composable/component/cloud.json | 2 +- .../composable/component/container.json | 2 +- .../composable/component/data_stream.json | 2 +- .../composable/component/destination.json | 2 +- .../composable/component/device.json | 2 +- .../composable/component/dll.json | 2 +- .../composable/component/dns.json | 2 +- .../composable/component/ecs.json | 2 +- .../composable/component/email.json | 2 +- .../composable/component/error.json | 2 +- .../composable/component/event.json | 2 +- .../composable/component/faas.json | 2 +- .../composable/component/file.json | 2 +- .../composable/component/group.json | 2 +- .../composable/component/host.json | 2 +- .../composable/component/http.json | 2 +- .../composable/component/log.json | 2 +- .../composable/component/network.json | 2 +- .../composable/component/observer.json | 2 +- .../composable/component/orchestrator.json | 2 +- .../composable/component/organization.json | 2 +- .../composable/component/package.json | 2 +- .../composable/component/process.json | 2 +- .../composable/component/registry.json | 2 +- .../composable/component/related.json | 2 +- .../composable/component/rule.json | 2 +- .../composable/component/server.json | 2 +- .../composable/component/service.json | 2 +- .../composable/component/source.json | 2 +- .../composable/component/threat.json | 2 +- .../composable/component/tls.json | 2 +- .../composable/component/tracing.json | 2 +- .../composable/component/url.json | 2 +- .../composable/component/user.json | 2 +- .../composable/component/user_agent.json | 2 +- 
.../composable/component/vulnerability.json | 2 +- .../elasticsearch/composable/template.json | 80 +- generated/elasticsearch/legacy/template.json | 2 +- version | 2 +- 90 files changed, 3658 insertions(+), 3658 deletions(-) diff --git a/docs/fields/fields.asciidoc b/docs/fields/fields.asciidoc index 0fef5fa1e1..a4fac87e72 100644 --- a/docs/fields/fields.asciidoc +++ b/docs/fields/fields.asciidoc @@ -1,7 +1,7 @@ [[ecs-field-reference]] == {ecs} Field Reference -This is the documentation of ECS version 8.9.0-dev. +This is the documentation of ECS version 8.10.0-dev. ECS defines multiple groups of related fields. They are called "field sets". The <> field set is the only one whose fields are defined diff --git a/docs/index.asciidoc b/docs/index.asciidoc index 30d36104ca..cdcd2968b0 100644 --- a/docs/index.asciidoc +++ b/docs/index.asciidoc @@ -13,7 +13,7 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[] [[ecs-reference]] == Overview -This is the documentation of ECS version 8.9.0-dev. +This is the documentation of ECS version 8.10.0-dev. [float] === What is ECS? diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 5024360172..b7b1360826 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -1,5 +1,5 @@ # WARNING! Do not edit this file directly, it was generated by the ECS project, -# based on ECS version 8.9.0-dev+exp. +# based on ECS version 8.10.0-dev+exp. # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields. - key: ecs diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 02bc6b6793..810c86fbb8 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -1,1750 +1,1750 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description -8.9.0-dev+exp,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. -8.9.0-dev+exp,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. -8.9.0-dev+exp,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer. -8.9.0-dev+exp,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. -8.9.0-dev+exp,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. -8.9.0-dev+exp,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. -8.9.0-dev+exp,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. -8.9.0-dev+exp,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. -8.9.0-dev+exp,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. -8.9.0-dev+exp,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. -8.9.0-dev+exp,true,cgroup,cgroup.cpu.periods,long,extended,,454839343,Number of period intervals that have elapsed. -8.9.0-dev+exp,true,cgroup,cgroup.cpu.throttled.us,long,extended,,15000,Microseconds of CPU throttled time. -8.9.0-dev+exp,true,cgroup,cgroup.cpu.usage,scaled_float,extended,,,"CPU usage, normalized by the CPU count." -8.9.0-dev+exp,true,cgroup,cgroup.memory.limit,long,extended,,256,Memory limit within the cgroup. -8.9.0-dev+exp,true,cgroup,cgroup.memory.swap.usage,long,extended,,5600,The amount of cgroup memory in swap. 
-8.9.0-dev+exp,true,cgroup,cgroup.memory.usage,long,extended,,25600,Memory usage in bytes -8.9.0-dev+exp,true,cgroup,cgroup.version,long,extended,,,The cgroup version linked to the metrics -8.9.0-dev+exp,true,client,client.address,keyword,extended,,,Client network address. -8.9.0-dev+exp,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.9.0-dev+exp,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.9.0-dev+exp,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.9.0-dev+exp,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. -8.9.0-dev+exp,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client. -8.9.0-dev+exp,true,client,client.geo.city_name,keyword,core,,Montreal,City name. -8.9.0-dev+exp,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. -8.9.0-dev+exp,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. -8.9.0-dev+exp,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.9.0-dev+exp,true,client,client.geo.country_name,keyword,core,,Canada,Country name. -8.9.0-dev+exp,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.9.0-dev+exp,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.9.0-dev+exp,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. -8.9.0-dev+exp,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.9.0-dev+exp,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. -8.9.0-dev+exp,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.9.0-dev+exp,true,client,client.ip,ip,core,,,IP address of the client. 
-8.9.0-dev+exp,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. -8.9.0-dev+exp,true,client,client.nat.ip,ip,extended,,,Client NAT ip address -8.9.0-dev+exp,true,client,client.nat.port,long,extended,,,Client NAT port -8.9.0-dev+exp,true,client,client.packets,long,core,,12,Packets sent from the client to the server. -8.9.0-dev+exp,true,client,client.port,long,core,,,Port of the client. -8.9.0-dev+exp,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." -8.9.0-dev+exp,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. -8.9.0-dev+exp,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.9.0-dev+exp,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.9.0-dev+exp,true,client,client.user.email,keyword,extended,,,User email address. -8.9.0-dev+exp,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.9.0-dev+exp,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.9.0-dev+exp,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.9.0-dev+exp,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev+exp,true,client,client.user.group.name,keyword,extended,,,Name of the group. -8.9.0-dev+exp,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.9.0-dev+exp,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev+exp,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. 
-8.9.0-dev+exp,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.9.0-dev+exp,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. -8.9.0-dev+exp,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. -8.9.0-dev+exp,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -8.9.0-dev+exp,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -8.9.0-dev+exp,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. -8.9.0-dev+exp,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.9.0-dev+exp,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. -8.9.0-dev+exp,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. -8.9.0-dev+exp,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -8.9.0-dev+exp,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -8.9.0-dev+exp,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine. -8.9.0-dev+exp,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.9.0-dev+exp,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id. -8.9.0-dev+exp,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name. -8.9.0-dev+exp,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider. 
-8.9.0-dev+exp,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -8.9.0-dev+exp,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name. -8.9.0-dev+exp,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. -8.9.0-dev+exp,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. -8.9.0-dev+exp,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. -8.9.0-dev+exp,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -8.9.0-dev+exp,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. -8.9.0-dev+exp,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id. -8.9.0-dev+exp,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name. -8.9.0-dev+exp,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -8.9.0-dev+exp,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -8.9.0-dev+exp,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine. -8.9.0-dev+exp,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.9.0-dev+exp,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id. -8.9.0-dev+exp,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name. -8.9.0-dev+exp,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider. -8.9.0-dev+exp,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." 
-8.9.0-dev+exp,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name. -8.9.0-dev+exp,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -8.9.0-dev+exp,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -8.9.0-dev+exp,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -8.9.0-dev+exp,true,container,container.id,keyword,core,,,Unique container id. -8.9.0-dev+exp,true,container,container.image.hash.all,keyword,extended,array,[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26],An array of digests of the image the container was built on. -8.9.0-dev+exp,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. -8.9.0-dev+exp,true,container,container.image.tag,keyword,extended,array,,Container image tags. -8.9.0-dev+exp,true,container,container.labels,object,extended,,,Image labels. -8.9.0-dev+exp,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1." -8.9.0-dev+exp,true,container,container.name,keyword,extended,,,Container name. -8.9.0-dev+exp,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. -8.9.0-dev+exp,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -8.9.0-dev+exp,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. -8.9.0-dev+exp,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. -8.9.0-dev+exp,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. 
-8.9.0-dev+exp,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. -8.9.0-dev+exp,true,destination,destination.address,keyword,extended,,,Destination network address. -8.9.0-dev+exp,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.9.0-dev+exp,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.9.0-dev+exp,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.9.0-dev+exp,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. -8.9.0-dev+exp,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination. -8.9.0-dev+exp,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. -8.9.0-dev+exp,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. -8.9.0-dev+exp,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. -8.9.0-dev+exp,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.9.0-dev+exp,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. -8.9.0-dev+exp,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.9.0-dev+exp,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.9.0-dev+exp,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. -8.9.0-dev+exp,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.9.0-dev+exp,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. -8.9.0-dev+exp,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 
-8.9.0-dev+exp,true,destination,destination.ip,ip,core,,,IP address of the destination. -8.9.0-dev+exp,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. -8.9.0-dev+exp,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip -8.9.0-dev+exp,true,destination,destination.nat.port,long,extended,,,Destination NAT Port -8.9.0-dev+exp,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. -8.9.0-dev+exp,true,destination,destination.port,long,core,,,Port of the destination. -8.9.0-dev+exp,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." -8.9.0-dev+exp,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. -8.9.0-dev+exp,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.9.0-dev+exp,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.9.0-dev+exp,true,destination,destination.user.email,keyword,extended,,,User email address. -8.9.0-dev+exp,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.9.0-dev+exp,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.9.0-dev+exp,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.9.0-dev+exp,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev+exp,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. -8.9.0-dev+exp,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
-8.9.0-dev+exp,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev+exp,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.9.0-dev+exp,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. -8.9.0-dev+exp,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. -8.9.0-dev+exp,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. -8.9.0-dev+exp,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. -8.9.0-dev+exp,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.9.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.9.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.9.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.9.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.9.0-dev+exp,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.9.0-dev+exp,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 
-8.9.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.9.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.9.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. -8.9.0-dev+exp,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. -8.9.0-dev+exp,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. -8.9.0-dev+exp,true,dll,dll.hash.sha384,keyword,extended,,,SHA384 hash. -8.9.0-dev+exp,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. -8.9.0-dev+exp,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.9.0-dev+exp,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. -8.9.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. -8.9.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. -8.9.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.9.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.9.0-dev+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.9.0-dev+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.9.0-dev+exp,true,dll,dll.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.9.0-dev+exp,true,dll,dll.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.9.0-dev+exp,true,dll,dll.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.9.0-dev+exp,true,dll,dll.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 
-8.9.0-dev+exp,true,dll,dll.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.9.0-dev+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.9.0-dev+exp,true,dll,dll.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.9.0-dev+exp,true,dll,dll.pe.imports,flattened,extended,array,,List of imported element names and types. -8.9.0-dev+exp,true,dll,dll.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev+exp,true,dll,dll.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev+exp,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.9.0-dev+exp,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.9.0-dev+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.9.0-dev+exp,true,dll,dll.pe.sections,nested,extended,array,,Section information of the PE file. -8.9.0-dev+exp,true,dll,dll.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.9.0-dev+exp,true,dll,dll.pe.sections.name,keyword,extended,,,PE Section List name. -8.9.0-dev+exp,true,dll,dll.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.9.0-dev+exp,true,dll,dll.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.9.0-dev+exp,true,dll,dll.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.9.0-dev+exp,true,dns,dns.answers,object,extended,array,,Array of DNS answers. 
-8.9.0-dev+exp,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. -8.9.0-dev+exp,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. -8.9.0-dev+exp,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. -8.9.0-dev+exp,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. -8.9.0-dev+exp,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. -8.9.0-dev+exp,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. -8.9.0-dev+exp,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. -8.9.0-dev+exp,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. -8.9.0-dev+exp,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. -8.9.0-dev+exp,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. -8.9.0-dev+exp,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." -8.9.0-dev+exp,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. -8.9.0-dev+exp,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.9.0-dev+exp,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. -8.9.0-dev+exp,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data -8.9.0-dev+exp,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. 
-8.9.0-dev+exp,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." -8.9.0-dev+exp,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. -8.9.0-dev+exp,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. -8.9.0-dev+exp,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. -8.9.0-dev+exp,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. -8.9.0-dev+exp,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.9.0-dev+exp,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.9.0-dev+exp,true,email,email.attachments.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.9.0-dev+exp,true,email,email.attachments.file.hash.sha512,keyword,extended,,,SHA512 hash. -8.9.0-dev+exp,true,email,email.attachments.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.9.0-dev+exp,true,email,email.attachments.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.9.0-dev+exp,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file. -8.9.0-dev+exp,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file. -8.9.0-dev+exp,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size. -8.9.0-dev+exp,true,email,email.bcc.address,keyword,extended,array,bcc.user1@example.com,Email address of BCC recipient -8.9.0-dev+exp,true,email,email.cc.address,keyword,extended,array,cc.user1@example.com,Email address of CC recipient -8.9.0-dev+exp,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message. -8.9.0-dev+exp,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered. -8.9.0-dev+exp,true,email,email.direction,keyword,extended,,inbound,Direction of the message. 
-8.9.0-dev+exp,true,email,email.from.address,keyword,extended,array,sender@example.com,The sender's email address. -8.9.0-dev+exp,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source. -8.9.0-dev+exp,true,email,email.message_id,wildcard,extended,,81ce15$8r2j59@mail01.example.com,Value from the Message-ID header. -8.9.0-dev+exp,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed. -8.9.0-dev+exp,true,email,email.reply_to.address,keyword,extended,array,reply.here@example.com,Address replies should be delivered to. -8.9.0-dev+exp,true,email,email.sender.address,keyword,extended,,,Address of the message sender. -8.9.0-dev+exp,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message. -8.9.0-dev+exp,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. -8.9.0-dev+exp,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient -8.9.0-dev+exp,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. -8.9.0-dev+exp,true,error,error.code,keyword,core,,,Error code describing the error. -8.9.0-dev+exp,true,error,error.id,keyword,core,,,Unique identifier for the error. -8.9.0-dev+exp,true,error,error.message,match_only_text,core,,,Error message. -8.9.0-dev+exp,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. -8.9.0-dev+exp,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text. -8.9.0-dev+exp,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." -8.9.0-dev+exp,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. 
-8.9.0-dev+exp,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. -8.9.0-dev+exp,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. -8.9.0-dev+exp,true,event,event.code,keyword,extended,,4648,Identification code for this event. -8.9.0-dev+exp,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. -8.9.0-dev+exp,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. -8.9.0-dev+exp,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. -8.9.0-dev+exp,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. -8.9.0-dev+exp,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. -8.9.0-dev+exp,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. -8.9.0-dev+exp,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. -8.9.0-dev+exp,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. -8.9.0-dev+exp,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. -8.9.0-dev+exp,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. -8.9.0-dev+exp,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. -8.9.0-dev+exp,true,event,event.provider,keyword,extended,,kernel,Source of the event. 
-8.9.0-dev+exp,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" -8.9.0-dev+exp,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL -8.9.0-dev+exp,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. -8.9.0-dev+exp,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). -8.9.0-dev+exp,true,event,event.sequence,long,extended,,,Sequence number of the event. -8.9.0-dev+exp,true,event,event.severity,long,core,,7,Numeric severity of the event. -8.9.0-dev+exp,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. -8.9.0-dev+exp,true,event,event.timezone,keyword,extended,,,Event time zone. -8.9.0-dev+exp,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. -8.9.0-dev+exp,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL -8.9.0-dev+exp,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function. -8.9.0-dev+exp,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. -8.9.0-dev+exp,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. -8.9.0-dev+exp,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. -8.9.0-dev+exp,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." -8.9.0-dev+exp,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. 
-8.9.0-dev+exp,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. -8.9.0-dev+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed. -8.9.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.9.0-dev+exp,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.9.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.9.0-dev+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.9.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.9.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.9.0-dev+exp,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.9.0-dev+exp,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.9.0-dev+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.9.0-dev+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.9.0-dev+exp,true,file,file.created,date,extended,,,File creation time. -8.9.0-dev+exp,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.9.0-dev+exp,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. -8.9.0-dev+exp,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.9.0-dev+exp,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. 
-8.9.0-dev+exp,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.9.0-dev+exp,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.9.0-dev+exp,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.9.0-dev+exp,true,file,file.elf.creation_date,date,extended,,,Build or compile date. -8.9.0-dev+exp,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.9.0-dev+exp,true,file,file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.9.0-dev+exp,true,file,file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.9.0-dev+exp,true,file,file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.9.0-dev+exp,true,file,file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.9.0-dev+exp,true,file,file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.9.0-dev+exp,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.9.0-dev+exp,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.9.0-dev+exp,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.9.0-dev+exp,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.9.0-dev+exp,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.9.0-dev+exp,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.9.0-dev+exp,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. 
-8.9.0-dev+exp,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.9.0-dev+exp,true,file,file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.9.0-dev+exp,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. -8.9.0-dev+exp,true,file,file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev+exp,true,file,file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev+exp,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. -8.9.0-dev+exp,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.9.0-dev+exp,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.9.0-dev+exp,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.9.0-dev+exp,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.9.0-dev+exp,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.9.0-dev+exp,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.9.0-dev+exp,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.9.0-dev+exp,true,file,file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.9.0-dev+exp,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.9.0-dev+exp,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.9.0-dev+exp,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. 
-8.9.0-dev+exp,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.9.0-dev+exp,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.9.0-dev+exp,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.9.0-dev+exp,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.9.0-dev+exp,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.9.0-dev+exp,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.9.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.9.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file. -8.9.0-dev+exp,true,file,file.hash.md5,keyword,extended,,,MD5 hash. -8.9.0-dev+exp,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. -8.9.0-dev+exp,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. -8.9.0-dev+exp,true,file,file.hash.sha384,keyword,extended,,,SHA384 hash. -8.9.0-dev+exp,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. -8.9.0-dev+exp,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.9.0-dev+exp,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. -8.9.0-dev+exp,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.9.0-dev+exp,true,file,file.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -8.9.0-dev+exp,true,file,file.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.9.0-dev+exp,true,file,file.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
-8.9.0-dev+exp,true,file,file.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.9.0-dev+exp,true,file,file.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.9.0-dev+exp,true,file,file.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -8.9.0-dev+exp,true,file,file.macho.imports,flattened,extended,array,,List of imported element names and types. -8.9.0-dev+exp,true,file,file.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev+exp,true,file,file.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev+exp,true,file,file.macho.sections,nested,extended,array,,Section information of the Mach-O file. -8.9.0-dev+exp,true,file,file.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.9.0-dev+exp,true,file,file.macho.sections.name,keyword,extended,,,Mach-O Section List name. -8.9.0-dev+exp,true,file,file.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -8.9.0-dev+exp,true,file,file.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.9.0-dev+exp,true,file,file.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -8.9.0-dev+exp,true,file,file.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -8.9.0-dev+exp,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.9.0-dev+exp,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. 
-8.9.0-dev+exp,true,file,file.mtime,date,extended,,,Last time the file content was modified. -8.9.0-dev+exp,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.9.0-dev+exp,true,file,file.owner,keyword,extended,,alice,File owner's username. -8.9.0-dev+exp,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.9.0-dev+exp,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.9.0-dev+exp,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.9.0-dev+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.9.0-dev+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.9.0-dev+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.9.0-dev+exp,true,file,file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.9.0-dev+exp,true,file,file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.9.0-dev+exp,true,file,file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.9.0-dev+exp,true,file,file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.9.0-dev+exp,true,file,file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.9.0-dev+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.9.0-dev+exp,true,file,file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. 
-8.9.0-dev+exp,true,file,file.pe.imports,flattened,extended,array,,List of imported element names and types. -8.9.0-dev+exp,true,file,file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev+exp,true,file,file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev+exp,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.9.0-dev+exp,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.9.0-dev+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.9.0-dev+exp,true,file,file.pe.sections,nested,extended,array,,Section information of the PE file. -8.9.0-dev+exp,true,file,file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.9.0-dev+exp,true,file,file.pe.sections.name,keyword,extended,,,PE Section List name. -8.9.0-dev+exp,true,file,file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.9.0-dev+exp,true,file,file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.9.0-dev+exp,true,file,file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.9.0-dev+exp,true,file,file.size,long,extended,,16384,File size in bytes. -8.9.0-dev+exp,true,file,file.target_path,keyword,extended,,,Target path for symlinks. -8.9.0-dev+exp,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.9.0-dev+exp,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." 
-8.9.0-dev+exp,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.9.0-dev+exp,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.9.0-dev+exp,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.9.0-dev+exp,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.9.0-dev+exp,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.9.0-dev+exp,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.9.0-dev+exp,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.9.0-dev+exp,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.9.0-dev+exp,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.9.0-dev+exp,true,file,file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.9.0-dev+exp,true,file,file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.9.0-dev+exp,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.9.0-dev+exp,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. 
-8.9.0-dev+exp,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.9.0-dev+exp,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.9.0-dev+exp,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.9.0-dev+exp,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.9.0-dev+exp,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.9.0-dev+exp,true,file,file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.9.0-dev+exp,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.9.0-dev+exp,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.9.0-dev+exp,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.9.0-dev+exp,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.9.0-dev+exp,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.9.0-dev+exp,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.9.0-dev+exp,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.9.0-dev+exp,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev+exp,true,group,group.name,keyword,extended,,,Name of the group. 
-8.9.0-dev+exp,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. -8.9.0-dev+exp,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id -8.9.0-dev+exp,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -8.9.0-dev+exp,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -8.9.0-dev+exp,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -8.9.0-dev+exp,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. -8.9.0-dev+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name. -8.9.0-dev+exp,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. -8.9.0-dev+exp,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. -8.9.0-dev+exp,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.9.0-dev+exp,true,host,host.geo.country_name,keyword,core,,Canada,Country name. -8.9.0-dev+exp,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.9.0-dev+exp,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.9.0-dev+exp,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. -8.9.0-dev+exp,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.9.0-dev+exp,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. -8.9.0-dev+exp,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.9.0-dev+exp,true,host,host.hostname,keyword,core,,,Hostname of the host. -8.9.0-dev+exp,true,host,host.id,keyword,core,,,Unique host id. -8.9.0-dev+exp,true,host,host.ip,ip,core,array,,Host ip addresses. 
-8.9.0-dev+exp,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. -8.9.0-dev+exp,true,host,host.name,keyword,core,,,Name of the host. -8.9.0-dev+exp,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. -8.9.0-dev+exp,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. -8.9.0-dev+exp,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -8.9.0-dev+exp,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. -8.9.0-dev+exp,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.9.0-dev+exp,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.9.0-dev+exp,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.9.0-dev+exp,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -8.9.0-dev+exp,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.9.0-dev+exp,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.9.0-dev+exp,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.9.0-dev+exp,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -8.9.0-dev+exp,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 
-8.9.0-dev+exp,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode -8.9.0-dev+exp,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.9.0-dev+exp,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.9.0-dev+exp,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.9.0-dev+exp,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.9.0-dev+exp,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.9.0-dev+exp,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -8.9.0-dev+exp,true,host,host.type,keyword,core,,,Type of host. -8.9.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. -8.9.0-dev+exp,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. -8.9.0-dev+exp,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. -8.9.0-dev+exp,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body. -8.9.0-dev+exp,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). -8.9.0-dev+exp,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. -8.9.0-dev+exp,true,http,http.request.method,keyword,extended,,POST,HTTP request method. 
-8.9.0-dev+exp,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. -8.9.0-dev+exp,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. -8.9.0-dev+exp,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. -8.9.0-dev+exp,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. -8.9.0-dev+exp,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body. -8.9.0-dev+exp,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). -8.9.0-dev+exp,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. -8.9.0-dev+exp,true,http,http.response.status_code,long,extended,,404,HTTP response status code. -8.9.0-dev+exp,true,http,http.version,keyword,extended,,1.1,HTTP version. -8.9.0-dev+exp,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. -8.9.0-dev+exp,true,log,log.level,keyword,core,,error,Log level of the log event. -8.9.0-dev+exp,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. -8.9.0-dev+exp,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event. -8.9.0-dev+exp,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. -8.9.0-dev+exp,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. -8.9.0-dev+exp,true,log,log.syslog,object,extended,,,Syslog metadata -8.9.0-dev+exp,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. -8.9.0-dev+exp,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. 
-8.9.0-dev+exp,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. -8.9.0-dev+exp,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. -8.9.0-dev+exp,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. -8.9.0-dev+exp,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. -8.9.0-dev+exp,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. -8.9.0-dev+exp,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. -8.9.0-dev+exp,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. -8.9.0-dev+exp,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages. -8.9.0-dev+exp,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. -8.9.0-dev+exp,true,network,network.application,keyword,extended,,aim,Application level protocol name. -8.9.0-dev+exp,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. -8.9.0-dev+exp,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. -8.9.0-dev+exp,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. -8.9.0-dev+exp,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. -8.9.0-dev+exp,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. -8.9.0-dev+exp,true,network,network.inner,object,extended,,,Inner VLAN tag information -8.9.0-dev+exp,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.9.0-dev+exp,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. 
-8.9.0-dev+exp,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. -8.9.0-dev+exp,true,network,network.packets,long,core,,24,Total packets transferred in both directions. -8.9.0-dev+exp,true,network,network.protocol,keyword,core,,http,Application protocol name. -8.9.0-dev+exp,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. -8.9.0-dev+exp,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" -8.9.0-dev+exp,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.9.0-dev+exp,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.9.0-dev+exp,true,observer,observer.egress,object,extended,,,Object field for egress information -8.9.0-dev+exp,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias -8.9.0-dev+exp,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID -8.9.0-dev+exp,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name -8.9.0-dev+exp,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.9.0-dev+exp,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.9.0-dev+exp,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone -8.9.0-dev+exp,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. -8.9.0-dev+exp,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. -8.9.0-dev+exp,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. -8.9.0-dev+exp,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. 
-8.9.0-dev+exp,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. -8.9.0-dev+exp,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.9.0-dev+exp,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.9.0-dev+exp,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. -8.9.0-dev+exp,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.9.0-dev+exp,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. -8.9.0-dev+exp,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.9.0-dev+exp,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. -8.9.0-dev+exp,true,observer,observer.ingress,object,extended,,,Object field for ingress information -8.9.0-dev+exp,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias -8.9.0-dev+exp,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID -8.9.0-dev+exp,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name -8.9.0-dev+exp,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.9.0-dev+exp,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.9.0-dev+exp,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone -8.9.0-dev+exp,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. -8.9.0-dev+exp,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. -8.9.0-dev+exp,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. -8.9.0-dev+exp,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 
-8.9.0-dev+exp,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.9.0-dev+exp,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.9.0-dev+exp,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -8.9.0-dev+exp,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.9.0-dev+exp,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.9.0-dev+exp,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.9.0-dev+exp,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -8.9.0-dev+exp,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.9.0-dev+exp,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. -8.9.0-dev+exp,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. -8.9.0-dev+exp,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. -8.9.0-dev+exp,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. -8.9.0-dev+exp,true,observer,observer.version,keyword,core,,,Observer version. -8.9.0-dev+exp,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action -8.9.0-dev+exp,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster. -8.9.0-dev+exp,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster. 
-8.9.0-dev+exp,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster. -8.9.0-dev+exp,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. -8.9.0-dev+exp,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. -8.9.0-dev+exp,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). -8.9.0-dev+exp,true,orchestrator,orchestrator.resource.annotation,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of annotations added to the resource. -8.9.0-dev+exp,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. -8.9.0-dev+exp,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. -8.9.0-dev+exp,true,orchestrator,orchestrator.resource.label,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of labels added to the resource. -8.9.0-dev+exp,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. -8.9.0-dev+exp,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. -8.9.0-dev+exp,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. -8.9.0-dev+exp,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)." -8.9.0-dev+exp,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. -8.9.0-dev+exp,true,organization,organization.name,keyword,extended,,,Organization name. 
-8.9.0-dev+exp,true,organization,organization.name.text,match_only_text,extended,,,Organization name. -8.9.0-dev+exp,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. -8.9.0-dev+exp,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information -8.9.0-dev+exp,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. -8.9.0-dev+exp,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. -8.9.0-dev+exp,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." -8.9.0-dev+exp,true,package,package.installed,date,extended,,,Time when package was installed. -8.9.0-dev+exp,true,package,package.license,keyword,extended,,Apache License 2.0,Package license -8.9.0-dev+exp,true,package,package.name,keyword,extended,,go,Package name -8.9.0-dev+exp,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. -8.9.0-dev+exp,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL -8.9.0-dev+exp,true,package,package.size,long,extended,,62231,Package size in bytes. -8.9.0-dev+exp,true,package,package.type,keyword,extended,,rpm,Package type -8.9.0-dev+exp,true,package,package.version,keyword,extended,,1.12.9,Package version -8.9.0-dev+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.9.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array. -8.9.0-dev+exp,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 
-8.9.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.9.0-dev+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.9.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.9.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.9.0-dev+exp,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.9.0-dev+exp,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.9.0-dev+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.9.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.9.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.9.0-dev+exp,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.9.0-dev+exp,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.9.0-dev+exp,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.9.0-dev+exp,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.9.0-dev+exp,true,process,process.elf.creation_date,date,extended,,,Build or compile date. -8.9.0-dev+exp,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. 
-8.9.0-dev+exp,true,process,process.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.9.0-dev+exp,true,process,process.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.9.0-dev+exp,true,process,process.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.9.0-dev+exp,true,process,process.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.9.0-dev+exp,true,process,process.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.9.0-dev+exp,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.9.0-dev+exp,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.9.0-dev+exp,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.9.0-dev+exp,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.9.0-dev+exp,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.9.0-dev+exp,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.9.0-dev+exp,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.9.0-dev+exp,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. -8.9.0-dev+exp,true,process,process.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.9.0-dev+exp,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. 
-8.9.0-dev+exp,true,process,process.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev+exp,true,process,process.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev+exp,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. -8.9.0-dev+exp,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.9.0-dev+exp,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.9.0-dev+exp,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.9.0-dev+exp,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. -8.9.0-dev+exp,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.9.0-dev+exp,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.9.0-dev+exp,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. -8.9.0-dev+exp,true,process,process.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.9.0-dev+exp,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.9.0-dev+exp,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.9.0-dev+exp,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. -8.9.0-dev+exp,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.9.0-dev+exp,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. -8.9.0-dev+exp,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. 
-8.9.0-dev+exp,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.9.0-dev+exp,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -8.9.0-dev+exp,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.9.0-dev+exp,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.9.0-dev+exp,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. -8.9.0-dev+exp,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group. -8.9.0-dev+exp,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev+exp,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,process,process.entry_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.9.0-dev+exp,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.9.0-dev+exp,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.9.0-dev+exp,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. -8.9.0-dev+exp,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. -8.9.0-dev+exp,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 
-8.9.0-dev+exp,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.9.0-dev+exp,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev+exp,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. -8.9.0-dev+exp,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.9.0-dev+exp,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. -8.9.0-dev+exp,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. -8.9.0-dev+exp,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.9.0-dev+exp,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. -8.9.0-dev+exp,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.9.0-dev+exp,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. -8.9.0-dev+exp,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.9.0-dev+exp,true,process,process.entry_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. -8.9.0-dev+exp,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.9.0-dev+exp,true,process,process.entry_leader.parent.vpid,long,core,,4242,Virtual process id. -8.9.0-dev+exp,true,process,process.entry_leader.pid,long,core,,4242,Process id. -8.9.0-dev+exp,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev+exp,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. 
-8.9.0-dev+exp,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev+exp,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -8.9.0-dev+exp,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev+exp,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. -8.9.0-dev+exp,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev+exp,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.9.0-dev+exp,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev+exp,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.9.0-dev+exp,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. -8.9.0-dev+exp,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. 
-8.9.0-dev+exp,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.9.0-dev+exp,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev+exp,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,process,process.entry_leader.vpid,long,core,,4242,Virtual process id. -8.9.0-dev+exp,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.9.0-dev+exp,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.9.0-dev+exp,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. -8.9.0-dev+exp,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.9.0-dev+exp,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.9.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process. -8.9.0-dev+exp,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.9.0-dev+exp,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. -8.9.0-dev+exp,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
-8.9.0-dev+exp,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.9.0-dev+exp,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.9.0-dev+exp,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.9.0-dev+exp,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.9.0-dev+exp,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev+exp,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. -8.9.0-dev+exp,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.9.0-dev+exp,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. -8.9.0-dev+exp,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. -8.9.0-dev+exp,true,process,process.group_leader.pid,long,core,,4242,Process id. -8.9.0-dev+exp,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev+exp,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. -8.9.0-dev+exp,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev+exp,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
-8.9.0-dev+exp,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -8.9.0-dev+exp,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev+exp,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. -8.9.0-dev+exp,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev+exp,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.9.0-dev+exp,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev+exp,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.9.0-dev+exp,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. -8.9.0-dev+exp,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.9.0-dev+exp,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.9.0-dev+exp,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev+exp,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
-8.9.0-dev+exp,true,process,process.group_leader.vpid,long,core,,4242,Virtual process id. -8.9.0-dev+exp,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.9.0-dev+exp,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.9.0-dev+exp,true,process,process.hash.md5,keyword,extended,,,MD5 hash. -8.9.0-dev+exp,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. -8.9.0-dev+exp,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. -8.9.0-dev+exp,true,process,process.hash.sha384,keyword,extended,,,SHA384 hash. -8.9.0-dev+exp,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. -8.9.0-dev+exp,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.9.0-dev+exp,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. -8.9.0-dev+exp,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.9.0-dev+exp,true,process,process.io,object,extended,,,A chunk of input or output (IO) from a single process. -8.9.0-dev+exp,true,process,process.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. -8.9.0-dev+exp,true,process,process.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. -8.9.0-dev+exp,true,process,process.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. -8.9.0-dev+exp,true,process,process.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." -8.9.0-dev+exp,true,process,process.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. 
-8.9.0-dev+exp,true,process,process.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. -8.9.0-dev+exp,true,process,process.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. -8.9.0-dev+exp,true,process,process.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. -8.9.0-dev+exp,true,process,process.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -8.9.0-dev+exp,true,process,process.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.9.0-dev+exp,true,process,process.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.9.0-dev+exp,true,process,process.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.9.0-dev+exp,true,process,process.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.9.0-dev+exp,true,process,process.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -8.9.0-dev+exp,true,process,process.macho.imports,flattened,extended,array,,List of imported element names and types. -8.9.0-dev+exp,true,process,process.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev+exp,true,process,process.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev+exp,true,process,process.macho.sections,nested,extended,array,,Section information of the Mach-O file. -8.9.0-dev+exp,true,process,process.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. 
-8.9.0-dev+exp,true,process,process.macho.sections.name,keyword,extended,,,Mach-O Section List name. -8.9.0-dev+exp,true,process,process.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -8.9.0-dev+exp,true,process,process.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.9.0-dev+exp,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -8.9.0-dev+exp,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -8.9.0-dev+exp,true,process,process.name,keyword,extended,,ssh,Process name. -8.9.0-dev+exp,true,process,process.name.text,match_only_text,extended,,ssh,Process name. -8.9.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.9.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. -8.9.0-dev+exp,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.9.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.9.0-dev+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.9.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.9.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.9.0-dev+exp,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 
-8.9.0-dev+exp,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.9.0-dev+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.9.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.9.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.9.0-dev+exp,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.9.0-dev+exp,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.9.0-dev+exp,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.9.0-dev+exp,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.9.0-dev+exp,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. -8.9.0-dev+exp,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. -8.9.0-dev+exp,true,process,process.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.9.0-dev+exp,true,process,process.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.9.0-dev+exp,true,process,process.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.9.0-dev+exp,true,process,process.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 
-8.9.0-dev+exp,true,process,process.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.9.0-dev+exp,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.9.0-dev+exp,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.9.0-dev+exp,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.9.0-dev+exp,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.9.0-dev+exp,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.9.0-dev+exp,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.9.0-dev+exp,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.9.0-dev+exp,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. -8.9.0-dev+exp,true,process,process.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.9.0-dev+exp,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. -8.9.0-dev+exp,true,process,process.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev+exp,true,process,process.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev+exp,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. -8.9.0-dev+exp,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. 
-8.9.0-dev+exp,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.9.0-dev+exp,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.9.0-dev+exp,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. -8.9.0-dev+exp,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.9.0-dev+exp,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.9.0-dev+exp,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. -8.9.0-dev+exp,true,process,process.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.9.0-dev+exp,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.9.0-dev+exp,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.9.0-dev+exp,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. -8.9.0-dev+exp,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.9.0-dev+exp,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. -8.9.0-dev+exp,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.9.0-dev+exp,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.9.0-dev+exp,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -8.9.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.9.0-dev+exp,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 
-8.9.0-dev+exp,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.9.0-dev+exp,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. -8.9.0-dev+exp,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev+exp,true,process,process.parent.group.name,keyword,extended,,,Name of the group. -8.9.0-dev+exp,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.9.0-dev+exp,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. -8.9.0-dev+exp,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.9.0-dev+exp,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id. -8.9.0-dev+exp,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. -8.9.0-dev+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. -8.9.0-dev+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. -8.9.0-dev+exp,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash. -8.9.0-dev+exp,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. -8.9.0-dev+exp,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.9.0-dev+exp,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. -8.9.0-dev+exp,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.9.0-dev+exp,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -8.9.0-dev+exp,true,process,process.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. 
-8.9.0-dev+exp,true,process,process.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.9.0-dev+exp,true,process,process.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.9.0-dev+exp,true,process,process.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.9.0-dev+exp,true,process,process.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -8.9.0-dev+exp,true,process,process.parent.macho.imports,flattened,extended,array,,List of imported element names and types. -8.9.0-dev+exp,true,process,process.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev+exp,true,process,process.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev+exp,true,process,process.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file. -8.9.0-dev+exp,true,process,process.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.9.0-dev+exp,true,process,process.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name. -8.9.0-dev+exp,true,process,process.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -8.9.0-dev+exp,true,process,process.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.9.0-dev+exp,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. 
-8.9.0-dev+exp,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -8.9.0-dev+exp,true,process,process.parent.name,keyword,extended,,ssh,Process name. -8.9.0-dev+exp,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. -8.9.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.9.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.9.0-dev+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.9.0-dev+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.9.0-dev+exp,true,process,process.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.9.0-dev+exp,true,process,process.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.9.0-dev+exp,true,process,process.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.9.0-dev+exp,true,process,process.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.9.0-dev+exp,true,process,process.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.9.0-dev+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.9.0-dev+exp,true,process,process.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.9.0-dev+exp,true,process,process.parent.pe.imports,flattened,extended,array,,List of imported element names and types. 
-8.9.0-dev+exp,true,process,process.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev+exp,true,process,process.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev+exp,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.9.0-dev+exp,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.9.0-dev+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.9.0-dev+exp,true,process,process.parent.pe.sections,nested,extended,array,,Section information of the PE file. -8.9.0-dev+exp,true,process,process.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.9.0-dev+exp,true,process,process.parent.pe.sections.name,keyword,extended,,,PE Section List name. -8.9.0-dev+exp,true,process,process.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.9.0-dev+exp,true,process,process.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.9.0-dev+exp,true,process,process.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.9.0-dev+exp,true,process,process.parent.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. -8.9.0-dev+exp,true,process,process.parent.pid,long,core,,4242,Process id. -8.9.0-dev+exp,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-8.9.0-dev+exp,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. -8.9.0-dev+exp,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev+exp,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev+exp,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group. -8.9.0-dev+exp,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev+exp,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.9.0-dev+exp,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev+exp,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. -8.9.0-dev+exp,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. -8.9.0-dev+exp,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. -8.9.0-dev+exp,true,process,process.parent.title,keyword,extended,,,Process title. -8.9.0-dev+exp,true,process,process.parent.title.text,match_only_text,extended,,,Process title. -8.9.0-dev+exp,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. 
-8.9.0-dev+exp,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.9.0-dev+exp,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.9.0-dev+exp,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. -8.9.0-dev+exp,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev+exp,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,process,process.parent.vpid,long,core,,4242,Virtual process id. -8.9.0-dev+exp,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.9.0-dev+exp,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.9.0-dev+exp,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.9.0-dev+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.9.0-dev+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.9.0-dev+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.9.0-dev+exp,true,process,process.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.9.0-dev+exp,true,process,process.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.9.0-dev+exp,true,process,process.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
-8.9.0-dev+exp,true,process,process.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.9.0-dev+exp,true,process,process.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.9.0-dev+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.9.0-dev+exp,true,process,process.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.9.0-dev+exp,true,process,process.pe.imports,flattened,extended,array,,List of imported element names and types. -8.9.0-dev+exp,true,process,process.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev+exp,true,process,process.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev+exp,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.9.0-dev+exp,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.9.0-dev+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.9.0-dev+exp,true,process,process.pe.sections,nested,extended,array,,Section information of the PE file. -8.9.0-dev+exp,true,process,process.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.9.0-dev+exp,true,process,process.pe.sections.name,keyword,extended,,,PE Section List name. -8.9.0-dev+exp,true,process,process.pe.sections.physical_size,long,extended,,,PE Section List physical size. 
-8.9.0-dev+exp,true,process,process.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.9.0-dev+exp,true,process,process.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.9.0-dev+exp,true,process,process.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. -8.9.0-dev+exp,true,process,process.pid,long,core,,4242,Process id. -8.9.0-dev+exp,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.9.0-dev+exp,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. -8.9.0-dev+exp,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.9.0-dev+exp,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.9.0-dev+exp,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev+exp,true,process,process.real_group.name,keyword,extended,,,Name of the group. -8.9.0-dev+exp,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev+exp,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev+exp,true,process,process.saved_group.name,keyword,extended,,,Name of the group. -8.9.0-dev+exp,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
-8.9.0-dev+exp,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.9.0-dev+exp,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array. -8.9.0-dev+exp,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.9.0-dev+exp,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.9.0-dev+exp,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.9.0-dev+exp,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.9.0-dev+exp,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.9.0-dev+exp,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev+exp,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. -8.9.0-dev+exp,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.9.0-dev+exp,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. -8.9.0-dev+exp,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. -8.9.0-dev+exp,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 
-8.9.0-dev+exp,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. -8.9.0-dev+exp,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.9.0-dev+exp,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. -8.9.0-dev+exp,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.9.0-dev+exp,true,process,process.session_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. -8.9.0-dev+exp,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.9.0-dev+exp,true,process,process.session_leader.parent.vpid,long,core,,4242,Virtual process id. -8.9.0-dev+exp,true,process,process.session_leader.pid,long,core,,4242,Process id. -8.9.0-dev+exp,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev+exp,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. -8.9.0-dev+exp,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev+exp,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -8.9.0-dev+exp,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-8.9.0-dev+exp,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group. -8.9.0-dev+exp,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev+exp,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.9.0-dev+exp,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev+exp,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.9.0-dev+exp,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. -8.9.0-dev+exp,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.9.0-dev+exp,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.9.0-dev+exp,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev+exp,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,process,process.session_leader.vpid,long,core,,4242,Virtual process id. -8.9.0-dev+exp,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. 
-8.9.0-dev+exp,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.9.0-dev+exp,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.9.0-dev+exp,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev+exp,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. -8.9.0-dev+exp,true,process,process.thread.id,long,extended,,4242,Thread ID. -8.9.0-dev+exp,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. -8.9.0-dev+exp,true,process,process.title,keyword,extended,,,Process title. -8.9.0-dev+exp,true,process,process.title.text,match_only_text,extended,,,Process title. -8.9.0-dev+exp,true,process,process.tty,object,extended,,,Information about the controlling TTY device. -8.9.0-dev+exp,true,process,process.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.9.0-dev+exp,true,process,process.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.9.0-dev+exp,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width -8.9.0-dev+exp,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height -8.9.0-dev+exp,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. -8.9.0-dev+exp,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev+exp,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,process,process.vpid,long,core,,4242,Virtual process id. 
-8.9.0-dev+exp,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.9.0-dev+exp,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.9.0-dev+exp,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.9.0-dev+exp,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -8.9.0-dev+exp,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.9.0-dev+exp,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.9.0-dev+exp,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -8.9.0-dev+exp,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.9.0-dev+exp,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. -8.9.0-dev+exp,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. -8.9.0-dev+exp,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. -8.9.0-dev+exp,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. -8.9.0-dev+exp,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. 
-8.9.0-dev+exp,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author -8.9.0-dev+exp,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category -8.9.0-dev+exp,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description -8.9.0-dev+exp,true,rule,rule.id,keyword,extended,,101,Rule ID -8.9.0-dev+exp,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license -8.9.0-dev+exp,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name -8.9.0-dev+exp,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL -8.9.0-dev+exp,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset -8.9.0-dev+exp,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID -8.9.0-dev+exp,true,rule,rule.version,keyword,extended,,1.1,Rule version -8.9.0-dev+exp,true,server,server.address,keyword,extended,,,Server network address. -8.9.0-dev+exp,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.9.0-dev+exp,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.9.0-dev+exp,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.9.0-dev+exp,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. -8.9.0-dev+exp,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server. -8.9.0-dev+exp,true,server,server.geo.city_name,keyword,core,,Montreal,City name. -8.9.0-dev+exp,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. -8.9.0-dev+exp,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. -8.9.0-dev+exp,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.9.0-dev+exp,true,server,server.geo.country_name,keyword,core,,Canada,Country name. 
-8.9.0-dev+exp,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.9.0-dev+exp,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.9.0-dev+exp,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. -8.9.0-dev+exp,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.9.0-dev+exp,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. -8.9.0-dev+exp,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.9.0-dev+exp,true,server,server.ip,ip,core,,,IP address of the server. -8.9.0-dev+exp,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. -8.9.0-dev+exp,true,server,server.nat.ip,ip,extended,,,Server NAT ip -8.9.0-dev+exp,true,server,server.nat.port,long,extended,,,Server NAT port -8.9.0-dev+exp,true,server,server.packets,long,core,,12,Packets sent from the server to the client. -8.9.0-dev+exp,true,server,server.port,long,core,,,Port of the server. -8.9.0-dev+exp,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." -8.9.0-dev+exp,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. -8.9.0-dev+exp,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.9.0-dev+exp,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.9.0-dev+exp,true,server,server.user.email,keyword,extended,,,User email address. -8.9.0-dev+exp,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.9.0-dev+exp,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
-8.9.0-dev+exp,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.9.0-dev+exp,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev+exp,true,server,server.user.group.name,keyword,extended,,,Name of the group. -8.9.0-dev+exp,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.9.0-dev+exp,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev+exp,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.9.0-dev+exp,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.9.0-dev+exp,true,service,service.environment,keyword,extended,,production,Environment of the service. -8.9.0-dev+exp,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.9.0-dev+exp,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.9.0-dev+exp,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. -8.9.0-dev+exp,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.9.0-dev+exp,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.9.0-dev+exp,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. 
-8.9.0-dev+exp,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.9.0-dev+exp,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. -8.9.0-dev+exp,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.9.0-dev+exp,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.9.0-dev+exp,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. -8.9.0-dev+exp,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.9.0-dev+exp,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.9.0-dev+exp,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -8.9.0-dev+exp,true,service,service.origin.state,keyword,core,,,Current state of the service. -8.9.0-dev+exp,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. -8.9.0-dev+exp,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. -8.9.0-dev+exp,true,service,service.state,keyword,core,,,Current state of the service. -8.9.0-dev+exp,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.9.0-dev+exp,true,service,service.target.environment,keyword,extended,,production,Environment of the service. -8.9.0-dev+exp,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.9.0-dev+exp,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.9.0-dev+exp,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. 
-8.9.0-dev+exp,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.9.0-dev+exp,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.9.0-dev+exp,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -8.9.0-dev+exp,true,service,service.target.state,keyword,core,,,Current state of the service. -8.9.0-dev+exp,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. -8.9.0-dev+exp,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. -8.9.0-dev+exp,true,service,service.type,keyword,core,,elasticsearch,The type of the service. -8.9.0-dev+exp,true,service,service.version,keyword,core,,3.2.4,Version of the service. -8.9.0-dev+exp,true,source,source.address,keyword,extended,,,Source network address. -8.9.0-dev+exp,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.9.0-dev+exp,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.9.0-dev+exp,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.9.0-dev+exp,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. -8.9.0-dev+exp,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source. -8.9.0-dev+exp,true,source,source.geo.city_name,keyword,core,,Montreal,City name. -8.9.0-dev+exp,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. -8.9.0-dev+exp,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. -8.9.0-dev+exp,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.9.0-dev+exp,true,source,source.geo.country_name,keyword,core,,Canada,Country name. 
-8.9.0-dev+exp,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.9.0-dev+exp,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.9.0-dev+exp,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. -8.9.0-dev+exp,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.9.0-dev+exp,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. -8.9.0-dev+exp,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.9.0-dev+exp,true,source,source.ip,ip,core,,,IP address of the source. -8.9.0-dev+exp,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. -8.9.0-dev+exp,true,source,source.nat.ip,ip,extended,,,Source NAT ip -8.9.0-dev+exp,true,source,source.nat.port,long,extended,,,Source NAT port -8.9.0-dev+exp,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. -8.9.0-dev+exp,true,source,source.port,long,core,,,Port of the source. -8.9.0-dev+exp,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -8.9.0-dev+exp,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. -8.9.0-dev+exp,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.9.0-dev+exp,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.9.0-dev+exp,true,source,source.user.email,keyword,extended,,,User email address. -8.9.0-dev+exp,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.9.0-dev+exp,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
-8.9.0-dev+exp,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.9.0-dev+exp,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev+exp,true,source,source.user.group.name,keyword,extended,,,Name of the group. -8.9.0-dev+exp,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.9.0-dev+exp,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev+exp,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.9.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. -8.9.0-dev+exp,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. 
-8.9.0-dev+exp,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 
-8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
-8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
-8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. 
-8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." 
-8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
-8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. 
-8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
-8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.9.0-dev+exp,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. 
-8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. 
-8.9.0-dev+exp,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. 
-8.9.0-dev+exp,true,threat,threat.enrichments.indicator.name,keyword,extended,,5.2.75.227,Indicator display name -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. 
-8.9.0-dev+exp,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. 
-8.9.0-dev+exp,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.9.0-dev+exp,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
-8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.9.0-dev+exp,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. 
-8.9.0-dev+exp,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value -8.9.0-dev+exp,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field -8.9.0-dev+exp,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier -8.9.0-dev+exp,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index -8.9.0-dev+exp,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05T17:00:58.326Z,Date of match -8.9.0-dev+exp,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match -8.9.0-dev+exp,true,threat,threat.feed.dashboard_id,keyword,extended,,5ba16340-72e6-11eb-a3e3-b3cc7c78a70f,Feed dashboard ID. -8.9.0-dev+exp,true,threat,threat.feed.description,keyword,extended,,Threat feed from the AlienVault Open Threat eXchange network.,Description of the threat feed. -8.9.0-dev+exp,true,threat,threat.feed.name,keyword,extended,,AlienVault OTX,Name of the threat feed. -8.9.0-dev+exp,true,threat,threat.feed.reference,keyword,extended,,https://otx.alienvault.com,Reference for the threat feed. -8.9.0-dev+exp,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. -8.9.0-dev+exp,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. -8.9.0-dev+exp,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. -8.9.0-dev+exp,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. -8.9.0-dev+exp,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. -8.9.0-dev+exp,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. 
-8.9.0-dev+exp,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.9.0-dev+exp,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.9.0-dev+exp,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating -8.9.0-dev+exp,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -8.9.0-dev+exp,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address -8.9.0-dev+exp,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. -8.9.0-dev+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 
-8.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.9.0-dev+exp,true,threat,threat.indicator.file.created,date,extended,,,File creation time. -8.9.0-dev+exp,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.9.0-dev+exp,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. -8.9.0-dev+exp,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.9.0-dev+exp,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.9.0-dev+exp,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.9.0-dev+exp,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.9.0-dev+exp,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.9.0-dev+exp,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. -8.9.0-dev+exp,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.9.0-dev+exp,true,threat,threat.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.9.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.9.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
-8.9.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.9.0-dev+exp,true,threat,threat.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.9.0-dev+exp,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.9.0-dev+exp,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.9.0-dev+exp,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.9.0-dev+exp,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.9.0-dev+exp,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.9.0-dev+exp,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.9.0-dev+exp,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.9.0-dev+exp,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.9.0-dev+exp,true,threat,threat.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.9.0-dev+exp,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. -8.9.0-dev+exp,true,threat,threat.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev+exp,true,threat,threat.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
-8.9.0-dev+exp,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. -8.9.0-dev+exp,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.9.0-dev+exp,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.9.0-dev+exp,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.9.0-dev+exp,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.9.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.9.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.9.0-dev+exp,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.9.0-dev+exp,true,threat,threat.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.9.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.9.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.9.0-dev+exp,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. -8.9.0-dev+exp,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.9.0-dev+exp,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.9.0-dev+exp,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.9.0-dev+exp,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. 
-8.9.0-dev+exp,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.9.0-dev+exp,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.9.0-dev+exp,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.9.0-dev+exp,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. -8.9.0-dev+exp,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. -8.9.0-dev+exp,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.9.0-dev+exp,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.9.0-dev+exp,true,threat,threat.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.9.0-dev+exp,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. -8.9.0-dev+exp,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.9.0-dev+exp,true,threat,threat.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.9.0-dev+exp,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.9.0-dev+exp,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.9.0-dev+exp,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. -8.9.0-dev+exp,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. -8.9.0-dev+exp,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.9.0-dev+exp,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. 
-8.9.0-dev+exp,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.9.0-dev+exp,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.9.0-dev+exp,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.9.0-dev+exp,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.9.0-dev+exp,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.9.0-dev+exp,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.9.0-dev+exp,true,threat,threat.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.9.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.9.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.9.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.9.0-dev+exp,true,threat,threat.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.9.0-dev+exp,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.9.0-dev+exp,true,threat,threat.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. 
-8.9.0-dev+exp,true,threat,threat.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. -8.9.0-dev+exp,true,threat,threat.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev+exp,true,threat,threat.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev+exp,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.9.0-dev+exp,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.9.0-dev+exp,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.9.0-dev+exp,true,threat,threat.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. -8.9.0-dev+exp,true,threat,threat.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.9.0-dev+exp,true,threat,threat.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. -8.9.0-dev+exp,true,threat,threat.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.9.0-dev+exp,true,threat,threat.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.9.0-dev+exp,true,threat,threat.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.9.0-dev+exp,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. -8.9.0-dev+exp,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. 
-8.9.0-dev+exp,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.9.0-dev+exp,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -8.9.0-dev+exp,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.9.0-dev+exp,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.9.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.9.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.9.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.9.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.9.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.9.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.9.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.9.0-dev+exp,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. 
-8.9.0-dev+exp,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.9.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.9.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.9.0-dev+exp,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.9.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.9.0-dev+exp,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.9.0-dev+exp,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.9.0-dev+exp,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.9.0-dev+exp,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.9.0-dev+exp,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.9.0-dev+exp,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.9.0-dev+exp,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. 
-8.9.0-dev+exp,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.9.0-dev+exp,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.9.0-dev+exp,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.9.0-dev+exp,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. -8.9.0-dev+exp,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. -8.9.0-dev+exp,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. -8.9.0-dev+exp,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. -8.9.0-dev+exp,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.9.0-dev+exp,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. -8.9.0-dev+exp,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.9.0-dev+exp,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.9.0-dev+exp,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. -8.9.0-dev+exp,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.9.0-dev+exp,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. -8.9.0-dev+exp,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.9.0-dev+exp,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address -8.9.0-dev+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. 
-8.9.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking -8.9.0-dev+exp,true,threat,threat.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version -8.9.0-dev+exp,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. -8.9.0-dev+exp,true,threat,threat.indicator.name,keyword,extended,,5.2.75.227,Indicator display name -8.9.0-dev+exp,true,threat,threat.indicator.port,long,extended,,443,Indicator port -8.9.0-dev+exp,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider -8.9.0-dev+exp,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL -8.9.0-dev+exp,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.9.0-dev+exp,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -8.9.0-dev+exp,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.9.0-dev+exp,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.9.0-dev+exp,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -8.9.0-dev+exp,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.9.0-dev+exp,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. 
-8.9.0-dev+exp,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics -8.9.0-dev+exp,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed -8.9.0-dev+exp,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator -8.9.0-dev+exp,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.9.0-dev+exp,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -8.9.0-dev+exp,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.9.0-dev+exp,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.9.0-dev+exp,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.9.0-dev+exp,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.9.0-dev+exp,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.9.0-dev+exp,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. -8.9.0-dev+exp,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.9.0-dev+exp,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." -8.9.0-dev+exp,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. -8.9.0-dev+exp,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." 
-8.9.0-dev+exp,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. -8.9.0-dev+exp,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.9.0-dev+exp,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.9.0-dev+exp,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. -8.9.0-dev+exp,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.9.0-dev+exp,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.9.0-dev+exp,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.9.0-dev+exp,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.9.0-dev+exp,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.9.0-dev+exp,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.9.0-dev+exp,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.9.0-dev+exp,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.9.0-dev+exp,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. 
-8.9.0-dev+exp,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.9.0-dev+exp,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.9.0-dev+exp,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.9.0-dev+exp,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.9.0-dev+exp,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.9.0-dev+exp,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.9.0-dev+exp,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.9.0-dev+exp,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.9.0-dev+exp,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.9.0-dev+exp,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.9.0-dev+exp,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.9.0-dev+exp,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.9.0-dev+exp,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. 
-8.9.0-dev+exp,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.9.0-dev+exp,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. -8.9.0-dev+exp,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software -8.9.0-dev+exp,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software -8.9.0-dev+exp,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. -8.9.0-dev+exp,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. -8.9.0-dev+exp,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. -8.9.0-dev+exp,true,threat,threat.software.type,keyword,extended,,Tool,Software type. -8.9.0-dev+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. -8.9.0-dev+exp,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. -8.9.0-dev+exp,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. -8.9.0-dev+exp,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. -8.9.0-dev+exp,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. -8.9.0-dev+exp,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name. -8.9.0-dev+exp,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. -8.9.0-dev+exp,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. -8.9.0-dev+exp,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. 
-8.9.0-dev+exp,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name. -8.9.0-dev+exp,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. -8.9.0-dev+exp,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. -8.9.0-dev+exp,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. -8.9.0-dev+exp,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. -8.9.0-dev+exp,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. -8.9.0-dev+exp,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. -8.9.0-dev+exp,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. -8.9.0-dev+exp,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. -8.9.0-dev+exp,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. -8.9.0-dev+exp,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. 
-8.9.0-dev+exp,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. -8.9.0-dev+exp,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. -8.9.0-dev+exp,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. -8.9.0-dev+exp,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. -8.9.0-dev+exp,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.9.0-dev+exp,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.9.0-dev+exp,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.9.0-dev+exp,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.9.0-dev+exp,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.9.0-dev+exp,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.9.0-dev+exp,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-8.9.0-dev+exp,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.9.0-dev+exp,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.9.0-dev+exp,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.9.0-dev+exp,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.9.0-dev+exp,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.9.0-dev+exp,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.9.0-dev+exp,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.9.0-dev+exp,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.9.0-dev+exp,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.9.0-dev+exp,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.9.0-dev+exp,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.9.0-dev+exp,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-8.9.0-dev+exp,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.9.0-dev+exp,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.9.0-dev+exp,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.9.0-dev+exp,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.9.0-dev+exp,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. -8.9.0-dev+exp,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." -8.9.0-dev+exp,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. -8.9.0-dev+exp,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. -8.9.0-dev+exp,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -8.9.0-dev+exp,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. -8.9.0-dev+exp,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. -8.9.0-dev+exp,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. -8.9.0-dev+exp,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. 
-8.9.0-dev+exp,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. -8.9.0-dev+exp,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. -8.9.0-dev+exp,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. -8.9.0-dev+exp,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. -8.9.0-dev+exp,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. -8.9.0-dev+exp,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. -8.9.0-dev+exp,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.9.0-dev+exp,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.9.0-dev+exp,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.9.0-dev+exp,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
-8.9.0-dev+exp,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.9.0-dev+exp,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.9.0-dev+exp,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.9.0-dev+exp,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.9.0-dev+exp,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.9.0-dev+exp,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.9.0-dev+exp,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.9.0-dev+exp,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.9.0-dev+exp,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.9.0-dev+exp,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.9.0-dev+exp,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.9.0-dev+exp,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.9.0-dev+exp,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
-8.9.0-dev+exp,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.9.0-dev+exp,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.9.0-dev+exp,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.9.0-dev+exp,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.9.0-dev+exp,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.9.0-dev+exp,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.9.0-dev+exp,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. -8.9.0-dev+exp,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. -8.9.0-dev+exp,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. -8.9.0-dev+exp,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. -8.9.0-dev+exp,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. -8.9.0-dev+exp,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.9.0-dev+exp,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -8.9.0-dev+exp,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.9.0-dev+exp,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. 
-8.9.0-dev+exp,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.9.0-dev+exp,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.9.0-dev+exp,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.9.0-dev+exp,true,url,url.password,keyword,extended,,,Password of the request. -8.9.0-dev+exp,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.9.0-dev+exp,true,url,url.port,long,extended,,443,"Port of the request, such as 443." -8.9.0-dev+exp,true,url,url.query,keyword,extended,,,Query string of the request. -8.9.0-dev+exp,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.9.0-dev+exp,true,url,url.scheme,keyword,extended,,https,Scheme of the url. -8.9.0-dev+exp,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.9.0-dev+exp,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.9.0-dev+exp,true,url,url.username,keyword,extended,,,Username of the request. -8.9.0-dev+exp,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. -8.9.0-dev+exp,true,user,user.changes.email,keyword,extended,,,User email address. -8.9.0-dev+exp,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.9.0-dev+exp,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.9.0-dev+exp,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-8.9.0-dev+exp,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev+exp,true,user,user.changes.group.name,keyword,extended,,,Name of the group. -8.9.0-dev+exp,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.9.0-dev+exp,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev+exp,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.9.0-dev+exp,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.9.0-dev+exp,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. -8.9.0-dev+exp,true,user,user.effective.email,keyword,extended,,,User email address. -8.9.0-dev+exp,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.9.0-dev+exp,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.9.0-dev+exp,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.9.0-dev+exp,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev+exp,true,user,user.effective.group.name,keyword,extended,,,Name of the group. -8.9.0-dev+exp,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
-8.9.0-dev+exp,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev+exp,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.9.0-dev+exp,true,user,user.email,keyword,extended,,,User email address. -8.9.0-dev+exp,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.9.0-dev+exp,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.9.0-dev+exp,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.9.0-dev+exp,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev+exp,true,user,user.group.name,keyword,extended,,,Name of the group. -8.9.0-dev+exp,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.9.0-dev+exp,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev+exp,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.9.0-dev+exp,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. 
-8.9.0-dev+exp,true,user,user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.9.0-dev+exp,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.9.0-dev+exp,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.9.0-dev+exp,true,user,user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -8.9.0-dev+exp,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.9.0-dev+exp,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. -8.9.0-dev+exp,true,user,user.target.email,keyword,extended,,,User email address. -8.9.0-dev+exp,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.9.0-dev+exp,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.9.0-dev+exp,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.9.0-dev+exp,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev+exp,true,user,user.target.group.name,keyword,extended,,,Name of the group. -8.9.0-dev+exp,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.9.0-dev+exp,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev+exp,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. 
-8.9.0-dev+exp,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev+exp,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.9.0-dev+exp,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. -8.9.0-dev+exp,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. -8.9.0-dev+exp,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -8.9.0-dev+exp,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -8.9.0-dev+exp,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.9.0-dev+exp,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.9.0-dev+exp,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.9.0-dev+exp,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -8.9.0-dev+exp,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.9.0-dev+exp,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.9.0-dev+exp,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." 
-8.9.0-dev+exp,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -8.9.0-dev+exp,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.9.0-dev+exp,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. -8.9.0-dev+exp,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. -8.9.0-dev+exp,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. -8.9.0-dev+exp,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -8.9.0-dev+exp,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -8.9.0-dev+exp,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. -8.9.0-dev+exp,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. -8.9.0-dev+exp,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. -8.9.0-dev+exp,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. -8.9.0-dev+exp,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. -8.9.0-dev+exp,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. -8.9.0-dev+exp,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. -8.9.0-dev+exp,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. 
-8.9.0-dev+exp,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. -8.9.0-dev+exp,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. +8.10.0-dev+exp,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. +8.10.0-dev+exp,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. +8.10.0-dev+exp,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer. +8.10.0-dev+exp,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. +8.10.0-dev+exp,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. +8.10.0-dev+exp,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. +8.10.0-dev+exp,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. +8.10.0-dev+exp,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. +8.10.0-dev+exp,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. +8.10.0-dev+exp,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. +8.10.0-dev+exp,true,cgroup,cgroup.cpu.periods,long,extended,,454839343,Number of period intervals that have elapsed. +8.10.0-dev+exp,true,cgroup,cgroup.cpu.throttled.us,long,extended,,15000,Microseconds of CPU throttled time. +8.10.0-dev+exp,true,cgroup,cgroup.cpu.usage,scaled_float,extended,,,"CPU usage, normalized by the CPU count." +8.10.0-dev+exp,true,cgroup,cgroup.memory.limit,long,extended,,256,Memory limit within the cgroup. +8.10.0-dev+exp,true,cgroup,cgroup.memory.swap.usage,long,extended,,5600,The amount of cgroup memory in swap. 
+8.10.0-dev+exp,true,cgroup,cgroup.memory.usage,long,extended,,25600,Memory usage in bytes +8.10.0-dev+exp,true,cgroup,cgroup.version,long,extended,,,The cgroup version linked to the metrics +8.10.0-dev+exp,true,client,client.address,keyword,extended,,,Client network address. +8.10.0-dev+exp,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.10.0-dev+exp,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.10.0-dev+exp,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.10.0-dev+exp,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. +8.10.0-dev+exp,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client. +8.10.0-dev+exp,true,client,client.geo.city_name,keyword,core,,Montreal,City name. +8.10.0-dev+exp,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. +8.10.0-dev+exp,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. +8.10.0-dev+exp,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.10.0-dev+exp,true,client,client.geo.country_name,keyword,core,,Canada,Country name. +8.10.0-dev+exp,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.10.0-dev+exp,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.10.0-dev+exp,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. +8.10.0-dev+exp,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.10.0-dev+exp,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. +8.10.0-dev+exp,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.10.0-dev+exp,true,client,client.ip,ip,core,,,IP address of the client. 
+8.10.0-dev+exp,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. +8.10.0-dev+exp,true,client,client.nat.ip,ip,extended,,,Client NAT ip address +8.10.0-dev+exp,true,client,client.nat.port,long,extended,,,Client NAT port +8.10.0-dev+exp,true,client,client.packets,long,core,,12,Packets sent from the client to the server. +8.10.0-dev+exp,true,client,client.port,long,core,,,Port of the client. +8.10.0-dev+exp,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." +8.10.0-dev+exp,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. +8.10.0-dev+exp,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.10.0-dev+exp,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.10.0-dev+exp,true,client,client.user.email,keyword,extended,,,User email address. +8.10.0-dev+exp,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.10.0-dev+exp,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.10.0-dev+exp,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.10.0-dev+exp,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev+exp,true,client,client.user.group.name,keyword,extended,,,Name of the group. +8.10.0-dev+exp,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.10.0-dev+exp,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev+exp,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. 
+8.10.0-dev+exp,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.10.0-dev+exp,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. +8.10.0-dev+exp,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. +8.10.0-dev+exp,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +8.10.0-dev+exp,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +8.10.0-dev+exp,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. +8.10.0-dev+exp,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +8.10.0-dev+exp,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. +8.10.0-dev+exp,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. +8.10.0-dev+exp,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +8.10.0-dev+exp,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +8.10.0-dev+exp,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine. +8.10.0-dev+exp,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +8.10.0-dev+exp,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id. +8.10.0-dev+exp,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name. 
+8.10.0-dev+exp,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider. +8.10.0-dev+exp,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +8.10.0-dev+exp,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name. +8.10.0-dev+exp,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. +8.10.0-dev+exp,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. +8.10.0-dev+exp,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. +8.10.0-dev+exp,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +8.10.0-dev+exp,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. +8.10.0-dev+exp,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id. +8.10.0-dev+exp,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name. +8.10.0-dev+exp,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +8.10.0-dev+exp,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +8.10.0-dev+exp,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine. +8.10.0-dev+exp,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +8.10.0-dev+exp,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id. +8.10.0-dev+exp,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name. +8.10.0-dev+exp,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider. 
+8.10.0-dev+exp,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +8.10.0-dev+exp,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name. +8.10.0-dev+exp,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +8.10.0-dev+exp,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +8.10.0-dev+exp,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +8.10.0-dev+exp,true,container,container.id,keyword,core,,,Unique container id. +8.10.0-dev+exp,true,container,container.image.hash.all,keyword,extended,array,[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26],An array of digests of the image the container was built on. +8.10.0-dev+exp,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. +8.10.0-dev+exp,true,container,container.image.tag,keyword,extended,array,,Container image tags. +8.10.0-dev+exp,true,container,container.labels,object,extended,,,Image labels. +8.10.0-dev+exp,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1." +8.10.0-dev+exp,true,container,container.name,keyword,extended,,,Container name. +8.10.0-dev+exp,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +8.10.0-dev+exp,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +8.10.0-dev+exp,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. +8.10.0-dev+exp,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. 
+8.10.0-dev+exp,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. +8.10.0-dev+exp,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. +8.10.0-dev+exp,true,destination,destination.address,keyword,extended,,,Destination network address. +8.10.0-dev+exp,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.10.0-dev+exp,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.10.0-dev+exp,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.10.0-dev+exp,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. +8.10.0-dev+exp,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination. +8.10.0-dev+exp,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. +8.10.0-dev+exp,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. +8.10.0-dev+exp,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. +8.10.0-dev+exp,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.10.0-dev+exp,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. +8.10.0-dev+exp,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.10.0-dev+exp,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.10.0-dev+exp,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. +8.10.0-dev+exp,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 
+8.10.0-dev+exp,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. +8.10.0-dev+exp,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.10.0-dev+exp,true,destination,destination.ip,ip,core,,,IP address of the destination. +8.10.0-dev+exp,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. +8.10.0-dev+exp,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip +8.10.0-dev+exp,true,destination,destination.nat.port,long,extended,,,Destination NAT Port +8.10.0-dev+exp,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. +8.10.0-dev+exp,true,destination,destination.port,long,core,,,Port of the destination. +8.10.0-dev+exp,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." +8.10.0-dev+exp,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. +8.10.0-dev+exp,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.10.0-dev+exp,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.10.0-dev+exp,true,destination,destination.user.email,keyword,extended,,,User email address. +8.10.0-dev+exp,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.10.0-dev+exp,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.10.0-dev+exp,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.10.0-dev+exp,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+8.10.0-dev+exp,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. +8.10.0-dev+exp,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.10.0-dev+exp,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev+exp,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.10.0-dev+exp,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. +8.10.0-dev+exp,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. +8.10.0-dev+exp,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. +8.10.0-dev+exp,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. +8.10.0-dev+exp,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.10.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.10.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.10.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
+8.10.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.10.0-dev+exp,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.10.0-dev+exp,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.10.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.10.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.10.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. +8.10.0-dev+exp,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. +8.10.0-dev+exp,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. +8.10.0-dev+exp,true,dll,dll.hash.sha384,keyword,extended,,,SHA384 hash. +8.10.0-dev+exp,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. +8.10.0-dev+exp,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.10.0-dev+exp,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. +8.10.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. +8.10.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. +8.10.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.10.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.10.0-dev+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.10.0-dev+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.10.0-dev+exp,true,dll,dll.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. 
+8.10.0-dev+exp,true,dll,dll.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.10.0-dev+exp,true,dll,dll.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.10.0-dev+exp,true,dll,dll.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.10.0-dev+exp,true,dll,dll.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.10.0-dev+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.10.0-dev+exp,true,dll,dll.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.10.0-dev+exp,true,dll,dll.pe.imports,flattened,extended,array,,List of imported element names and types. +8.10.0-dev+exp,true,dll,dll.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev+exp,true,dll,dll.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev+exp,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.10.0-dev+exp,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.10.0-dev+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.10.0-dev+exp,true,dll,dll.pe.sections,nested,extended,array,,Section information of the PE file. +8.10.0-dev+exp,true,dll,dll.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.10.0-dev+exp,true,dll,dll.pe.sections.name,keyword,extended,,,PE Section List name. 
+8.10.0-dev+exp,true,dll,dll.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.10.0-dev+exp,true,dll,dll.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.10.0-dev+exp,true,dll,dll.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.10.0-dev+exp,true,dns,dns.answers,object,extended,array,,Array of DNS answers. +8.10.0-dev+exp,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. +8.10.0-dev+exp,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. +8.10.0-dev+exp,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. +8.10.0-dev+exp,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. +8.10.0-dev+exp,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. +8.10.0-dev+exp,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. +8.10.0-dev+exp,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. +8.10.0-dev+exp,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. +8.10.0-dev+exp,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. +8.10.0-dev+exp,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. +8.10.0-dev+exp,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." +8.10.0-dev+exp,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. 
+8.10.0-dev+exp,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.10.0-dev+exp,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. +8.10.0-dev+exp,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data +8.10.0-dev+exp,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. +8.10.0-dev+exp,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." +8.10.0-dev+exp,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. +8.10.0-dev+exp,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. +8.10.0-dev+exp,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. +8.10.0-dev+exp,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. +8.10.0-dev+exp,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. +8.10.0-dev+exp,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. +8.10.0-dev+exp,true,email,email.attachments.file.hash.sha384,keyword,extended,,,SHA384 hash. +8.10.0-dev+exp,true,email,email.attachments.file.hash.sha512,keyword,extended,,,SHA512 hash. +8.10.0-dev+exp,true,email,email.attachments.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.10.0-dev+exp,true,email,email.attachments.file.hash.tlsh,keyword,extended,,,TLSH hash. +8.10.0-dev+exp,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file. +8.10.0-dev+exp,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file. +8.10.0-dev+exp,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size. 
+8.10.0-dev+exp,true,email,email.bcc.address,keyword,extended,array,bcc.user1@example.com,Email address of BCC recipient +8.10.0-dev+exp,true,email,email.cc.address,keyword,extended,array,cc.user1@example.com,Email address of CC recipient +8.10.0-dev+exp,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message. +8.10.0-dev+exp,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered. +8.10.0-dev+exp,true,email,email.direction,keyword,extended,,inbound,Direction of the message. +8.10.0-dev+exp,true,email,email.from.address,keyword,extended,array,sender@example.com,The sender's email address. +8.10.0-dev+exp,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source. +8.10.0-dev+exp,true,email,email.message_id,wildcard,extended,,81ce15$8r2j59@mail01.example.com,Value from the Message-ID header. +8.10.0-dev+exp,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed. +8.10.0-dev+exp,true,email,email.reply_to.address,keyword,extended,array,reply.here@example.com,Address replies should be delivered to. +8.10.0-dev+exp,true,email,email.sender.address,keyword,extended,,,Address of the message sender. +8.10.0-dev+exp,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message. +8.10.0-dev+exp,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. +8.10.0-dev+exp,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient +8.10.0-dev+exp,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. +8.10.0-dev+exp,true,error,error.code,keyword,core,,,Error code describing the error. +8.10.0-dev+exp,true,error,error.id,keyword,core,,,Unique identifier for the error. 
+8.10.0-dev+exp,true,error,error.message,match_only_text,core,,,Error message. +8.10.0-dev+exp,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. +8.10.0-dev+exp,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text. +8.10.0-dev+exp,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." +8.10.0-dev+exp,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. +8.10.0-dev+exp,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. +8.10.0-dev+exp,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. +8.10.0-dev+exp,true,event,event.code,keyword,extended,,4648,Identification code for this event. +8.10.0-dev+exp,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. +8.10.0-dev+exp,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. +8.10.0-dev+exp,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. +8.10.0-dev+exp,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. +8.10.0-dev+exp,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +8.10.0-dev+exp,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. +8.10.0-dev+exp,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. +8.10.0-dev+exp,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. 
+8.10.0-dev+exp,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. +8.10.0-dev+exp,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +8.10.0-dev+exp,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. +8.10.0-dev+exp,true,event,event.provider,keyword,extended,,kernel,Source of the event. +8.10.0-dev+exp,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" +8.10.0-dev+exp,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL +8.10.0-dev+exp,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +8.10.0-dev+exp,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). +8.10.0-dev+exp,true,event,event.sequence,long,extended,,,Sequence number of the event. +8.10.0-dev+exp,true,event,event.severity,long,core,,7,Numeric severity of the event. +8.10.0-dev+exp,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. +8.10.0-dev+exp,true,event,event.timezone,keyword,extended,,,Event time zone. +8.10.0-dev+exp,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. +8.10.0-dev+exp,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL +8.10.0-dev+exp,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function. 
+8.10.0-dev+exp,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. +8.10.0-dev+exp,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. +8.10.0-dev+exp,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. +8.10.0-dev+exp,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." +8.10.0-dev+exp,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. +8.10.0-dev+exp,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. +8.10.0-dev+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed. +8.10.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +8.10.0-dev+exp,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.10.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.10.0-dev+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.10.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.10.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.10.0-dev+exp,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.10.0-dev+exp,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 
+8.10.0-dev+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.10.0-dev+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.10.0-dev+exp,true,file,file.created,date,extended,,,File creation time. +8.10.0-dev+exp,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. +8.10.0-dev+exp,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. +8.10.0-dev+exp,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. +8.10.0-dev+exp,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +8.10.0-dev+exp,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.10.0-dev+exp,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.10.0-dev+exp,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.10.0-dev+exp,true,file,file.elf.creation_date,date,extended,,,Build or compile date. +8.10.0-dev+exp,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. +8.10.0-dev+exp,true,file,file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.10.0-dev+exp,true,file,file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.10.0-dev+exp,true,file,file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.10.0-dev+exp,true,file,file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.10.0-dev+exp,true,file,file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
+8.10.0-dev+exp,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.10.0-dev+exp,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.10.0-dev+exp,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.10.0-dev+exp,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.10.0-dev+exp,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.10.0-dev+exp,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.10.0-dev+exp,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.10.0-dev+exp,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. +8.10.0-dev+exp,true,file,file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.10.0-dev+exp,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. +8.10.0-dev+exp,true,file,file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev+exp,true,file,file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev+exp,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. +8.10.0-dev+exp,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.10.0-dev+exp,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.10.0-dev+exp,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.10.0-dev+exp,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. 
+8.10.0-dev+exp,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.10.0-dev+exp,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.10.0-dev+exp,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.10.0-dev+exp,true,file,file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.10.0-dev+exp,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.10.0-dev+exp,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.10.0-dev+exp,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. +8.10.0-dev+exp,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.10.0-dev+exp,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. +8.10.0-dev+exp,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.10.0-dev+exp,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.10.0-dev+exp,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +8.10.0-dev+exp,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +8.10.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +8.10.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file. +8.10.0-dev+exp,true,file,file.hash.md5,keyword,extended,,,MD5 hash. +8.10.0-dev+exp,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. +8.10.0-dev+exp,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. +8.10.0-dev+exp,true,file,file.hash.sha384,keyword,extended,,,SHA384 hash. +8.10.0-dev+exp,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. 
+8.10.0-dev+exp,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.10.0-dev+exp,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. +8.10.0-dev+exp,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +8.10.0-dev+exp,true,file,file.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +8.10.0-dev+exp,true,file,file.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.10.0-dev+exp,true,file,file.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.10.0-dev+exp,true,file,file.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.10.0-dev+exp,true,file,file.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.10.0-dev+exp,true,file,file.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +8.10.0-dev+exp,true,file,file.macho.imports,flattened,extended,array,,List of imported element names and types. +8.10.0-dev+exp,true,file,file.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev+exp,true,file,file.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev+exp,true,file,file.macho.sections,nested,extended,array,,Section information of the Mach-O file. +8.10.0-dev+exp,true,file,file.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.10.0-dev+exp,true,file,file.macho.sections.name,keyword,extended,,,Mach-O Section List name. +8.10.0-dev+exp,true,file,file.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. 
+8.10.0-dev+exp,true,file,file.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.10.0-dev+exp,true,file,file.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +8.10.0-dev+exp,true,file,file.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +8.10.0-dev+exp,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +8.10.0-dev+exp,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. +8.10.0-dev+exp,true,file,file.mtime,date,extended,,,Last time the file content was modified. +8.10.0-dev+exp,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +8.10.0-dev+exp,true,file,file.owner,keyword,extended,,alice,File owner's username. +8.10.0-dev+exp,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.10.0-dev+exp,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.10.0-dev+exp,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.10.0-dev+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.10.0-dev+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.10.0-dev+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.10.0-dev+exp,true,file,file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +8.10.0-dev+exp,true,file,file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. 
+8.10.0-dev+exp,true,file,file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.10.0-dev+exp,true,file,file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.10.0-dev+exp,true,file,file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.10.0-dev+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.10.0-dev+exp,true,file,file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.10.0-dev+exp,true,file,file.pe.imports,flattened,extended,array,,List of imported element names and types. +8.10.0-dev+exp,true,file,file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev+exp,true,file,file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev+exp,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.10.0-dev+exp,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.10.0-dev+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.10.0-dev+exp,true,file,file.pe.sections,nested,extended,array,,Section information of the PE file. +8.10.0-dev+exp,true,file,file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.10.0-dev+exp,true,file,file.pe.sections.name,keyword,extended,,,PE Section List name. +8.10.0-dev+exp,true,file,file.pe.sections.physical_size,long,extended,,,PE Section List physical size. 
+8.10.0-dev+exp,true,file,file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.10.0-dev+exp,true,file,file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.10.0-dev+exp,true,file,file.size,long,extended,,16384,File size in bytes. +8.10.0-dev+exp,true,file,file.target_path,keyword,extended,,,Target path for symlinks. +8.10.0-dev+exp,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. +8.10.0-dev+exp,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +8.10.0-dev+exp,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +8.10.0-dev+exp,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.10.0-dev+exp,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.10.0-dev+exp,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.10.0-dev+exp,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.10.0-dev+exp,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.10.0-dev+exp,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.10.0-dev+exp,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+8.10.0-dev+exp,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.10.0-dev+exp,true,file,file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.10.0-dev+exp,true,file,file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.10.0-dev+exp,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.10.0-dev+exp,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.10.0-dev+exp,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.10.0-dev+exp,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.10.0-dev+exp,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.10.0-dev+exp,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.10.0-dev+exp,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.10.0-dev+exp,true,file,file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.10.0-dev+exp,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.10.0-dev+exp,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.10.0-dev+exp,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. 
+8.10.0-dev+exp,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.10.0-dev+exp,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.10.0-dev+exp,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. +8.10.0-dev+exp,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.10.0-dev+exp,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev+exp,true,group,group.name,keyword,extended,,,Name of the group. +8.10.0-dev+exp,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. +8.10.0-dev+exp,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id +8.10.0-dev+exp,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +8.10.0-dev+exp,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +8.10.0-dev+exp,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +8.10.0-dev+exp,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. +8.10.0-dev+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name. +8.10.0-dev+exp,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. +8.10.0-dev+exp,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. +8.10.0-dev+exp,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.10.0-dev+exp,true,host,host.geo.country_name,keyword,core,,Canada,Country name. +8.10.0-dev+exp,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
+8.10.0-dev+exp,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.10.0-dev+exp,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. +8.10.0-dev+exp,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.10.0-dev+exp,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. +8.10.0-dev+exp,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.10.0-dev+exp,true,host,host.hostname,keyword,core,,,Hostname of the host. +8.10.0-dev+exp,true,host,host.id,keyword,core,,,Unique host id. +8.10.0-dev+exp,true,host,host.ip,ip,core,array,,Host ip addresses. +8.10.0-dev+exp,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. +8.10.0-dev+exp,true,host,host.name,keyword,core,,,Name of the host. +8.10.0-dev+exp,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +8.10.0-dev+exp,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. +8.10.0-dev+exp,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +8.10.0-dev+exp,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. +8.10.0-dev+exp,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +8.10.0-dev+exp,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.10.0-dev+exp,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.10.0-dev+exp,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +8.10.0-dev+exp,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." 
+8.10.0-dev+exp,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +8.10.0-dev+exp,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +8.10.0-dev+exp,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +8.10.0-dev+exp,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +8.10.0-dev+exp,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode +8.10.0-dev+exp,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.10.0-dev+exp,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.10.0-dev+exp,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.10.0-dev+exp,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.10.0-dev+exp,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.10.0-dev+exp,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +8.10.0-dev+exp,true,host,host.type,keyword,core,,,Type of host. +8.10.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. +8.10.0-dev+exp,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. 
+8.10.0-dev+exp,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. +8.10.0-dev+exp,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body. +8.10.0-dev+exp,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). +8.10.0-dev+exp,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. +8.10.0-dev+exp,true,http,http.request.method,keyword,extended,,POST,HTTP request method. +8.10.0-dev+exp,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. +8.10.0-dev+exp,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. +8.10.0-dev+exp,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. +8.10.0-dev+exp,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. +8.10.0-dev+exp,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body. +8.10.0-dev+exp,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). +8.10.0-dev+exp,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. +8.10.0-dev+exp,true,http,http.response.status_code,long,extended,,404,HTTP response status code. +8.10.0-dev+exp,true,http,http.version,keyword,extended,,1.1,HTTP version. +8.10.0-dev+exp,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. +8.10.0-dev+exp,true,log,log.level,keyword,core,,error,Log level of the log event. +8.10.0-dev+exp,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. +8.10.0-dev+exp,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event. 
+8.10.0-dev+exp,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. +8.10.0-dev+exp,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. +8.10.0-dev+exp,true,log,log.syslog,object,extended,,,Syslog metadata +8.10.0-dev+exp,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. +8.10.0-dev+exp,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. +8.10.0-dev+exp,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. +8.10.0-dev+exp,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. +8.10.0-dev+exp,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. +8.10.0-dev+exp,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. +8.10.0-dev+exp,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. +8.10.0-dev+exp,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. +8.10.0-dev+exp,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. +8.10.0-dev+exp,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages. +8.10.0-dev+exp,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. +8.10.0-dev+exp,true,network,network.application,keyword,extended,,aim,Application level protocol name. +8.10.0-dev+exp,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. +8.10.0-dev+exp,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. +8.10.0-dev+exp,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. 
+8.10.0-dev+exp,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. +8.10.0-dev+exp,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. +8.10.0-dev+exp,true,network,network.inner,object,extended,,,Inner VLAN tag information +8.10.0-dev+exp,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.10.0-dev+exp,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.10.0-dev+exp,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. +8.10.0-dev+exp,true,network,network.packets,long,core,,24,Total packets transferred in both directions. +8.10.0-dev+exp,true,network,network.protocol,keyword,core,,http,Application protocol name. +8.10.0-dev+exp,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. +8.10.0-dev+exp,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" +8.10.0-dev+exp,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.10.0-dev+exp,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.10.0-dev+exp,true,observer,observer.egress,object,extended,,,Object field for egress information +8.10.0-dev+exp,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias +8.10.0-dev+exp,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID +8.10.0-dev+exp,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name +8.10.0-dev+exp,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.10.0-dev+exp,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. 
+8.10.0-dev+exp,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone +8.10.0-dev+exp,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. +8.10.0-dev+exp,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. +8.10.0-dev+exp,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. +8.10.0-dev+exp,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.10.0-dev+exp,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. +8.10.0-dev+exp,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.10.0-dev+exp,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.10.0-dev+exp,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. +8.10.0-dev+exp,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.10.0-dev+exp,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. +8.10.0-dev+exp,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.10.0-dev+exp,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. +8.10.0-dev+exp,true,observer,observer.ingress,object,extended,,,Object field for ingress information +8.10.0-dev+exp,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias +8.10.0-dev+exp,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID +8.10.0-dev+exp,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name +8.10.0-dev+exp,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.10.0-dev+exp,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. 
+8.10.0-dev+exp,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone +8.10.0-dev+exp,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. +8.10.0-dev+exp,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. +8.10.0-dev+exp,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. +8.10.0-dev+exp,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +8.10.0-dev+exp,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.10.0-dev+exp,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.10.0-dev+exp,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +8.10.0-dev+exp,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +8.10.0-dev+exp,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +8.10.0-dev+exp,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +8.10.0-dev+exp,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +8.10.0-dev+exp,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +8.10.0-dev+exp,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. +8.10.0-dev+exp,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. +8.10.0-dev+exp,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. 
+8.10.0-dev+exp,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. +8.10.0-dev+exp,true,observer,observer.version,keyword,core,,,Observer version. +8.10.0-dev+exp,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action +8.10.0-dev+exp,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster. +8.10.0-dev+exp,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster. +8.10.0-dev+exp,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster. +8.10.0-dev+exp,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. +8.10.0-dev+exp,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. +8.10.0-dev+exp,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). +8.10.0-dev+exp,true,orchestrator,orchestrator.resource.annotation,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of annotations added to the resource. +8.10.0-dev+exp,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. +8.10.0-dev+exp,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. +8.10.0-dev+exp,true,orchestrator,orchestrator.resource.label,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of labels added to the resource. +8.10.0-dev+exp,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. +8.10.0-dev+exp,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. 
+8.10.0-dev+exp,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. +8.10.0-dev+exp,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)." +8.10.0-dev+exp,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. +8.10.0-dev+exp,true,organization,organization.name,keyword,extended,,,Organization name. +8.10.0-dev+exp,true,organization,organization.name.text,match_only_text,extended,,,Organization name. +8.10.0-dev+exp,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. +8.10.0-dev+exp,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information +8.10.0-dev+exp,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. +8.10.0-dev+exp,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. +8.10.0-dev+exp,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." +8.10.0-dev+exp,true,package,package.installed,date,extended,,,Time when package was installed. +8.10.0-dev+exp,true,package,package.license,keyword,extended,,Apache License 2.0,Package license +8.10.0-dev+exp,true,package,package.name,keyword,extended,,go,Package name +8.10.0-dev+exp,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. +8.10.0-dev+exp,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL +8.10.0-dev+exp,true,package,package.size,long,extended,,62231,Package size in bytes. 
+8.10.0-dev+exp,true,package,package.type,keyword,extended,,rpm,Package type +8.10.0-dev+exp,true,package,package.version,keyword,extended,,1.12.9,Package version +8.10.0-dev+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.10.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array. +8.10.0-dev+exp,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.10.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.10.0-dev+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.10.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.10.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.10.0-dev+exp,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.10.0-dev+exp,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.10.0-dev+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.10.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.10.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.10.0-dev+exp,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
+8.10.0-dev+exp,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.10.0-dev+exp,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.10.0-dev+exp,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.10.0-dev+exp,true,process,process.elf.creation_date,date,extended,,,Build or compile date. +8.10.0-dev+exp,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. +8.10.0-dev+exp,true,process,process.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.10.0-dev+exp,true,process,process.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.10.0-dev+exp,true,process,process.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.10.0-dev+exp,true,process,process.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.10.0-dev+exp,true,process,process.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.10.0-dev+exp,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.10.0-dev+exp,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.10.0-dev+exp,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.10.0-dev+exp,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.10.0-dev+exp,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.10.0-dev+exp,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. 
+8.10.0-dev+exp,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.10.0-dev+exp,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. +8.10.0-dev+exp,true,process,process.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.10.0-dev+exp,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. +8.10.0-dev+exp,true,process,process.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev+exp,true,process,process.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev+exp,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. +8.10.0-dev+exp,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.10.0-dev+exp,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.10.0-dev+exp,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.10.0-dev+exp,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. +8.10.0-dev+exp,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.10.0-dev+exp,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.10.0-dev+exp,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. +8.10.0-dev+exp,true,process,process.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.10.0-dev+exp,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. 
+8.10.0-dev+exp,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.10.0-dev+exp,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. +8.10.0-dev+exp,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.10.0-dev+exp,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. +8.10.0-dev+exp,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.10.0-dev+exp,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.10.0-dev+exp,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +8.10.0-dev+exp,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.10.0-dev+exp,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.10.0-dev+exp,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. +8.10.0-dev+exp,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group. +8.10.0-dev+exp,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev+exp,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,process,process.entry_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
+8.10.0-dev+exp,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.10.0-dev+exp,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.10.0-dev+exp,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. +8.10.0-dev+exp,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. +8.10.0-dev+exp,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.10.0-dev+exp,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.10.0-dev+exp,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev+exp,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. +8.10.0-dev+exp,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.10.0-dev+exp,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. +8.10.0-dev+exp,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. +8.10.0-dev+exp,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.10.0-dev+exp,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. +8.10.0-dev+exp,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.10.0-dev+exp,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. 
+8.10.0-dev+exp,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.10.0-dev+exp,true,process,process.entry_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. +8.10.0-dev+exp,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.10.0-dev+exp,true,process,process.entry_leader.parent.vpid,long,core,,4242,Virtual process id. +8.10.0-dev+exp,true,process,process.entry_leader.pid,long,core,,4242,Process id. +8.10.0-dev+exp,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev+exp,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. +8.10.0-dev+exp,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev+exp,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +8.10.0-dev+exp,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev+exp,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. +8.10.0-dev+exp,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev+exp,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. 
+8.10.0-dev+exp,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.10.0-dev+exp,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev+exp,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +8.10.0-dev+exp,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. +8.10.0-dev+exp,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.10.0-dev+exp,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.10.0-dev+exp,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev+exp,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,process,process.entry_leader.vpid,long,core,,4242,Virtual process id. +8.10.0-dev+exp,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.10.0-dev+exp,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.10.0-dev+exp,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. +8.10.0-dev+exp,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 
+8.10.0-dev+exp,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.10.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process. +8.10.0-dev+exp,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.10.0-dev+exp,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. +8.10.0-dev+exp,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.10.0-dev+exp,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.10.0-dev+exp,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.10.0-dev+exp,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.10.0-dev+exp,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.10.0-dev+exp,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev+exp,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. +8.10.0-dev+exp,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.10.0-dev+exp,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. +8.10.0-dev+exp,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. +8.10.0-dev+exp,true,process,process.group_leader.pid,long,core,,4242,Process id. 
+8.10.0-dev+exp,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev+exp,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. +8.10.0-dev+exp,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev+exp,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +8.10.0-dev+exp,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev+exp,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. +8.10.0-dev+exp,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev+exp,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.10.0-dev+exp,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev+exp,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. 
+8.10.0-dev+exp,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. +8.10.0-dev+exp,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.10.0-dev+exp,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.10.0-dev+exp,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev+exp,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,process,process.group_leader.vpid,long,core,,4242,Virtual process id. +8.10.0-dev+exp,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.10.0-dev+exp,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.10.0-dev+exp,true,process,process.hash.md5,keyword,extended,,,MD5 hash. +8.10.0-dev+exp,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. +8.10.0-dev+exp,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. +8.10.0-dev+exp,true,process,process.hash.sha384,keyword,extended,,,SHA384 hash. +8.10.0-dev+exp,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. +8.10.0-dev+exp,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.10.0-dev+exp,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. +8.10.0-dev+exp,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.10.0-dev+exp,true,process,process.io,object,extended,,,A chunk of input or output (IO) from a single process. 
+8.10.0-dev+exp,true,process,process.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. +8.10.0-dev+exp,true,process,process.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. +8.10.0-dev+exp,true,process,process.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. +8.10.0-dev+exp,true,process,process.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." +8.10.0-dev+exp,true,process,process.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. +8.10.0-dev+exp,true,process,process.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. +8.10.0-dev+exp,true,process,process.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. +8.10.0-dev+exp,true,process,process.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. +8.10.0-dev+exp,true,process,process.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +8.10.0-dev+exp,true,process,process.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.10.0-dev+exp,true,process,process.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.10.0-dev+exp,true,process,process.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.10.0-dev+exp,true,process,process.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
+8.10.0-dev+exp,true,process,process.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +8.10.0-dev+exp,true,process,process.macho.imports,flattened,extended,array,,List of imported element names and types. +8.10.0-dev+exp,true,process,process.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev+exp,true,process,process.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev+exp,true,process,process.macho.sections,nested,extended,array,,Section information of the Mach-O file. +8.10.0-dev+exp,true,process,process.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.10.0-dev+exp,true,process,process.macho.sections.name,keyword,extended,,,Mach-O Section List name. +8.10.0-dev+exp,true,process,process.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +8.10.0-dev+exp,true,process,process.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.10.0-dev+exp,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +8.10.0-dev+exp,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +8.10.0-dev+exp,true,process,process.name,keyword,extended,,ssh,Process name. +8.10.0-dev+exp,true,process,process.name.text,match_only_text,extended,,ssh,Process name. +8.10.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.10.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. 
+8.10.0-dev+exp,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.10.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.10.0-dev+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.10.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.10.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.10.0-dev+exp,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.10.0-dev+exp,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.10.0-dev+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.10.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.10.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.10.0-dev+exp,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.10.0-dev+exp,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.10.0-dev+exp,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.10.0-dev+exp,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. 
+8.10.0-dev+exp,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. +8.10.0-dev+exp,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. +8.10.0-dev+exp,true,process,process.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.10.0-dev+exp,true,process,process.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.10.0-dev+exp,true,process,process.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.10.0-dev+exp,true,process,process.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.10.0-dev+exp,true,process,process.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.10.0-dev+exp,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.10.0-dev+exp,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.10.0-dev+exp,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.10.0-dev+exp,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.10.0-dev+exp,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.10.0-dev+exp,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.10.0-dev+exp,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.10.0-dev+exp,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. 
+8.10.0-dev+exp,true,process,process.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.10.0-dev+exp,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. +8.10.0-dev+exp,true,process,process.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev+exp,true,process,process.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev+exp,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. +8.10.0-dev+exp,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.10.0-dev+exp,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.10.0-dev+exp,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.10.0-dev+exp,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. +8.10.0-dev+exp,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.10.0-dev+exp,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.10.0-dev+exp,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. +8.10.0-dev+exp,true,process,process.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.10.0-dev+exp,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.10.0-dev+exp,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. 
+8.10.0-dev+exp,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. +8.10.0-dev+exp,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.10.0-dev+exp,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. +8.10.0-dev+exp,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.10.0-dev+exp,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.10.0-dev+exp,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +8.10.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.10.0-dev+exp,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.10.0-dev+exp,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.10.0-dev+exp,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. +8.10.0-dev+exp,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev+exp,true,process,process.parent.group.name,keyword,extended,,,Name of the group. +8.10.0-dev+exp,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.10.0-dev+exp,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. +8.10.0-dev+exp,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.10.0-dev+exp,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id. +8.10.0-dev+exp,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. 
+8.10.0-dev+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. +8.10.0-dev+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. +8.10.0-dev+exp,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash. +8.10.0-dev+exp,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. +8.10.0-dev+exp,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.10.0-dev+exp,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. +8.10.0-dev+exp,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.10.0-dev+exp,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +8.10.0-dev+exp,true,process,process.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.10.0-dev+exp,true,process,process.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.10.0-dev+exp,true,process,process.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.10.0-dev+exp,true,process,process.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.10.0-dev+exp,true,process,process.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +8.10.0-dev+exp,true,process,process.parent.macho.imports,flattened,extended,array,,List of imported element names and types. +8.10.0-dev+exp,true,process,process.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
+8.10.0-dev+exp,true,process,process.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev+exp,true,process,process.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file. +8.10.0-dev+exp,true,process,process.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.10.0-dev+exp,true,process,process.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name. +8.10.0-dev+exp,true,process,process.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +8.10.0-dev+exp,true,process,process.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.10.0-dev+exp,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +8.10.0-dev+exp,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +8.10.0-dev+exp,true,process,process.parent.name,keyword,extended,,ssh,Process name. +8.10.0-dev+exp,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. +8.10.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.10.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.10.0-dev+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.10.0-dev+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 
+8.10.0-dev+exp,true,process,process.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +8.10.0-dev+exp,true,process,process.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.10.0-dev+exp,true,process,process.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.10.0-dev+exp,true,process,process.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.10.0-dev+exp,true,process,process.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.10.0-dev+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.10.0-dev+exp,true,process,process.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.10.0-dev+exp,true,process,process.parent.pe.imports,flattened,extended,array,,List of imported element names and types. +8.10.0-dev+exp,true,process,process.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev+exp,true,process,process.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev+exp,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.10.0-dev+exp,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.10.0-dev+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 
+8.10.0-dev+exp,true,process,process.parent.pe.sections,nested,extended,array,,Section information of the PE file. +8.10.0-dev+exp,true,process,process.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.10.0-dev+exp,true,process,process.parent.pe.sections.name,keyword,extended,,,PE Section List name. +8.10.0-dev+exp,true,process,process.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.10.0-dev+exp,true,process,process.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.10.0-dev+exp,true,process,process.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.10.0-dev+exp,true,process,process.parent.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. +8.10.0-dev+exp,true,process,process.parent.pid,long,core,,4242,Process id. +8.10.0-dev+exp,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev+exp,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. +8.10.0-dev+exp,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev+exp,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev+exp,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group. +8.10.0-dev+exp,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
+8.10.0-dev+exp,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.10.0-dev+exp,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev+exp,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. +8.10.0-dev+exp,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. +8.10.0-dev+exp,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. +8.10.0-dev+exp,true,process,process.parent.title,keyword,extended,,,Process title. +8.10.0-dev+exp,true,process,process.parent.title.text,match_only_text,extended,,,Process title. +8.10.0-dev+exp,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. +8.10.0-dev+exp,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.10.0-dev+exp,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.10.0-dev+exp,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. +8.10.0-dev+exp,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev+exp,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,process,process.parent.vpid,long,core,,4242,Virtual process id. 
+8.10.0-dev+exp,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.10.0-dev+exp,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.10.0-dev+exp,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.10.0-dev+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.10.0-dev+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.10.0-dev+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.10.0-dev+exp,true,process,process.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +8.10.0-dev+exp,true,process,process.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.10.0-dev+exp,true,process,process.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.10.0-dev+exp,true,process,process.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.10.0-dev+exp,true,process,process.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.10.0-dev+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.10.0-dev+exp,true,process,process.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.10.0-dev+exp,true,process,process.pe.imports,flattened,extended,array,,List of imported element names and types. 
+8.10.0-dev+exp,true,process,process.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev+exp,true,process,process.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev+exp,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.10.0-dev+exp,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.10.0-dev+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.10.0-dev+exp,true,process,process.pe.sections,nested,extended,array,,Section information of the PE file. +8.10.0-dev+exp,true,process,process.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.10.0-dev+exp,true,process,process.pe.sections.name,keyword,extended,,,PE Section List name. +8.10.0-dev+exp,true,process,process.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.10.0-dev+exp,true,process,process.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.10.0-dev+exp,true,process,process.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.10.0-dev+exp,true,process,process.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. +8.10.0-dev+exp,true,process,process.pid,long,core,,4242,Process id. +8.10.0-dev+exp,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.10.0-dev+exp,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. 
+8.10.0-dev+exp,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.10.0-dev+exp,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.10.0-dev+exp,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev+exp,true,process,process.real_group.name,keyword,extended,,,Name of the group. +8.10.0-dev+exp,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev+exp,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev+exp,true,process,process.saved_group.name,keyword,extended,,,Name of the group. +8.10.0-dev+exp,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev+exp,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.10.0-dev+exp,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array. +8.10.0-dev+exp,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
+8.10.0-dev+exp,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.10.0-dev+exp,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.10.0-dev+exp,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.10.0-dev+exp,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.10.0-dev+exp,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev+exp,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. +8.10.0-dev+exp,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.10.0-dev+exp,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. +8.10.0-dev+exp,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. +8.10.0-dev+exp,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.10.0-dev+exp,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. +8.10.0-dev+exp,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.10.0-dev+exp,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. +8.10.0-dev+exp,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.10.0-dev+exp,true,process,process.session_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. 
+8.10.0-dev+exp,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.10.0-dev+exp,true,process,process.session_leader.parent.vpid,long,core,,4242,Virtual process id. +8.10.0-dev+exp,true,process,process.session_leader.pid,long,core,,4242,Process id. +8.10.0-dev+exp,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev+exp,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. +8.10.0-dev+exp,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev+exp,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +8.10.0-dev+exp,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev+exp,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group. +8.10.0-dev+exp,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev+exp,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 
+8.10.0-dev+exp,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev+exp,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +8.10.0-dev+exp,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. +8.10.0-dev+exp,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.10.0-dev+exp,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.10.0-dev+exp,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev+exp,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,process,process.session_leader.vpid,long,core,,4242,Virtual process id. +8.10.0-dev+exp,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.10.0-dev+exp,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.10.0-dev+exp,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.10.0-dev+exp,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev+exp,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. +8.10.0-dev+exp,true,process,process.thread.id,long,extended,,4242,Thread ID. +8.10.0-dev+exp,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. 
+8.10.0-dev+exp,true,process,process.title,keyword,extended,,,Process title. +8.10.0-dev+exp,true,process,process.title.text,match_only_text,extended,,,Process title. +8.10.0-dev+exp,true,process,process.tty,object,extended,,,Information about the controlling TTY device. +8.10.0-dev+exp,true,process,process.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.10.0-dev+exp,true,process,process.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.10.0-dev+exp,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width +8.10.0-dev+exp,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height +8.10.0-dev+exp,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. +8.10.0-dev+exp,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev+exp,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,process,process.vpid,long,core,,4242,Virtual process id. +8.10.0-dev+exp,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.10.0-dev+exp,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.10.0-dev+exp,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +8.10.0-dev+exp,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. 
+8.10.0-dev+exp,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +8.10.0-dev+exp,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +8.10.0-dev+exp,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +8.10.0-dev+exp,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +8.10.0-dev+exp,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. +8.10.0-dev+exp,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. +8.10.0-dev+exp,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. +8.10.0-dev+exp,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. +8.10.0-dev+exp,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. 
+8.10.0-dev+exp,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author +8.10.0-dev+exp,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category +8.10.0-dev+exp,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description +8.10.0-dev+exp,true,rule,rule.id,keyword,extended,,101,Rule ID +8.10.0-dev+exp,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license +8.10.0-dev+exp,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name +8.10.0-dev+exp,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL +8.10.0-dev+exp,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset +8.10.0-dev+exp,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID +8.10.0-dev+exp,true,rule,rule.version,keyword,extended,,1.1,Rule version +8.10.0-dev+exp,true,server,server.address,keyword,extended,,,Server network address. +8.10.0-dev+exp,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.10.0-dev+exp,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.10.0-dev+exp,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.10.0-dev+exp,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. +8.10.0-dev+exp,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server. +8.10.0-dev+exp,true,server,server.geo.city_name,keyword,core,,Montreal,City name. +8.10.0-dev+exp,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. +8.10.0-dev+exp,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. +8.10.0-dev+exp,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.10.0-dev+exp,true,server,server.geo.country_name,keyword,core,,Canada,Country name. 
+8.10.0-dev+exp,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.10.0-dev+exp,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.10.0-dev+exp,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. +8.10.0-dev+exp,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.10.0-dev+exp,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. +8.10.0-dev+exp,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.10.0-dev+exp,true,server,server.ip,ip,core,,,IP address of the server. +8.10.0-dev+exp,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. +8.10.0-dev+exp,true,server,server.nat.ip,ip,extended,,,Server NAT ip +8.10.0-dev+exp,true,server,server.nat.port,long,extended,,,Server NAT port +8.10.0-dev+exp,true,server,server.packets,long,core,,12,Packets sent from the server to the client. +8.10.0-dev+exp,true,server,server.port,long,core,,,Port of the server. +8.10.0-dev+exp,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." +8.10.0-dev+exp,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. +8.10.0-dev+exp,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.10.0-dev+exp,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.10.0-dev+exp,true,server,server.user.email,keyword,extended,,,User email address. +8.10.0-dev+exp,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.10.0-dev+exp,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
+8.10.0-dev+exp,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.10.0-dev+exp,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev+exp,true,server,server.user.group.name,keyword,extended,,,Name of the group. +8.10.0-dev+exp,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.10.0-dev+exp,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev+exp,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.10.0-dev+exp,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. +8.10.0-dev+exp,true,service,service.environment,keyword,extended,,production,Environment of the service. +8.10.0-dev+exp,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +8.10.0-dev+exp,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +8.10.0-dev+exp,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. +8.10.0-dev+exp,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. +8.10.0-dev+exp,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +8.10.0-dev+exp,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. 
+8.10.0-dev+exp,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. +8.10.0-dev+exp,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. +8.10.0-dev+exp,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +8.10.0-dev+exp,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +8.10.0-dev+exp,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. +8.10.0-dev+exp,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. +8.10.0-dev+exp,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +8.10.0-dev+exp,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +8.10.0-dev+exp,true,service,service.origin.state,keyword,core,,,Current state of the service. +8.10.0-dev+exp,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. +8.10.0-dev+exp,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. +8.10.0-dev+exp,true,service,service.state,keyword,core,,,Current state of the service. +8.10.0-dev+exp,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service. +8.10.0-dev+exp,true,service,service.target.environment,keyword,extended,,production,Environment of the service. +8.10.0-dev+exp,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +8.10.0-dev+exp,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +8.10.0-dev+exp,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. 
+8.10.0-dev+exp,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. +8.10.0-dev+exp,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +8.10.0-dev+exp,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +8.10.0-dev+exp,true,service,service.target.state,keyword,core,,,Current state of the service. +8.10.0-dev+exp,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. +8.10.0-dev+exp,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. +8.10.0-dev+exp,true,service,service.type,keyword,core,,elasticsearch,The type of the service. +8.10.0-dev+exp,true,service,service.version,keyword,core,,3.2.4,Version of the service. +8.10.0-dev+exp,true,source,source.address,keyword,extended,,,Source network address. +8.10.0-dev+exp,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.10.0-dev+exp,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.10.0-dev+exp,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.10.0-dev+exp,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. +8.10.0-dev+exp,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source. +8.10.0-dev+exp,true,source,source.geo.city_name,keyword,core,,Montreal,City name. +8.10.0-dev+exp,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. +8.10.0-dev+exp,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. +8.10.0-dev+exp,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.10.0-dev+exp,true,source,source.geo.country_name,keyword,core,,Canada,Country name. 
+8.10.0-dev+exp,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.10.0-dev+exp,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.10.0-dev+exp,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. +8.10.0-dev+exp,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.10.0-dev+exp,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. +8.10.0-dev+exp,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.10.0-dev+exp,true,source,source.ip,ip,core,,,IP address of the source. +8.10.0-dev+exp,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +8.10.0-dev+exp,true,source,source.nat.ip,ip,extended,,,Source NAT ip +8.10.0-dev+exp,true,source,source.nat.port,long,extended,,,Source NAT port +8.10.0-dev+exp,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. +8.10.0-dev+exp,true,source,source.port,long,core,,,Port of the source. +8.10.0-dev+exp,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +8.10.0-dev+exp,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. +8.10.0-dev+exp,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.10.0-dev+exp,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.10.0-dev+exp,true,source,source.user.email,keyword,extended,,,User email address. +8.10.0-dev+exp,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.10.0-dev+exp,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
+8.10.0-dev+exp,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.10.0-dev+exp,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev+exp,true,source,source.user.group.name,keyword,extended,,,Name of the group. +8.10.0-dev+exp,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.10.0-dev+exp,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev+exp,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.10.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. +8.10.0-dev+exp,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. 
+8.10.0-dev+exp,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 
+8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
+8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
+8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. 
+8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." 
+8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
+8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. 
+8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
+8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.10.0-dev+exp,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. 
+8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. 
+8.10.0-dev+exp,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. 
+8.10.0-dev+exp,true,threat,threat.enrichments.indicator.name,keyword,extended,,5.2.75.227,Indicator display name +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. 
+8.10.0-dev+exp,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." 
+8.10.0-dev+exp,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. 
+8.10.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.10.0-dev+exp,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
+8.10.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.10.0-dev+exp,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. 
+8.10.0-dev+exp,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value +8.10.0-dev+exp,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field +8.10.0-dev+exp,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier +8.10.0-dev+exp,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index +8.10.0-dev+exp,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05T17:00:58.326Z,Date of match +8.10.0-dev+exp,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match +8.10.0-dev+exp,true,threat,threat.feed.dashboard_id,keyword,extended,,5ba16340-72e6-11eb-a3e3-b3cc7c78a70f,Feed dashboard ID. +8.10.0-dev+exp,true,threat,threat.feed.description,keyword,extended,,Threat feed from the AlienVault Open Threat eXchange network.,Description of the threat feed. +8.10.0-dev+exp,true,threat,threat.feed.name,keyword,extended,,AlienVault OTX,Name of the threat feed. +8.10.0-dev+exp,true,threat,threat.feed.reference,keyword,extended,,https://otx.alienvault.com,Reference for the threat feed. +8.10.0-dev+exp,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. +8.10.0-dev+exp,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. +8.10.0-dev+exp,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. +8.10.0-dev+exp,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. +8.10.0-dev+exp,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. +8.10.0-dev+exp,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. 
+8.10.0-dev+exp,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.10.0-dev+exp,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.10.0-dev+exp,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating +8.10.0-dev+exp,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +8.10.0-dev+exp,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +8.10.0-dev+exp,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. +8.10.0-dev+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +8.10.0-dev+exp,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.10.0-dev+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.10.0-dev+exp,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.10.0-dev+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.10.0-dev+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.10.0-dev+exp,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.10.0-dev+exp,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 
+8.10.0-dev+exp,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.10.0-dev+exp,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.10.0-dev+exp,true,threat,threat.indicator.file.created,date,extended,,,File creation time. +8.10.0-dev+exp,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +8.10.0-dev+exp,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +8.10.0-dev+exp,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +8.10.0-dev+exp,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +8.10.0-dev+exp,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.10.0-dev+exp,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.10.0-dev+exp,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.10.0-dev+exp,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +8.10.0-dev+exp,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +8.10.0-dev+exp,true,threat,threat.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.10.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.10.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
+8.10.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.10.0-dev+exp,true,threat,threat.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.10.0-dev+exp,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.10.0-dev+exp,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.10.0-dev+exp,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.10.0-dev+exp,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.10.0-dev+exp,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.10.0-dev+exp,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.10.0-dev+exp,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.10.0-dev+exp,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +8.10.0-dev+exp,true,threat,threat.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.10.0-dev+exp,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +8.10.0-dev+exp,true,threat,threat.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev+exp,true,threat,threat.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
+8.10.0-dev+exp,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +8.10.0-dev+exp,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.10.0-dev+exp,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.10.0-dev+exp,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.10.0-dev+exp,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +8.10.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.10.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.10.0-dev+exp,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.10.0-dev+exp,true,threat,threat.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.10.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.10.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.10.0-dev+exp,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. +8.10.0-dev+exp,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.10.0-dev+exp,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +8.10.0-dev+exp,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.10.0-dev+exp,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. 
+8.10.0-dev+exp,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +8.10.0-dev+exp,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +8.10.0-dev+exp,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +8.10.0-dev+exp,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +8.10.0-dev+exp,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. +8.10.0-dev+exp,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. +8.10.0-dev+exp,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. +8.10.0-dev+exp,true,threat,threat.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. +8.10.0-dev+exp,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. +8.10.0-dev+exp,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.10.0-dev+exp,true,threat,threat.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. +8.10.0-dev+exp,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +8.10.0-dev+exp,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +8.10.0-dev+exp,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +8.10.0-dev+exp,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. +8.10.0-dev+exp,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +8.10.0-dev+exp,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. 
+8.10.0-dev+exp,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.10.0-dev+exp,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.10.0-dev+exp,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.10.0-dev+exp,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.10.0-dev+exp,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.10.0-dev+exp,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.10.0-dev+exp,true,threat,threat.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +8.10.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.10.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.10.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.10.0-dev+exp,true,threat,threat.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.10.0-dev+exp,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.10.0-dev+exp,true,threat,threat.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. 
+8.10.0-dev+exp,true,threat,threat.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. +8.10.0-dev+exp,true,threat,threat.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev+exp,true,threat,threat.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev+exp,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.10.0-dev+exp,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.10.0-dev+exp,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.10.0-dev+exp,true,threat,threat.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. +8.10.0-dev+exp,true,threat,threat.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.10.0-dev+exp,true,threat,threat.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. +8.10.0-dev+exp,true,threat,threat.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.10.0-dev+exp,true,threat,threat.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.10.0-dev+exp,true,threat,threat.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.10.0-dev+exp,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. 
+8.10.0-dev+exp,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +8.10.0-dev+exp,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. +8.10.0-dev+exp,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +8.10.0-dev+exp,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +8.10.0-dev+exp,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.10.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.10.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.10.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.10.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.10.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.10.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+8.10.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.10.0-dev+exp,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.10.0-dev+exp,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.10.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.10.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.10.0-dev+exp,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.10.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.10.0-dev+exp,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.10.0-dev+exp,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.10.0-dev+exp,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.10.0-dev+exp,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.10.0-dev+exp,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
+8.10.0-dev+exp,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.10.0-dev+exp,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.10.0-dev+exp,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.10.0-dev+exp,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.10.0-dev+exp,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. +8.10.0-dev+exp,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +8.10.0-dev+exp,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. +8.10.0-dev+exp,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. +8.10.0-dev+exp,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +8.10.0-dev+exp,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.10.0-dev+exp,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. +8.10.0-dev+exp,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.10.0-dev+exp,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.10.0-dev+exp,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. +8.10.0-dev+exp,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.10.0-dev+exp,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. 
+8.10.0-dev+exp,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.10.0-dev+exp,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +8.10.0-dev+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +8.10.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking +8.10.0-dev+exp,true,threat,threat.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version +8.10.0-dev+exp,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. +8.10.0-dev+exp,true,threat,threat.indicator.name,keyword,extended,,5.2.75.227,Indicator display name +8.10.0-dev+exp,true,threat,threat.indicator.port,long,extended,,443,Indicator port +8.10.0-dev+exp,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +8.10.0-dev+exp,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +8.10.0-dev+exp,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +8.10.0-dev+exp,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +8.10.0-dev+exp,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +8.10.0-dev+exp,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +8.10.0-dev+exp,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. 
+8.10.0-dev+exp,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +8.10.0-dev+exp,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. +8.10.0-dev+exp,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics +8.10.0-dev+exp,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed +8.10.0-dev+exp,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +8.10.0-dev+exp,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +8.10.0-dev+exp,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +8.10.0-dev+exp,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +8.10.0-dev+exp,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.10.0-dev+exp,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.10.0-dev+exp,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.10.0-dev+exp,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.10.0-dev+exp,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. +8.10.0-dev+exp,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." 
+8.10.0-dev+exp,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." +8.10.0-dev+exp,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. +8.10.0-dev+exp,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +8.10.0-dev+exp,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +8.10.0-dev+exp,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +8.10.0-dev+exp,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.10.0-dev+exp,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. +8.10.0-dev+exp,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.10.0-dev+exp,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.10.0-dev+exp,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.10.0-dev+exp,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.10.0-dev+exp,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.10.0-dev+exp,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.10.0-dev+exp,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+8.10.0-dev+exp,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.10.0-dev+exp,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.10.0-dev+exp,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.10.0-dev+exp,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.10.0-dev+exp,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.10.0-dev+exp,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.10.0-dev+exp,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.10.0-dev+exp,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.10.0-dev+exp,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.10.0-dev+exp,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.10.0-dev+exp,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.10.0-dev+exp,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
+8.10.0-dev+exp,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.10.0-dev+exp,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.10.0-dev+exp,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.10.0-dev+exp,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.10.0-dev+exp,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. +8.10.0-dev+exp,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software +8.10.0-dev+exp,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software +8.10.0-dev+exp,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. +8.10.0-dev+exp,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. +8.10.0-dev+exp,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. +8.10.0-dev+exp,true,threat,threat.software.type,keyword,extended,,Tool,Software type. +8.10.0-dev+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. +8.10.0-dev+exp,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. +8.10.0-dev+exp,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. +8.10.0-dev+exp,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. +8.10.0-dev+exp,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. 
+8.10.0-dev+exp,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name. +8.10.0-dev+exp,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. +8.10.0-dev+exp,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. +8.10.0-dev+exp,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. +8.10.0-dev+exp,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name. +8.10.0-dev+exp,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. +8.10.0-dev+exp,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. +8.10.0-dev+exp,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. +8.10.0-dev+exp,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. +8.10.0-dev+exp,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. +8.10.0-dev+exp,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. +8.10.0-dev+exp,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. 
+8.10.0-dev+exp,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. +8.10.0-dev+exp,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. +8.10.0-dev+exp,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. +8.10.0-dev+exp,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. +8.10.0-dev+exp,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. +8.10.0-dev+exp,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. +8.10.0-dev+exp,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. +8.10.0-dev+exp,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.10.0-dev+exp,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.10.0-dev+exp,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.10.0-dev+exp,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
+8.10.0-dev+exp,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.10.0-dev+exp,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.10.0-dev+exp,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.10.0-dev+exp,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.10.0-dev+exp,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.10.0-dev+exp,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.10.0-dev+exp,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.10.0-dev+exp,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.10.0-dev+exp,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.10.0-dev+exp,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.10.0-dev+exp,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.10.0-dev+exp,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.10.0-dev+exp,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
+8.10.0-dev+exp,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.10.0-dev+exp,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.10.0-dev+exp,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.10.0-dev+exp,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.10.0-dev+exp,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.10.0-dev+exp,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.10.0-dev+exp,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. +8.10.0-dev+exp,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." +8.10.0-dev+exp,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +8.10.0-dev+exp,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. +8.10.0-dev+exp,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +8.10.0-dev+exp,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. +8.10.0-dev+exp,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. 
+8.10.0-dev+exp,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. +8.10.0-dev+exp,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. +8.10.0-dev+exp,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. +8.10.0-dev+exp,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. +8.10.0-dev+exp,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. +8.10.0-dev+exp,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. +8.10.0-dev+exp,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. +8.10.0-dev+exp,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. +8.10.0-dev+exp,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.10.0-dev+exp,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
+8.10.0-dev+exp,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.10.0-dev+exp,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.10.0-dev+exp,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.10.0-dev+exp,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.10.0-dev+exp,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.10.0-dev+exp,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.10.0-dev+exp,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.10.0-dev+exp,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.10.0-dev+exp,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.10.0-dev+exp,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.10.0-dev+exp,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.10.0-dev+exp,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.10.0-dev+exp,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. 
+8.10.0-dev+exp,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.10.0-dev+exp,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.10.0-dev+exp,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.10.0-dev+exp,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.10.0-dev+exp,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.10.0-dev+exp,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.10.0-dev+exp,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.10.0-dev+exp,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.10.0-dev+exp,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. +8.10.0-dev+exp,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. +8.10.0-dev+exp,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. +8.10.0-dev+exp,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. +8.10.0-dev+exp,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. +8.10.0-dev+exp,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. 
+8.10.0-dev+exp,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +8.10.0-dev+exp,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. +8.10.0-dev+exp,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.10.0-dev+exp,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.10.0-dev+exp,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.10.0-dev+exp,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.10.0-dev+exp,true,url,url.password,keyword,extended,,,Password of the request. +8.10.0-dev+exp,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +8.10.0-dev+exp,true,url,url.port,long,extended,,443,"Port of the request, such as 443." +8.10.0-dev+exp,true,url,url.query,keyword,extended,,,Query string of the request. +8.10.0-dev+exp,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +8.10.0-dev+exp,true,url,url.scheme,keyword,extended,,https,Scheme of the url. +8.10.0-dev+exp,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. +8.10.0-dev+exp,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.10.0-dev+exp,true,url,url.username,keyword,extended,,,Username of the request. +8.10.0-dev+exp,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. +8.10.0-dev+exp,true,user,user.changes.email,keyword,extended,,,User email address. 
+8.10.0-dev+exp,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.10.0-dev+exp,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.10.0-dev+exp,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.10.0-dev+exp,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev+exp,true,user,user.changes.group.name,keyword,extended,,,Name of the group. +8.10.0-dev+exp,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.10.0-dev+exp,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev+exp,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.10.0-dev+exp,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.10.0-dev+exp,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. +8.10.0-dev+exp,true,user,user.effective.email,keyword,extended,,,User email address. +8.10.0-dev+exp,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.10.0-dev+exp,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.10.0-dev+exp,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+8.10.0-dev+exp,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev+exp,true,user,user.effective.group.name,keyword,extended,,,Name of the group. +8.10.0-dev+exp,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.10.0-dev+exp,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev+exp,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.10.0-dev+exp,true,user,user.email,keyword,extended,,,User email address. +8.10.0-dev+exp,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.10.0-dev+exp,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.10.0-dev+exp,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.10.0-dev+exp,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev+exp,true,user,user.group.name,keyword,extended,,,Name of the group. +8.10.0-dev+exp,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.10.0-dev+exp,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev+exp,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
+8.10.0-dev+exp,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.10.0-dev+exp,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.10.0-dev+exp,true,user,user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.10.0-dev+exp,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.10.0-dev+exp,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.10.0-dev+exp,true,user,user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +8.10.0-dev+exp,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.10.0-dev+exp,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. +8.10.0-dev+exp,true,user,user.target.email,keyword,extended,,,User email address. +8.10.0-dev+exp,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.10.0-dev+exp,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.10.0-dev+exp,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.10.0-dev+exp,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev+exp,true,user,user.target.group.name,keyword,extended,,,Name of the group. 
+8.10.0-dev+exp,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.10.0-dev+exp,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev+exp,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev+exp,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.10.0-dev+exp,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. +8.10.0-dev+exp,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. +8.10.0-dev+exp,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +8.10.0-dev+exp,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +8.10.0-dev+exp,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +8.10.0-dev+exp,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.10.0-dev+exp,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.10.0-dev+exp,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. 
+8.10.0-dev+exp,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +8.10.0-dev+exp,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +8.10.0-dev+exp,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +8.10.0-dev+exp,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +8.10.0-dev+exp,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +8.10.0-dev+exp,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. +8.10.0-dev+exp,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. +8.10.0-dev+exp,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. +8.10.0-dev+exp,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +8.10.0-dev+exp,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +8.10.0-dev+exp,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. +8.10.0-dev+exp,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. +8.10.0-dev+exp,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. +8.10.0-dev+exp,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. 
+8.10.0-dev+exp,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. +8.10.0-dev+exp,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. +8.10.0-dev+exp,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. +8.10.0-dev+exp,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. +8.10.0-dev+exp,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. +8.10.0-dev+exp,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. diff --git a/experimental/generated/elasticsearch/composable/component/agent.json b/experimental/generated/elasticsearch/composable/component/agent.json index 400335649b..78388b1100 100644 --- a/experimental/generated/elasticsearch/composable/component/agent.json +++ b/experimental/generated/elasticsearch/composable/component/agent.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/base.json b/experimental/generated/elasticsearch/composable/component/base.json index c42f7bf007..fecaea681f 100644 --- a/experimental/generated/elasticsearch/composable/component/base.json +++ b/experimental/generated/elasticsearch/composable/component/base.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/cgroup.json b/experimental/generated/elasticsearch/composable/component/cgroup.json index d764321de9..5d8f391825 100644 
--- a/experimental/generated/elasticsearch/composable/component/cgroup.json +++ b/experimental/generated/elasticsearch/composable/component/cgroup.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cgroup.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/client.json b/experimental/generated/elasticsearch/composable/component/client.json index ff1fd3e8bb..acf7b3df54 100644 --- a/experimental/generated/elasticsearch/composable/component/client.json +++ b/experimental/generated/elasticsearch/composable/component/client.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/cloud.json b/experimental/generated/elasticsearch/composable/component/cloud.json index 076f971d31..0a6fb2bf1b 100644 --- a/experimental/generated/elasticsearch/composable/component/cloud.json +++ b/experimental/generated/elasticsearch/composable/component/cloud.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cloud.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/container.json b/experimental/generated/elasticsearch/composable/component/container.json index 0ac4eac808..61b9d3fb50 100644 --- a/experimental/generated/elasticsearch/composable/component/container.json +++ b/experimental/generated/elasticsearch/composable/component/container.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-container.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/data_stream.json b/experimental/generated/elasticsearch/composable/component/data_stream.json index 8a41e1b0ea..fa237cfa57 100644 --- a/experimental/generated/elasticsearch/composable/component/data_stream.json +++ b/experimental/generated/elasticsearch/composable/component/data_stream.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-data_stream.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/destination.json b/experimental/generated/elasticsearch/composable/component/destination.json index 90158fd329..94b2c25c4e 100644 --- a/experimental/generated/elasticsearch/composable/component/destination.json +++ b/experimental/generated/elasticsearch/composable/component/destination.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/device.json b/experimental/generated/elasticsearch/composable/component/device.json index b951610169..6f76dd04a7 100644 --- a/experimental/generated/elasticsearch/composable/component/device.json +++ b/experimental/generated/elasticsearch/composable/component/device.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-device.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/dll.json b/experimental/generated/elasticsearch/composable/component/dll.json index efdf45bf8f..9f67d33fb1 100644 --- a/experimental/generated/elasticsearch/composable/component/dll.json +++ b/experimental/generated/elasticsearch/composable/component/dll.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dll.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/dns.json b/experimental/generated/elasticsearch/composable/component/dns.json index 153b7ff22b..f7f4941d8a 100644 --- a/experimental/generated/elasticsearch/composable/component/dns.json +++ b/experimental/generated/elasticsearch/composable/component/dns.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/ecs.json b/experimental/generated/elasticsearch/composable/component/ecs.json index 945b28116c..e365369299 100644 --- a/experimental/generated/elasticsearch/composable/component/ecs.json +++ b/experimental/generated/elasticsearch/composable/component/ecs.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/email.json b/experimental/generated/elasticsearch/composable/component/email.json index 7cea6cb835..fa9c6ba80a 100644 --- a/experimental/generated/elasticsearch/composable/component/email.json +++ b/experimental/generated/elasticsearch/composable/component/email.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-email.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/error.json b/experimental/generated/elasticsearch/composable/component/error.json index e6621ceecb..347914573d 100644 --- a/experimental/generated/elasticsearch/composable/component/error.json +++ b/experimental/generated/elasticsearch/composable/component/error.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-error.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/event.json b/experimental/generated/elasticsearch/composable/component/event.json index 7859fe68fc..ecd51fc535 100644 --- a/experimental/generated/elasticsearch/composable/component/event.json +++ b/experimental/generated/elasticsearch/composable/component/event.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/faas.json b/experimental/generated/elasticsearch/composable/component/faas.json index db25dc7466..4dbe1af5ed 100644 --- a/experimental/generated/elasticsearch/composable/component/faas.json +++ b/experimental/generated/elasticsearch/composable/component/faas.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-faas.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/file.json b/experimental/generated/elasticsearch/composable/component/file.json index c7f12b791c..7edda7c20b 100644 --- a/experimental/generated/elasticsearch/composable/component/file.json +++ b/experimental/generated/elasticsearch/composable/component/file.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/group.json b/experimental/generated/elasticsearch/composable/component/group.json index e571b8fd56..2c25549e80 100644 --- a/experimental/generated/elasticsearch/composable/component/group.json +++ b/experimental/generated/elasticsearch/composable/component/group.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-group.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/host.json b/experimental/generated/elasticsearch/composable/component/host.json index 9805c27de9..3be8016d8b 100644 --- a/experimental/generated/elasticsearch/composable/component/host.json +++ b/experimental/generated/elasticsearch/composable/component/host.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/http.json b/experimental/generated/elasticsearch/composable/component/http.json index 57a5ab6d0e..fd9bfc8e60 100644 --- a/experimental/generated/elasticsearch/composable/component/http.json +++ b/experimental/generated/elasticsearch/composable/component/http.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/log.json b/experimental/generated/elasticsearch/composable/component/log.json index 59944d63e1..6bd8603319 100644 --- a/experimental/generated/elasticsearch/composable/component/log.json +++ b/experimental/generated/elasticsearch/composable/component/log.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/network.json b/experimental/generated/elasticsearch/composable/component/network.json index 0bae4a2e61..d402ba78bb 100644 --- a/experimental/generated/elasticsearch/composable/component/network.json +++ b/experimental/generated/elasticsearch/composable/component/network.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/observer.json b/experimental/generated/elasticsearch/composable/component/observer.json index 0c5e3a9df4..7686e9a604 100644 --- a/experimental/generated/elasticsearch/composable/component/observer.json +++ b/experimental/generated/elasticsearch/composable/component/observer.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/orchestrator.json b/experimental/generated/elasticsearch/composable/component/orchestrator.json index ae8295a66f..38531f3d75 100644 --- a/experimental/generated/elasticsearch/composable/component/orchestrator.json +++ b/experimental/generated/elasticsearch/composable/component/orchestrator.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-orchestrator.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/organization.json b/experimental/generated/elasticsearch/composable/component/organization.json index c3a52d21ab..8a2a2d8b05 100644 --- a/experimental/generated/elasticsearch/composable/component/organization.json +++ b/experimental/generated/elasticsearch/composable/component/organization.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-organization.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/package.json b/experimental/generated/elasticsearch/composable/component/package.json index d20fbdff5f..eeedf1914f 100644 --- a/experimental/generated/elasticsearch/composable/component/package.json +++ b/experimental/generated/elasticsearch/composable/component/package.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-package.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/process.json b/experimental/generated/elasticsearch/composable/component/process.json index 45b31b978b..2bba95883f 100644 --- a/experimental/generated/elasticsearch/composable/component/process.json 
+++ b/experimental/generated/elasticsearch/composable/component/process.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/registry.json b/experimental/generated/elasticsearch/composable/component/registry.json index cc4b0bd5e3..5ea2af86ec 100644 --- a/experimental/generated/elasticsearch/composable/component/registry.json +++ b/experimental/generated/elasticsearch/composable/component/registry.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-registry.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/related.json b/experimental/generated/elasticsearch/composable/component/related.json index de13d8aef8..7f13db613a 100644 --- a/experimental/generated/elasticsearch/composable/component/related.json +++ b/experimental/generated/elasticsearch/composable/component/related.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-related.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/rule.json b/experimental/generated/elasticsearch/composable/component/rule.json index c40dd66416..434c426d59 100644 --- a/experimental/generated/elasticsearch/composable/component/rule.json +++ b/experimental/generated/elasticsearch/composable/component/rule.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/server.json b/experimental/generated/elasticsearch/composable/component/server.json index 2ceda6687b..0428a7bb07 100644 --- a/experimental/generated/elasticsearch/composable/component/server.json +++ b/experimental/generated/elasticsearch/composable/component/server.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/service.json b/experimental/generated/elasticsearch/composable/component/service.json index 88d85c58a1..72718bc224 100644 --- a/experimental/generated/elasticsearch/composable/component/service.json +++ b/experimental/generated/elasticsearch/composable/component/service.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/source.json b/experimental/generated/elasticsearch/composable/component/source.json index 225cecfff5..d5d7bce3eb 100644 --- a/experimental/generated/elasticsearch/composable/component/source.json +++ b/experimental/generated/elasticsearch/composable/component/source.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/threat.json b/experimental/generated/elasticsearch/composable/component/threat.json index d15aa1186f..7b652d6791 100644 --- a/experimental/generated/elasticsearch/composable/component/threat.json +++ b/experimental/generated/elasticsearch/composable/component/threat.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-threat.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/tls.json b/experimental/generated/elasticsearch/composable/component/tls.json index 40008b12b4..512f95a6e8 100644 --- a/experimental/generated/elasticsearch/composable/component/tls.json +++ b/experimental/generated/elasticsearch/composable/component/tls.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tls.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/tracing.json b/experimental/generated/elasticsearch/composable/component/tracing.json index f0ccf8d906..55e6a8d986 100644 --- a/experimental/generated/elasticsearch/composable/component/tracing.json +++ b/experimental/generated/elasticsearch/composable/component/tracing.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tracing.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/url.json b/experimental/generated/elasticsearch/composable/component/url.json index a1b0e899ab..67619ff74f 100644 --- a/experimental/generated/elasticsearch/composable/component/url.json +++ b/experimental/generated/elasticsearch/composable/component/url.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/user.json b/experimental/generated/elasticsearch/composable/component/user.json index 79f572a641..3da71b9cbd 100644 --- a/experimental/generated/elasticsearch/composable/component/user.json +++ b/experimental/generated/elasticsearch/composable/component/user.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/user_agent.json b/experimental/generated/elasticsearch/composable/component/user_agent.json index af7a0ea9e9..3a181766bd 100644 --- a/experimental/generated/elasticsearch/composable/component/user_agent.json +++ b/experimental/generated/elasticsearch/composable/component/user_agent.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/vulnerability.json b/experimental/generated/elasticsearch/composable/component/vulnerability.json index f522d8de43..5b358e5921 100644 --- a/experimental/generated/elasticsearch/composable/component/vulnerability.json +++ b/experimental/generated/elasticsearch/composable/component/vulnerability.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/template.json b/experimental/generated/elasticsearch/composable/template.json index fcd1ba5dc4..0b774a2c32 100644 --- a/experimental/generated/elasticsearch/composable/template.json 
+++ b/experimental/generated/elasticsearch/composable/template.json 
@@ -1,49 +1,49 @@ { "_meta": { "description": "Sample composable template that includes all ECS fields", - "ecs_version": "8.9.0-dev+exp" + "ecs_version": "8.10.0-dev+exp" }, "composed_of": [ - "ecs_8.9.0-dev-exp_cgroup", - "ecs_8.9.0-dev-exp_base", - "ecs_8.9.0-dev-exp_agent", - "ecs_8.9.0-dev-exp_client", - "ecs_8.9.0-dev-exp_cloud", - "ecs_8.9.0-dev-exp_container", - "ecs_8.9.0-dev-exp_data_stream", - "ecs_8.9.0-dev-exp_destination", - "ecs_8.9.0-dev-exp_device", - "ecs_8.9.0-dev-exp_dll", - "ecs_8.9.0-dev-exp_dns", - "ecs_8.9.0-dev-exp_ecs", - "ecs_8.9.0-dev-exp_email", - "ecs_8.9.0-dev-exp_error", - "ecs_8.9.0-dev-exp_event", - "ecs_8.9.0-dev-exp_faas", - "ecs_8.9.0-dev-exp_file", - "ecs_8.9.0-dev-exp_group", - "ecs_8.9.0-dev-exp_host", - "ecs_8.9.0-dev-exp_http", - "ecs_8.9.0-dev-exp_log", - "ecs_8.9.0-dev-exp_network", - "ecs_8.9.0-dev-exp_observer", - "ecs_8.9.0-dev-exp_orchestrator", - "ecs_8.9.0-dev-exp_organization", - "ecs_8.9.0-dev-exp_package", - "ecs_8.9.0-dev-exp_process", - "ecs_8.9.0-dev-exp_registry", - "ecs_8.9.0-dev-exp_related", - "ecs_8.9.0-dev-exp_rule", - "ecs_8.9.0-dev-exp_server", - "ecs_8.9.0-dev-exp_service", - "ecs_8.9.0-dev-exp_source", - "ecs_8.9.0-dev-exp_threat", - "ecs_8.9.0-dev-exp_tls", - "ecs_8.9.0-dev-exp_tracing", - "ecs_8.9.0-dev-exp_url", - "ecs_8.9.0-dev-exp_user_agent", - "ecs_8.9.0-dev-exp_user", - "ecs_8.9.0-dev-exp_vulnerability" + "ecs_8.10.0-dev-exp_cgroup", + "ecs_8.10.0-dev-exp_base", + "ecs_8.10.0-dev-exp_agent", + "ecs_8.10.0-dev-exp_client", + "ecs_8.10.0-dev-exp_cloud", + "ecs_8.10.0-dev-exp_container", + "ecs_8.10.0-dev-exp_data_stream", + "ecs_8.10.0-dev-exp_destination", + "ecs_8.10.0-dev-exp_device", + "ecs_8.10.0-dev-exp_dll", + "ecs_8.10.0-dev-exp_dns", + "ecs_8.10.0-dev-exp_ecs", + "ecs_8.10.0-dev-exp_email", + "ecs_8.10.0-dev-exp_error", + "ecs_8.10.0-dev-exp_event", + "ecs_8.10.0-dev-exp_faas", + "ecs_8.10.0-dev-exp_file", + "ecs_8.10.0-dev-exp_group", + "ecs_8.10.0-dev-exp_host", + 
"ecs_8.10.0-dev-exp_http", + "ecs_8.10.0-dev-exp_log", + "ecs_8.10.0-dev-exp_network", + "ecs_8.10.0-dev-exp_observer", + "ecs_8.10.0-dev-exp_orchestrator", + "ecs_8.10.0-dev-exp_organization", + "ecs_8.10.0-dev-exp_package", + "ecs_8.10.0-dev-exp_process", + "ecs_8.10.0-dev-exp_registry", + "ecs_8.10.0-dev-exp_related", + "ecs_8.10.0-dev-exp_rule", + "ecs_8.10.0-dev-exp_server", + "ecs_8.10.0-dev-exp_service", + "ecs_8.10.0-dev-exp_source", + "ecs_8.10.0-dev-exp_threat", + "ecs_8.10.0-dev-exp_tls", + "ecs_8.10.0-dev-exp_tracing", + "ecs_8.10.0-dev-exp_url", + "ecs_8.10.0-dev-exp_user_agent", + "ecs_8.10.0-dev-exp_user", + "ecs_8.10.0-dev-exp_vulnerability" ], "index_patterns": [ "try-ecs-*" diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index eea9f65645..e04671d803 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -4,7 +4,7 @@ ], "mappings": { "_meta": { - "version": "8.9.0-dev+exp" + "version": "8.10.0-dev+exp" }, "date_detection": false, "dynamic_templates": [ diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 4874bbb2aa..1c99c802b3 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -1,5 +1,5 @@ # WARNING! Do not edit this file directly, it was generated by the ECS project, -# based on ECS version 8.9.0-dev. +# based on ECS version 8.10.0-dev. # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields. - key: ecs diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 82a0b4ddc5..4ccb5f6a15 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
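Review bot: in the `experimental/generated/elasticsearch/composable/template.json` hunk, `_meta.ecs_version` keeps the `+` build-metadata separator (`"8.10.0-dev+exp"`) while every `composed_of` entry substitutes `-` for it (`"ecs_8.10.0-dev-exp_cgroup"`); this matches the removed `-` lines, which made the same substitution for 8.9.0, but the per-component hunks earlier in this patch only touch `_meta` and never show the name each component template is registered under, so please confirm that the tooling which installs the components derives their names with the same `+` to `-` substitution, otherwise `composed_of` will reference component templates that do not exist. Because the header of `generated/beats/fields.ecs.yml` states that the file is generated and must not be edited directly, it would also help to confirm that all of these files came from a regeneration after the source version bump rather than from a manual search-and-replace.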
@@ -1,1743 +1,1743 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description -8.9.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. -8.9.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. -8.9.0-dev,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer. -8.9.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. -8.9.0-dev,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. -8.9.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. -8.9.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. -8.9.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. -8.9.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. -8.9.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. -8.9.0-dev,true,client,client.address,keyword,extended,,,Client network address. -8.9.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.9.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.9.0-dev,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.9.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. -8.9.0-dev,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client. -8.9.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name. -8.9.0-dev,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. 
-8.9.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. -8.9.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.9.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name. -8.9.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.9.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.9.0-dev,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. -8.9.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.9.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. -8.9.0-dev,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.9.0-dev,true,client,client.ip,ip,core,,,IP address of the client. -8.9.0-dev,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. -8.9.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address -8.9.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port -8.9.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. -8.9.0-dev,true,client,client.port,long,core,,,Port of the client. -8.9.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." -8.9.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. -8.9.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.9.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.9.0-dev,true,client,client.user.email,keyword,extended,,,User email address. -8.9.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
-8.9.0-dev,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.9.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.9.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group. -8.9.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.9.0-dev,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.9.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. -8.9.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. -8.9.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -8.9.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -8.9.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. -8.9.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.9.0-dev,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. -8.9.0-dev,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. 
-8.9.0-dev,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -8.9.0-dev,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -8.9.0-dev,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine. -8.9.0-dev,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.9.0-dev,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id. -8.9.0-dev,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name. -8.9.0-dev,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider. -8.9.0-dev,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -8.9.0-dev,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name. -8.9.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. -8.9.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. -8.9.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. -8.9.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -8.9.0-dev,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. -8.9.0-dev,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id. -8.9.0-dev,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name. -8.9.0-dev,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -8.9.0-dev,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. 
-8.9.0-dev,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine. -8.9.0-dev,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.9.0-dev,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id. -8.9.0-dev,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name. -8.9.0-dev,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider. -8.9.0-dev,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -8.9.0-dev,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name. -8.9.0-dev,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -8.9.0-dev,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -8.9.0-dev,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -8.9.0-dev,true,container,container.id,keyword,core,,,Unique container id. -8.9.0-dev,true,container,container.image.hash.all,keyword,extended,array,[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26],An array of digests of the image the container was built on. -8.9.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. -8.9.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags. -8.9.0-dev,true,container,container.labels,object,extended,,,Image labels. -8.9.0-dev,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1." -8.9.0-dev,true,container,container.name,keyword,extended,,,Container name. -8.9.0-dev,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. 
-8.9.0-dev,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -8.9.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. -8.9.0-dev,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. -8.9.0-dev,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. -8.9.0-dev,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. -8.9.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address. -8.9.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.9.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.9.0-dev,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.9.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. -8.9.0-dev,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination. -8.9.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. -8.9.0-dev,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. -8.9.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. -8.9.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.9.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. -8.9.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
-8.9.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.9.0-dev,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. -8.9.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.9.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. -8.9.0-dev,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.9.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. -8.9.0-dev,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. -8.9.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip -8.9.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port -8.9.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. -8.9.0-dev,true,destination,destination.port,long,core,,,Port of the destination. -8.9.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." -8.9.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. -8.9.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.9.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.9.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address. -8.9.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.9.0-dev,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
-8.9.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.9.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. -8.9.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.9.0-dev,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.9.0-dev,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. -8.9.0-dev,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. -8.9.0-dev,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. -8.9.0-dev,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. -8.9.0-dev,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.9.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.9.0-dev,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 
-8.9.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.9.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.9.0-dev,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.9.0-dev,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.9.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.9.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.9.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. -8.9.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. -8.9.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. -8.9.0-dev,true,dll,dll.hash.sha384,keyword,extended,,,SHA384 hash. -8.9.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. -8.9.0-dev,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.9.0-dev,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. -8.9.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. -8.9.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. -8.9.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.9.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.9.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.9.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 
-8.9.0-dev,true,dll,dll.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.9.0-dev,true,dll,dll.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.9.0-dev,true,dll,dll.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.9.0-dev,true,dll,dll.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.9.0-dev,true,dll,dll.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.9.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.9.0-dev,true,dll,dll.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.9.0-dev,true,dll,dll.pe.imports,flattened,extended,array,,List of imported element names and types. -8.9.0-dev,true,dll,dll.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev,true,dll,dll.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.9.0-dev,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.9.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.9.0-dev,true,dll,dll.pe.sections,nested,extended,array,,Section information of the PE file. -8.9.0-dev,true,dll,dll.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. 
-8.9.0-dev,true,dll,dll.pe.sections.name,keyword,extended,,,PE Section List name. -8.9.0-dev,true,dll,dll.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.9.0-dev,true,dll,dll.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.9.0-dev,true,dll,dll.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.9.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. -8.9.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. -8.9.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. -8.9.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. -8.9.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. -8.9.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. -8.9.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. -8.9.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. -8.9.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. -8.9.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. -8.9.0-dev,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. -8.9.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." -8.9.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. 
-8.9.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.9.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. -8.9.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data -8.9.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. -8.9.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." -8.9.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. -8.9.0-dev,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. -8.9.0-dev,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. -8.9.0-dev,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. -8.9.0-dev,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.9.0-dev,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.9.0-dev,true,email,email.attachments.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.9.0-dev,true,email,email.attachments.file.hash.sha512,keyword,extended,,,SHA512 hash. -8.9.0-dev,true,email,email.attachments.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.9.0-dev,true,email,email.attachments.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.9.0-dev,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file. -8.9.0-dev,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file. -8.9.0-dev,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size. 
-8.9.0-dev,true,email,email.bcc.address,keyword,extended,array,bcc.user1@example.com,Email address of BCC recipient -8.9.0-dev,true,email,email.cc.address,keyword,extended,array,cc.user1@example.com,Email address of CC recipient -8.9.0-dev,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message. -8.9.0-dev,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered. -8.9.0-dev,true,email,email.direction,keyword,extended,,inbound,Direction of the message. -8.9.0-dev,true,email,email.from.address,keyword,extended,array,sender@example.com,The sender's email address. -8.9.0-dev,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source. -8.9.0-dev,true,email,email.message_id,wildcard,extended,,81ce15$8r2j59@mail01.example.com,Value from the Message-ID header. -8.9.0-dev,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed. -8.9.0-dev,true,email,email.reply_to.address,keyword,extended,array,reply.here@example.com,Address replies should be delivered to. -8.9.0-dev,true,email,email.sender.address,keyword,extended,,,Address of the message sender. -8.9.0-dev,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message. -8.9.0-dev,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. -8.9.0-dev,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient -8.9.0-dev,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. -8.9.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. -8.9.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. -8.9.0-dev,true,error,error.message,match_only_text,core,,,Error message. 
-8.9.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. -8.9.0-dev,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text. -8.9.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." -8.9.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. -8.9.0-dev,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. -8.9.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. -8.9.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event. -8.9.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. -8.9.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. -8.9.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. -8.9.0-dev,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. -8.9.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. -8.9.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. -8.9.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. -8.9.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. -8.9.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. 
-8.9.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. -8.9.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. -8.9.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. -8.9.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" -8.9.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL -8.9.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. -8.9.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). -8.9.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event. -8.9.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event. -8.9.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. -8.9.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone. -8.9.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. -8.9.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL -8.9.0-dev,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function. -8.9.0-dev,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. 
-8.9.0-dev,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. -8.9.0-dev,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. -8.9.0-dev,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." -8.9.0-dev,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. -8.9.0-dev,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. -8.9.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. -8.9.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.9.0-dev,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.9.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.9.0-dev,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.9.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.9.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.9.0-dev,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.9.0-dev,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.9.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.9.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 
-8.9.0-dev,true,file,file.created,date,extended,,,File creation time. -8.9.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.9.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. -8.9.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.9.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.9.0-dev,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.9.0-dev,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.9.0-dev,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.9.0-dev,true,file,file.elf.creation_date,date,extended,,,Build or compile date. -8.9.0-dev,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.9.0-dev,true,file,file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.9.0-dev,true,file,file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.9.0-dev,true,file,file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.9.0-dev,true,file,file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.9.0-dev,true,file,file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.9.0-dev,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.9.0-dev,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.9.0-dev,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. 
-8.9.0-dev,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.9.0-dev,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.9.0-dev,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.9.0-dev,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.9.0-dev,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.9.0-dev,true,file,file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.9.0-dev,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. -8.9.0-dev,true,file,file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev,true,file,file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. -8.9.0-dev,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.9.0-dev,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.9.0-dev,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.9.0-dev,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.9.0-dev,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.9.0-dev,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.9.0-dev,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.9.0-dev,true,file,file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 
-8.9.0-dev,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.9.0-dev,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.9.0-dev,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. -8.9.0-dev,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.9.0-dev,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.9.0-dev,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.9.0-dev,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.9.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.9.0-dev,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.9.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.9.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. -8.9.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. -8.9.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. -8.9.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. -8.9.0-dev,true,file,file.hash.sha384,keyword,extended,,,SHA384 hash. -8.9.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. -8.9.0-dev,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.9.0-dev,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. -8.9.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.9.0-dev,true,file,file.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -8.9.0-dev,true,file,file.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. 
-8.9.0-dev,true,file,file.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.9.0-dev,true,file,file.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.9.0-dev,true,file,file.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.9.0-dev,true,file,file.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -8.9.0-dev,true,file,file.macho.imports,flattened,extended,array,,List of imported element names and types. -8.9.0-dev,true,file,file.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev,true,file,file.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev,true,file,file.macho.sections,nested,extended,array,,Section information of the Mach-O file. -8.9.0-dev,true,file,file.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.9.0-dev,true,file,file.macho.sections.name,keyword,extended,,,Mach-O Section List name. -8.9.0-dev,true,file,file.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -8.9.0-dev,true,file,file.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.9.0-dev,true,file,file.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -8.9.0-dev,true,file,file.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -8.9.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.9.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. 
-8.9.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified. -8.9.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.9.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username. -8.9.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.9.0-dev,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.9.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.9.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.9.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.9.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.9.0-dev,true,file,file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.9.0-dev,true,file,file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.9.0-dev,true,file,file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.9.0-dev,true,file,file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.9.0-dev,true,file,file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.9.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.9.0-dev,true,file,file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. 
-8.9.0-dev,true,file,file.pe.imports,flattened,extended,array,,List of imported element names and types. -8.9.0-dev,true,file,file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev,true,file,file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.9.0-dev,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.9.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.9.0-dev,true,file,file.pe.sections,nested,extended,array,,Section information of the PE file. -8.9.0-dev,true,file,file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.9.0-dev,true,file,file.pe.sections.name,keyword,extended,,,PE Section List name. -8.9.0-dev,true,file,file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.9.0-dev,true,file,file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.9.0-dev,true,file,file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.9.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. -8.9.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks. -8.9.0-dev,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.9.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -8.9.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. 
-8.9.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.9.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.9.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.9.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.9.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.9.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.9.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.9.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.9.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.9.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.9.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.9.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.9.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.9.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. 
-8.9.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.9.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.9.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.9.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.9.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.9.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.9.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.9.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.9.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.9.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.9.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.9.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev,true,group,group.name,keyword,extended,,,Name of the group. -8.9.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. -8.9.0-dev,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id -8.9.0-dev,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." 
-8.9.0-dev,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -8.9.0-dev,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -8.9.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. -8.9.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name. -8.9.0-dev,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. -8.9.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. -8.9.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.9.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name. -8.9.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.9.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.9.0-dev,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. -8.9.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.9.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. -8.9.0-dev,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.9.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host. -8.9.0-dev,true,host,host.id,keyword,core,,,Unique host id. -8.9.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. -8.9.0-dev,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. -8.9.0-dev,true,host,host.name,keyword,core,,,Name of the host. -8.9.0-dev,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. -8.9.0-dev,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. 
-8.9.0-dev,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -8.9.0-dev,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. -8.9.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.9.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.9.0-dev,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.9.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -8.9.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.9.0-dev,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.9.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.9.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -8.9.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.9.0-dev,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode -8.9.0-dev,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.9.0-dev,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.9.0-dev,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 
-8.9.0-dev,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.9.0-dev,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.9.0-dev,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -8.9.0-dev,true,host,host.type,keyword,core,,,Type of host. -8.9.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. -8.9.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. -8.9.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. -8.9.0-dev,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body. -8.9.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). -8.9.0-dev,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. -8.9.0-dev,true,http,http.request.method,keyword,extended,,POST,HTTP request method. -8.9.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. -8.9.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. -8.9.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. -8.9.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. -8.9.0-dev,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body. -8.9.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). 
-8.9.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. -8.9.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code. -8.9.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version. -8.9.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. -8.9.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event. -8.9.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. -8.9.0-dev,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event. -8.9.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. -8.9.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. -8.9.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata -8.9.0-dev,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. -8.9.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. -8.9.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. -8.9.0-dev,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. -8.9.0-dev,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. -8.9.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. -8.9.0-dev,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. -8.9.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. -8.9.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. 
-8.9.0-dev,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages. -8.9.0-dev,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. -8.9.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name. -8.9.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. -8.9.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. -8.9.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. -8.9.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. -8.9.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. -8.9.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information -8.9.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.9.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.9.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. -8.9.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions. -8.9.0-dev,true,network,network.protocol,keyword,core,,http,Application protocol name. -8.9.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. -8.9.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" -8.9.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.9.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. 
-8.9.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information -8.9.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias -8.9.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID -8.9.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name -8.9.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.9.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.9.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone -8.9.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. -8.9.0-dev,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. -8.9.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. -8.9.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.9.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. -8.9.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.9.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.9.0-dev,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. -8.9.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.9.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. -8.9.0-dev,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.9.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. 
-8.9.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information -8.9.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias -8.9.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID -8.9.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name -8.9.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.9.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.9.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone -8.9.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. -8.9.0-dev,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. -8.9.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. -8.9.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.9.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.9.0-dev,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.9.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -8.9.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.9.0-dev,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.9.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." 
-8.9.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -8.9.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.9.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. -8.9.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. -8.9.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. -8.9.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. -8.9.0-dev,true,observer,observer.version,keyword,core,,,Observer version. -8.9.0-dev,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action -8.9.0-dev,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster. -8.9.0-dev,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster. -8.9.0-dev,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster. -8.9.0-dev,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. -8.9.0-dev,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. -8.9.0-dev,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). -8.9.0-dev,true,orchestrator,orchestrator.resource.annotation,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of annotations added to the resource. -8.9.0-dev,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. 
-8.9.0-dev,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. -8.9.0-dev,true,orchestrator,orchestrator.resource.label,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of labels added to the resource. -8.9.0-dev,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. -8.9.0-dev,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. -8.9.0-dev,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. -8.9.0-dev,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)." -8.9.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. -8.9.0-dev,true,organization,organization.name,keyword,extended,,,Organization name. -8.9.0-dev,true,organization,organization.name.text,match_only_text,extended,,,Organization name. -8.9.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. -8.9.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information -8.9.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. -8.9.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. -8.9.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." -8.9.0-dev,true,package,package.installed,date,extended,,,Time when package was installed. 
-8.9.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license -8.9.0-dev,true,package,package.name,keyword,extended,,go,Package name -8.9.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. -8.9.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL -8.9.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes. -8.9.0-dev,true,package,package.type,keyword,extended,,rpm,Package type -8.9.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version -8.9.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.9.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. -8.9.0-dev,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.9.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.9.0-dev,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.9.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.9.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.9.0-dev,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.9.0-dev,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.9.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 
-8.9.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.9.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.9.0-dev,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.9.0-dev,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.9.0-dev,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.9.0-dev,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.9.0-dev,true,process,process.elf.creation_date,date,extended,,,Build or compile date. -8.9.0-dev,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. -8.9.0-dev,true,process,process.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.9.0-dev,true,process,process.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.9.0-dev,true,process,process.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.9.0-dev,true,process,process.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.9.0-dev,true,process,process.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.9.0-dev,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.9.0-dev,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.9.0-dev,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. 
-8.9.0-dev,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.9.0-dev,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.9.0-dev,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.9.0-dev,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.9.0-dev,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. -8.9.0-dev,true,process,process.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.9.0-dev,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. -8.9.0-dev,true,process,process.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev,true,process,process.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. -8.9.0-dev,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.9.0-dev,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.9.0-dev,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.9.0-dev,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. -8.9.0-dev,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.9.0-dev,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.9.0-dev,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. 
-8.9.0-dev,true,process,process.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.9.0-dev,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.9.0-dev,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.9.0-dev,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. -8.9.0-dev,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.9.0-dev,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. -8.9.0-dev,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.9.0-dev,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.9.0-dev,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -8.9.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.9.0-dev,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.9.0-dev,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. -8.9.0-dev,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group. -8.9.0-dev,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,process,process.entry_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
-8.9.0-dev,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.9.0-dev,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.9.0-dev,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.9.0-dev,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. -8.9.0-dev,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. -8.9.0-dev,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.9.0-dev,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.9.0-dev,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. -8.9.0-dev,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.9.0-dev,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. -8.9.0-dev,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. -8.9.0-dev,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.9.0-dev,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. -8.9.0-dev,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.9.0-dev,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. 
-8.9.0-dev,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.9.0-dev,true,process,process.entry_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. -8.9.0-dev,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.9.0-dev,true,process,process.entry_leader.parent.vpid,long,core,,4242,Virtual process id. -8.9.0-dev,true,process,process.entry_leader.pid,long,core,,4242,Process id. -8.9.0-dev,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. -8.9.0-dev,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -8.9.0-dev,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. -8.9.0-dev,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
-8.9.0-dev,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.9.0-dev,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.9.0-dev,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. -8.9.0-dev,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.9.0-dev,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.9.0-dev,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,process,process.entry_leader.vpid,long,core,,4242,Virtual process id. -8.9.0-dev,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.9.0-dev,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.9.0-dev,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. -8.9.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.9.0-dev,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.9.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. 
-8.9.0-dev,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.9.0-dev,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. -8.9.0-dev,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.9.0-dev,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.9.0-dev,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.9.0-dev,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.9.0-dev,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.9.0-dev,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. -8.9.0-dev,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.9.0-dev,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. -8.9.0-dev,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. -8.9.0-dev,true,process,process.group_leader.pid,long,core,,4242,Process id. -8.9.0-dev,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. -8.9.0-dev,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
-8.9.0-dev,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -8.9.0-dev,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. -8.9.0-dev,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.9.0-dev,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.9.0-dev,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. -8.9.0-dev,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.9.0-dev,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.9.0-dev,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
-8.9.0-dev,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,process,process.group_leader.vpid,long,core,,4242,Virtual process id. -8.9.0-dev,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.9.0-dev,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.9.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. -8.9.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. -8.9.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. -8.9.0-dev,true,process,process.hash.sha384,keyword,extended,,,SHA384 hash. -8.9.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. -8.9.0-dev,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.9.0-dev,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. -8.9.0-dev,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.9.0-dev,true,process,process.io,object,extended,,,A chunk of input or output (IO) from a single process. -8.9.0-dev,true,process,process.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. -8.9.0-dev,true,process,process.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. -8.9.0-dev,true,process,process.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. -8.9.0-dev,true,process,process.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." 
-8.9.0-dev,true,process,process.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. -8.9.0-dev,true,process,process.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. -8.9.0-dev,true,process,process.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. -8.9.0-dev,true,process,process.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. -8.9.0-dev,true,process,process.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -8.9.0-dev,true,process,process.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.9.0-dev,true,process,process.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.9.0-dev,true,process,process.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.9.0-dev,true,process,process.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.9.0-dev,true,process,process.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -8.9.0-dev,true,process,process.macho.imports,flattened,extended,array,,List of imported element names and types. -8.9.0-dev,true,process,process.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev,true,process,process.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev,true,process,process.macho.sections,nested,extended,array,,Section information of the Mach-O file. 
-8.9.0-dev,true,process,process.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.9.0-dev,true,process,process.macho.sections.name,keyword,extended,,,Mach-O Section List name. -8.9.0-dev,true,process,process.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -8.9.0-dev,true,process,process.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.9.0-dev,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -8.9.0-dev,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -8.9.0-dev,true,process,process.name,keyword,extended,,ssh,Process name. -8.9.0-dev,true,process,process.name.text,match_only_text,extended,,ssh,Process name. -8.9.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.9.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. -8.9.0-dev,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.9.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.9.0-dev,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.9.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.9.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.9.0-dev,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 
-8.9.0-dev,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.9.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.9.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.9.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.9.0-dev,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.9.0-dev,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.9.0-dev,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.9.0-dev,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.9.0-dev,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. -8.9.0-dev,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. -8.9.0-dev,true,process,process.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.9.0-dev,true,process,process.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.9.0-dev,true,process,process.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.9.0-dev,true,process,process.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 
-8.9.0-dev,true,process,process.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.9.0-dev,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.9.0-dev,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.9.0-dev,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.9.0-dev,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.9.0-dev,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.9.0-dev,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.9.0-dev,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.9.0-dev,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. -8.9.0-dev,true,process,process.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.9.0-dev,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. -8.9.0-dev,true,process,process.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev,true,process,process.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. -8.9.0-dev,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. 
-8.9.0-dev,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.9.0-dev,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.9.0-dev,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. -8.9.0-dev,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.9.0-dev,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.9.0-dev,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. -8.9.0-dev,true,process,process.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.9.0-dev,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.9.0-dev,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.9.0-dev,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. -8.9.0-dev,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.9.0-dev,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. -8.9.0-dev,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.9.0-dev,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.9.0-dev,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -8.9.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.9.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 
-8.9.0-dev,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.9.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. -8.9.0-dev,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev,true,process,process.parent.group.name,keyword,extended,,,Name of the group. -8.9.0-dev,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.9.0-dev,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. -8.9.0-dev,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.9.0-dev,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id. -8.9.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. -8.9.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. -8.9.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. -8.9.0-dev,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash. -8.9.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. -8.9.0-dev,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.9.0-dev,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. -8.9.0-dev,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.9.0-dev,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -8.9.0-dev,true,process,process.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. 
-8.9.0-dev,true,process,process.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.9.0-dev,true,process,process.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.9.0-dev,true,process,process.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.9.0-dev,true,process,process.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -8.9.0-dev,true,process,process.parent.macho.imports,flattened,extended,array,,List of imported element names and types. -8.9.0-dev,true,process,process.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev,true,process,process.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev,true,process,process.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file. -8.9.0-dev,true,process,process.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.9.0-dev,true,process,process.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name. -8.9.0-dev,true,process,process.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -8.9.0-dev,true,process,process.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.9.0-dev,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -8.9.0-dev,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. 
-8.9.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name. -8.9.0-dev,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. -8.9.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.9.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.9.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.9.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.9.0-dev,true,process,process.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.9.0-dev,true,process,process.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.9.0-dev,true,process,process.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.9.0-dev,true,process,process.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.9.0-dev,true,process,process.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.9.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.9.0-dev,true,process,process.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.9.0-dev,true,process,process.parent.pe.imports,flattened,extended,array,,List of imported element names and types. -8.9.0-dev,true,process,process.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
-8.9.0-dev,true,process,process.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.9.0-dev,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.9.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.9.0-dev,true,process,process.parent.pe.sections,nested,extended,array,,Section information of the PE file. -8.9.0-dev,true,process,process.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.9.0-dev,true,process,process.parent.pe.sections.name,keyword,extended,,,PE Section List name. -8.9.0-dev,true,process,process.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.9.0-dev,true,process,process.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.9.0-dev,true,process,process.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.9.0-dev,true,process,process.parent.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. -8.9.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. -8.9.0-dev,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. -8.9.0-dev,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
-8.9.0-dev,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group. -8.9.0-dev,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.9.0-dev,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. -8.9.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. -8.9.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. -8.9.0-dev,true,process,process.parent.title,keyword,extended,,,Process title. -8.9.0-dev,true,process,process.parent.title.text,match_only_text,extended,,,Process title. -8.9.0-dev,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. -8.9.0-dev,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.9.0-dev,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.9.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. 
-8.9.0-dev,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,process,process.parent.vpid,long,core,,4242,Virtual process id. -8.9.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.9.0-dev,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.9.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.9.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.9.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.9.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.9.0-dev,true,process,process.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.9.0-dev,true,process,process.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.9.0-dev,true,process,process.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.9.0-dev,true,process,process.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.9.0-dev,true,process,process.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
-8.9.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.9.0-dev,true,process,process.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.9.0-dev,true,process,process.pe.imports,flattened,extended,array,,List of imported element names and types. -8.9.0-dev,true,process,process.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev,true,process,process.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.9.0-dev,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.9.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.9.0-dev,true,process,process.pe.sections,nested,extended,array,,Section information of the PE file. -8.9.0-dev,true,process,process.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.9.0-dev,true,process,process.pe.sections.name,keyword,extended,,,PE Section List name. -8.9.0-dev,true,process,process.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.9.0-dev,true,process,process.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.9.0-dev,true,process,process.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.9.0-dev,true,process,process.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. 
-8.9.0-dev,true,process,process.pid,long,core,,4242,Process id. -8.9.0-dev,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.9.0-dev,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. -8.9.0-dev,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.9.0-dev,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.9.0-dev,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev,true,process,process.real_group.name,keyword,extended,,,Name of the group. -8.9.0-dev,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev,true,process,process.saved_group.name,keyword,extended,,,Name of the group. -8.9.0-dev,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.9.0-dev,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array. 
-8.9.0-dev,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.9.0-dev,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.9.0-dev,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.9.0-dev,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.9.0-dev,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.9.0-dev,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. -8.9.0-dev,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.9.0-dev,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. -8.9.0-dev,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. -8.9.0-dev,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.9.0-dev,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. -8.9.0-dev,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.9.0-dev,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. -8.9.0-dev,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.9.0-dev,true,process,process.session_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. 
-8.9.0-dev,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.9.0-dev,true,process,process.session_leader.parent.vpid,long,core,,4242,Virtual process id. -8.9.0-dev,true,process,process.session_leader.pid,long,core,,4242,Process id. -8.9.0-dev,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. -8.9.0-dev,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -8.9.0-dev,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group. -8.9.0-dev,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 
-8.9.0-dev,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.9.0-dev,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. -8.9.0-dev,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.9.0-dev,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.9.0-dev,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,process,process.session_leader.vpid,long,core,,4242,Virtual process id. -8.9.0-dev,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.9.0-dev,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.9.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.9.0-dev,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. -8.9.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. -8.9.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. -8.9.0-dev,true,process,process.title,keyword,extended,,,Process title. 
-8.9.0-dev,true,process,process.title.text,match_only_text,extended,,,Process title. -8.9.0-dev,true,process,process.tty,object,extended,,,Information about the controlling TTY device. -8.9.0-dev,true,process,process.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.9.0-dev,true,process,process.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.9.0-dev,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width -8.9.0-dev,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height -8.9.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. -8.9.0-dev,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,process,process.vpid,long,core,,4242,Virtual process id. -8.9.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.9.0-dev,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.9.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.9.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -8.9.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.9.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. 
-8.9.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -8.9.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.9.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. -8.9.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. -8.9.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. -8.9.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. -8.9.0-dev,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. -8.9.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author -8.9.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category -8.9.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description -8.9.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID -8.9.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license -8.9.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name -8.9.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL -8.9.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset -8.9.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID -8.9.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version -8.9.0-dev,true,server,server.address,keyword,extended,,,Server network address. -8.9.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. 
-8.9.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.9.0-dev,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.9.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. -8.9.0-dev,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server. -8.9.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name. -8.9.0-dev,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. -8.9.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. -8.9.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.9.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name. -8.9.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.9.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.9.0-dev,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. -8.9.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.9.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. -8.9.0-dev,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.9.0-dev,true,server,server.ip,ip,core,,,IP address of the server. -8.9.0-dev,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. -8.9.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip -8.9.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port -8.9.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. -8.9.0-dev,true,server,server.port,long,core,,,Port of the server. 
-8.9.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." -8.9.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. -8.9.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.9.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.9.0-dev,true,server,server.user.email,keyword,extended,,,User email address. -8.9.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.9.0-dev,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.9.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.9.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group. -8.9.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.9.0-dev,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.9.0-dev,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.9.0-dev,true,service,service.environment,keyword,extended,,production,Environment of the service. 
-8.9.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.9.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.9.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. -8.9.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.9.0-dev,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.9.0-dev,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -8.9.0-dev,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.9.0-dev,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. -8.9.0-dev,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.9.0-dev,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.9.0-dev,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. -8.9.0-dev,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.9.0-dev,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.9.0-dev,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -8.9.0-dev,true,service,service.origin.state,keyword,core,,,Current state of the service. -8.9.0-dev,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. -8.9.0-dev,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. 
-8.9.0-dev,true,service,service.state,keyword,core,,,Current state of the service. -8.9.0-dev,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.9.0-dev,true,service,service.target.environment,keyword,extended,,production,Environment of the service. -8.9.0-dev,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.9.0-dev,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.9.0-dev,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. -8.9.0-dev,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.9.0-dev,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.9.0-dev,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -8.9.0-dev,true,service,service.target.state,keyword,core,,,Current state of the service. -8.9.0-dev,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. -8.9.0-dev,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. -8.9.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service. -8.9.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service. -8.9.0-dev,true,source,source.address,keyword,extended,,,Source network address. -8.9.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.9.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.9.0-dev,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.9.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. 
-8.9.0-dev,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source. -8.9.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name. -8.9.0-dev,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. -8.9.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. -8.9.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.9.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name. -8.9.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.9.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.9.0-dev,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. -8.9.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.9.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. -8.9.0-dev,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.9.0-dev,true,source,source.ip,ip,core,,,IP address of the source. -8.9.0-dev,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. -8.9.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip -8.9.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port -8.9.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. -8.9.0-dev,true,source,source.port,long,core,,,Port of the source. -8.9.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -8.9.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. -8.9.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 
-8.9.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.9.0-dev,true,source,source.user.email,keyword,extended,,,User email address. -8.9.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.9.0-dev,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.9.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.9.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group. -8.9.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.9.0-dev,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.9.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. -8.9.0-dev,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. -8.9.0-dev,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. -8.9.0-dev,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.9.0-dev,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. 
-8.9.0-dev,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.9.0-dev,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating -8.9.0-dev,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -8.9.0-dev,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address -8.9.0-dev,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.9.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 
-8.9.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. 
-8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. 
-8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. 
-8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.9.0-dev,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. 
-8.9.0-dev,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.9.0-dev,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.9.0-dev,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.9.0-dev,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. 
-8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. 
-8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -8.9.0-dev,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
-8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.9.0-dev,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. 
-8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.9.0-dev,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.9.0-dev,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. 
-8.9.0-dev,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. -8.9.0-dev,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. -8.9.0-dev,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. -8.9.0-dev,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.9.0-dev,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. -8.9.0-dev,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.9.0-dev,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.9.0-dev,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. -8.9.0-dev,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.9.0-dev,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. -8.9.0-dev,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.9.0-dev,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address -8.9.0-dev,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. -8.9.0-dev,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking -8.9.0-dev,true,threat,threat.enrichments.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version -8.9.0-dev,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. 
-8.9.0-dev,true,threat,threat.enrichments.indicator.name,keyword,extended,,5.2.75.227,Indicator display name -8.9.0-dev,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port -8.9.0-dev,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider -8.9.0-dev,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL -8.9.0-dev,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.9.0-dev,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -8.9.0-dev,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.9.0-dev,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.9.0-dev,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -8.9.0-dev,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.9.0-dev,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. 
-8.9.0-dev,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics -8.9.0-dev,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed -8.9.0-dev,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator -8.9.0-dev,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.9.0-dev,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -8.9.0-dev,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.9.0-dev,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.9.0-dev,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.9.0-dev,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.9.0-dev,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.9.0-dev,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. -8.9.0-dev,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.9.0-dev,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." -8.9.0-dev,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. 
-8.9.0-dev,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.9.0-dev,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. -8.9.0-dev,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.9.0-dev,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.9.0-dev,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. -8.9.0-dev,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.9.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.9.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.9.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.9.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.9.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.9.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-8.9.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.9.0-dev,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.9.0-dev,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.9.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.9.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.9.0-dev,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.9.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.9.0-dev,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.9.0-dev,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.9.0-dev,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.9.0-dev,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.9.0-dev,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-8.9.0-dev,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.9.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.9.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.9.0-dev,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.9.0-dev,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. -8.9.0-dev,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value -8.9.0-dev,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field -8.9.0-dev,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier -8.9.0-dev,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index -8.9.0-dev,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05T17:00:58.326Z,Date of match -8.9.0-dev,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match -8.9.0-dev,true,threat,threat.feed.dashboard_id,keyword,extended,,5ba16340-72e6-11eb-a3e3-b3cc7c78a70f,Feed dashboard ID. -8.9.0-dev,true,threat,threat.feed.description,keyword,extended,,Threat feed from the AlienVault Open Threat eXchange network.,Description of the threat feed. -8.9.0-dev,true,threat,threat.feed.name,keyword,extended,,AlienVault OTX,Name of the threat feed. -8.9.0-dev,true,threat,threat.feed.reference,keyword,extended,,https://otx.alienvault.com,Reference for the threat feed. 
-8.9.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. -8.9.0-dev,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. -8.9.0-dev,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. -8.9.0-dev,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. -8.9.0-dev,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. -8.9.0-dev,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.9.0-dev,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.9.0-dev,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.9.0-dev,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating -8.9.0-dev,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -8.9.0-dev,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address -8.9.0-dev,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. -8.9.0-dev,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.9.0-dev,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.9.0-dev,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.9.0-dev,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 
-8.9.0-dev,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.9.0-dev,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.9.0-dev,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.9.0-dev,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.9.0-dev,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.9.0-dev,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.9.0-dev,true,threat,threat.indicator.file.created,date,extended,,,File creation time. -8.9.0-dev,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.9.0-dev,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. -8.9.0-dev,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.9.0-dev,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.9.0-dev,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.9.0-dev,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.9.0-dev,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.9.0-dev,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. 
-8.9.0-dev,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.9.0-dev,true,threat,threat.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.9.0-dev,true,threat,threat.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.9.0-dev,true,threat,threat.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.9.0-dev,true,threat,threat.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.9.0-dev,true,threat,threat.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.9.0-dev,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.9.0-dev,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.9.0-dev,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.9.0-dev,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.9.0-dev,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.9.0-dev,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.9.0-dev,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.9.0-dev,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.9.0-dev,true,threat,threat.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. 
-8.9.0-dev,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. -8.9.0-dev,true,threat,threat.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev,true,threat,threat.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. -8.9.0-dev,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.9.0-dev,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.9.0-dev,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.9.0-dev,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.9.0-dev,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.9.0-dev,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.9.0-dev,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.9.0-dev,true,threat,threat.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.9.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.9.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.9.0-dev,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. 
-8.9.0-dev,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.9.0-dev,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.9.0-dev,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.9.0-dev,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.9.0-dev,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.9.0-dev,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.9.0-dev,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.9.0-dev,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. -8.9.0-dev,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. -8.9.0-dev,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.9.0-dev,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.9.0-dev,true,threat,threat.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.9.0-dev,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. -8.9.0-dev,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.9.0-dev,true,threat,threat.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.9.0-dev,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.9.0-dev,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.9.0-dev,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. 
-8.9.0-dev,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. -8.9.0-dev,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.9.0-dev,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. -8.9.0-dev,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.9.0-dev,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.9.0-dev,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.9.0-dev,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.9.0-dev,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.9.0-dev,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.9.0-dev,true,threat,threat.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.9.0-dev,true,threat,threat.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.9.0-dev,true,threat,threat.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.9.0-dev,true,threat,threat.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.9.0-dev,true,threat,threat.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
-8.9.0-dev,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.9.0-dev,true,threat,threat.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.9.0-dev,true,threat,threat.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. -8.9.0-dev,true,threat,threat.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev,true,threat,threat.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.9.0-dev,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.9.0-dev,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.9.0-dev,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.9.0-dev,true,threat,threat.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. -8.9.0-dev,true,threat,threat.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.9.0-dev,true,threat,threat.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. -8.9.0-dev,true,threat,threat.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.9.0-dev,true,threat,threat.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.9.0-dev,true,threat,threat.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. 
This is always the same as `physical_size`. -8.9.0-dev,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. -8.9.0-dev,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. -8.9.0-dev,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.9.0-dev,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -8.9.0-dev,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.9.0-dev,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.9.0-dev,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.9.0-dev,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.9.0-dev,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.9.0-dev,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.9.0-dev,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.9.0-dev,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-8.9.0-dev,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.9.0-dev,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.9.0-dev,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.9.0-dev,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.9.0-dev,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.9.0-dev,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.9.0-dev,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.9.0-dev,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.9.0-dev,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.9.0-dev,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.9.0-dev,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.9.0-dev,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-8.9.0-dev,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.9.0-dev,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.9.0-dev,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.9.0-dev,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.9.0-dev,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.9.0-dev,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. -8.9.0-dev,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. -8.9.0-dev,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. -8.9.0-dev,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. -8.9.0-dev,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.9.0-dev,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. -8.9.0-dev,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.9.0-dev,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.9.0-dev,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. -8.9.0-dev,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.9.0-dev,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. -8.9.0-dev,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 
-8.9.0-dev,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address -8.9.0-dev,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. -8.9.0-dev,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking -8.9.0-dev,true,threat,threat.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version -8.9.0-dev,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. -8.9.0-dev,true,threat,threat.indicator.name,keyword,extended,,5.2.75.227,Indicator display name -8.9.0-dev,true,threat,threat.indicator.port,long,extended,,443,Indicator port -8.9.0-dev,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider -8.9.0-dev,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL -8.9.0-dev,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.9.0-dev,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -8.9.0-dev,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.9.0-dev,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.9.0-dev,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. 
-8.9.0-dev,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.9.0-dev,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. -8.9.0-dev,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics -8.9.0-dev,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed -8.9.0-dev,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator -8.9.0-dev,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.9.0-dev,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -8.9.0-dev,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.9.0-dev,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.9.0-dev,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.9.0-dev,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.9.0-dev,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.9.0-dev,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. -8.9.0-dev,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.9.0-dev,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." 
-8.9.0-dev,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. -8.9.0-dev,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.9.0-dev,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. -8.9.0-dev,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.9.0-dev,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.9.0-dev,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. -8.9.0-dev,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.9.0-dev,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.9.0-dev,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.9.0-dev,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.9.0-dev,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.9.0-dev,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.9.0-dev,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-8.9.0-dev,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.9.0-dev,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.9.0-dev,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.9.0-dev,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.9.0-dev,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.9.0-dev,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.9.0-dev,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.9.0-dev,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.9.0-dev,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.9.0-dev,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.9.0-dev,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.9.0-dev,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-8.9.0-dev,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.9.0-dev,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.9.0-dev,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.9.0-dev,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.9.0-dev,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. -8.9.0-dev,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software -8.9.0-dev,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software -8.9.0-dev,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. -8.9.0-dev,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. -8.9.0-dev,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. -8.9.0-dev,true,threat,threat.software.type,keyword,extended,,Tool,Software type. -8.9.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. -8.9.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. -8.9.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. -8.9.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. -8.9.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. -8.9.0-dev,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name. 
-8.9.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. -8.9.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. -8.9.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. -8.9.0-dev,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name. -8.9.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. -8.9.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. -8.9.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. -8.9.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. -8.9.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. -8.9.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. -8.9.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. -8.9.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. 
-8.9.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. -8.9.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. -8.9.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. -8.9.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. -8.9.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. -8.9.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. -8.9.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.9.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.9.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.9.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.9.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.9.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. 
-8.9.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.9.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.9.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.9.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.9.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.9.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.9.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.9.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.9.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.9.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.9.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.9.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.9.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-8.9.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.9.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.9.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.9.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.9.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. -8.9.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." -8.9.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. -8.9.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. -8.9.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -8.9.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. -8.9.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. -8.9.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. -8.9.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. 
-8.9.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. -8.9.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. -8.9.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. -8.9.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. -8.9.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. -8.9.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. -8.9.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.9.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.9.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.9.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.9.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.9.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. 
-8.9.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.9.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.9.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.9.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.9.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.9.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.9.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.9.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.9.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.9.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.9.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.9.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.9.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-8.9.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.9.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.9.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.9.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.9.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. -8.9.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. -8.9.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. -8.9.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. -8.9.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. -8.9.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.9.0-dev,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -8.9.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.9.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.9.0-dev,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.9.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. 
-8.9.0-dev,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.9.0-dev,true,url,url.password,keyword,extended,,,Password of the request. -8.9.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.9.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443." -8.9.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. -8.9.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.9.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. -8.9.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.9.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.9.0-dev,true,url,url.username,keyword,extended,,,Username of the request. -8.9.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. -8.9.0-dev,true,user,user.changes.email,keyword,extended,,,User email address. -8.9.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.9.0-dev,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.9.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.9.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group. -8.9.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
-8.9.0-dev,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.9.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.9.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. -8.9.0-dev,true,user,user.effective.email,keyword,extended,,,User email address. -8.9.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.9.0-dev,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.9.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.9.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group. -8.9.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.9.0-dev,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 
-8.9.0-dev,true,user,user.email,keyword,extended,,,User email address. -8.9.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.9.0-dev,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.9.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.9.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group. -8.9.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.9.0-dev,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.9.0-dev,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.9.0-dev,true,user,user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.9.0-dev,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.9.0-dev,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." 
-8.9.0-dev,true,user,user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -8.9.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.9.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. -8.9.0-dev,true,user,user.target.email,keyword,extended,,,User email address. -8.9.0-dev,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.9.0-dev,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.9.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.9.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.9.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group. -8.9.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.9.0-dev,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.9.0-dev,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.9.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.9.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. -8.9.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. 
-8.9.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -8.9.0-dev,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -8.9.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.9.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.9.0-dev,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.9.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -8.9.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.9.0-dev,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.9.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.9.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -8.9.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.9.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. -8.9.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. 
-8.9.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. -8.9.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -8.9.0-dev,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -8.9.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. -8.9.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. -8.9.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. -8.9.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. -8.9.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. -8.9.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. -8.9.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. -8.9.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. -8.9.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. -8.9.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. +8.10.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. +8.10.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. +8.10.0-dev,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer. 
+8.10.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. +8.10.0-dev,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. +8.10.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. +8.10.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. +8.10.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. +8.10.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. +8.10.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. +8.10.0-dev,true,client,client.address,keyword,extended,,,Client network address. +8.10.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.10.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.10.0-dev,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.10.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. +8.10.0-dev,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client. +8.10.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name. +8.10.0-dev,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. +8.10.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. +8.10.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.10.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name. +8.10.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
+8.10.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.10.0-dev,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. +8.10.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.10.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. +8.10.0-dev,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.10.0-dev,true,client,client.ip,ip,core,,,IP address of the client. +8.10.0-dev,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. +8.10.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address +8.10.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port +8.10.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. +8.10.0-dev,true,client,client.port,long,core,,,Port of the client. +8.10.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." +8.10.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. +8.10.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.10.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.10.0-dev,true,client,client.user.email,keyword,extended,,,User email address. +8.10.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.10.0-dev,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.10.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.10.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+8.10.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group. +8.10.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.10.0-dev,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.10.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. +8.10.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. +8.10.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +8.10.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +8.10.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. +8.10.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +8.10.0-dev,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. +8.10.0-dev,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. +8.10.0-dev,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +8.10.0-dev,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +8.10.0-dev,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine. 
+8.10.0-dev,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +8.10.0-dev,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id. +8.10.0-dev,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name. +8.10.0-dev,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider. +8.10.0-dev,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +8.10.0-dev,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name. +8.10.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. +8.10.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. +8.10.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. +8.10.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +8.10.0-dev,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. +8.10.0-dev,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id. +8.10.0-dev,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name. +8.10.0-dev,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +8.10.0-dev,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +8.10.0-dev,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine. +8.10.0-dev,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +8.10.0-dev,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id. 
+8.10.0-dev,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name. +8.10.0-dev,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider. +8.10.0-dev,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +8.10.0-dev,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name. +8.10.0-dev,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +8.10.0-dev,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +8.10.0-dev,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +8.10.0-dev,true,container,container.id,keyword,core,,,Unique container id. +8.10.0-dev,true,container,container.image.hash.all,keyword,extended,array,[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26],An array of digests of the image the container was built on. +8.10.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. +8.10.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags. +8.10.0-dev,true,container,container.labels,object,extended,,,Image labels. +8.10.0-dev,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1." +8.10.0-dev,true,container,container.name,keyword,extended,,,Container name. +8.10.0-dev,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +8.10.0-dev,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +8.10.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. 
+8.10.0-dev,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. +8.10.0-dev,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. +8.10.0-dev,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. +8.10.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address. +8.10.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.10.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.10.0-dev,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.10.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. +8.10.0-dev,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination. +8.10.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. +8.10.0-dev,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. +8.10.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. +8.10.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.10.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. +8.10.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.10.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.10.0-dev,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. 
+8.10.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.10.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. +8.10.0-dev,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.10.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. +8.10.0-dev,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. +8.10.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip +8.10.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port +8.10.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. +8.10.0-dev,true,destination,destination.port,long,core,,,Port of the destination. +8.10.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." +8.10.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. +8.10.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.10.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.10.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address. +8.10.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.10.0-dev,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.10.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.10.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+8.10.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. +8.10.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.10.0-dev,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.10.0-dev,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. +8.10.0-dev,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. +8.10.0-dev,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. +8.10.0-dev,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. +8.10.0-dev,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.10.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.10.0-dev,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.10.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
+8.10.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.10.0-dev,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.10.0-dev,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.10.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.10.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.10.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. +8.10.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. +8.10.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. +8.10.0-dev,true,dll,dll.hash.sha384,keyword,extended,,,SHA384 hash. +8.10.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. +8.10.0-dev,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.10.0-dev,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. +8.10.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. +8.10.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. +8.10.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.10.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.10.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.10.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.10.0-dev,true,dll,dll.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. 
+8.10.0-dev,true,dll,dll.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.10.0-dev,true,dll,dll.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.10.0-dev,true,dll,dll.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.10.0-dev,true,dll,dll.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.10.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.10.0-dev,true,dll,dll.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.10.0-dev,true,dll,dll.pe.imports,flattened,extended,array,,List of imported element names and types. +8.10.0-dev,true,dll,dll.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev,true,dll,dll.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.10.0-dev,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.10.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.10.0-dev,true,dll,dll.pe.sections,nested,extended,array,,Section information of the PE file. +8.10.0-dev,true,dll,dll.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.10.0-dev,true,dll,dll.pe.sections.name,keyword,extended,,,PE Section List name. +8.10.0-dev,true,dll,dll.pe.sections.physical_size,long,extended,,,PE Section List physical size. 
+8.10.0-dev,true,dll,dll.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.10.0-dev,true,dll,dll.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.10.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. +8.10.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. +8.10.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. +8.10.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. +8.10.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. +8.10.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. +8.10.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. +8.10.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. +8.10.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. +8.10.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. +8.10.0-dev,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. +8.10.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." +8.10.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. +8.10.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 
+8.10.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. +8.10.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data +8.10.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. +8.10.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." +8.10.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. +8.10.0-dev,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. +8.10.0-dev,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. +8.10.0-dev,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. +8.10.0-dev,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. +8.10.0-dev,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. +8.10.0-dev,true,email,email.attachments.file.hash.sha384,keyword,extended,,,SHA384 hash. +8.10.0-dev,true,email,email.attachments.file.hash.sha512,keyword,extended,,,SHA512 hash. +8.10.0-dev,true,email,email.attachments.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.10.0-dev,true,email,email.attachments.file.hash.tlsh,keyword,extended,,,TLSH hash. +8.10.0-dev,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file. +8.10.0-dev,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file. +8.10.0-dev,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size. 
+8.10.0-dev,true,email,email.bcc.address,keyword,extended,array,bcc.user1@example.com,Email address of BCC recipient +8.10.0-dev,true,email,email.cc.address,keyword,extended,array,cc.user1@example.com,Email address of CC recipient +8.10.0-dev,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message. +8.10.0-dev,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered. +8.10.0-dev,true,email,email.direction,keyword,extended,,inbound,Direction of the message. +8.10.0-dev,true,email,email.from.address,keyword,extended,array,sender@example.com,The sender's email address. +8.10.0-dev,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source. +8.10.0-dev,true,email,email.message_id,wildcard,extended,,81ce15$8r2j59@mail01.example.com,Value from the Message-ID header. +8.10.0-dev,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed. +8.10.0-dev,true,email,email.reply_to.address,keyword,extended,array,reply.here@example.com,Address replies should be delivered to. +8.10.0-dev,true,email,email.sender.address,keyword,extended,,,Address of the message sender. +8.10.0-dev,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message. +8.10.0-dev,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. +8.10.0-dev,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient +8.10.0-dev,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. +8.10.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. +8.10.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. +8.10.0-dev,true,error,error.message,match_only_text,core,,,Error message. 
+8.10.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. +8.10.0-dev,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text. +8.10.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." +8.10.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. +8.10.0-dev,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. +8.10.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. +8.10.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event. +8.10.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. +8.10.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. +8.10.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. +8.10.0-dev,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. +8.10.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +8.10.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. +8.10.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. +8.10.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. +8.10.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. 
+8.10.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +8.10.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. +8.10.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. +8.10.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" +8.10.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL +8.10.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +8.10.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). +8.10.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event. +8.10.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event. +8.10.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. +8.10.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone. +8.10.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. +8.10.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL +8.10.0-dev,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function. +8.10.0-dev,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. 
+8.10.0-dev,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. +8.10.0-dev,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. +8.10.0-dev,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." +8.10.0-dev,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. +8.10.0-dev,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. +8.10.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. +8.10.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +8.10.0-dev,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.10.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.10.0-dev,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.10.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.10.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.10.0-dev,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.10.0-dev,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.10.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.10.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 
+8.10.0-dev,true,file,file.created,date,extended,,,File creation time. +8.10.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. +8.10.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. +8.10.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. +8.10.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +8.10.0-dev,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.10.0-dev,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.10.0-dev,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.10.0-dev,true,file,file.elf.creation_date,date,extended,,,Build or compile date. +8.10.0-dev,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. +8.10.0-dev,true,file,file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.10.0-dev,true,file,file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.10.0-dev,true,file,file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.10.0-dev,true,file,file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.10.0-dev,true,file,file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.10.0-dev,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.10.0-dev,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.10.0-dev,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. 
+8.10.0-dev,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.10.0-dev,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.10.0-dev,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.10.0-dev,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.10.0-dev,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. +8.10.0-dev,true,file,file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.10.0-dev,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. +8.10.0-dev,true,file,file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev,true,file,file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. +8.10.0-dev,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.10.0-dev,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.10.0-dev,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.10.0-dev,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. +8.10.0-dev,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.10.0-dev,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.10.0-dev,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.10.0-dev,true,file,file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 
+8.10.0-dev,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.10.0-dev,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.10.0-dev,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. +8.10.0-dev,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.10.0-dev,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. +8.10.0-dev,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.10.0-dev,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.10.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +8.10.0-dev,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +8.10.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +8.10.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. +8.10.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. +8.10.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. +8.10.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. +8.10.0-dev,true,file,file.hash.sha384,keyword,extended,,,SHA384 hash. +8.10.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. +8.10.0-dev,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.10.0-dev,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. +8.10.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +8.10.0-dev,true,file,file.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +8.10.0-dev,true,file,file.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. 
+8.10.0-dev,true,file,file.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.10.0-dev,true,file,file.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.10.0-dev,true,file,file.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.10.0-dev,true,file,file.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +8.10.0-dev,true,file,file.macho.imports,flattened,extended,array,,List of imported element names and types. +8.10.0-dev,true,file,file.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev,true,file,file.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev,true,file,file.macho.sections,nested,extended,array,,Section information of the Mach-O file. +8.10.0-dev,true,file,file.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.10.0-dev,true,file,file.macho.sections.name,keyword,extended,,,Mach-O Section List name. +8.10.0-dev,true,file,file.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +8.10.0-dev,true,file,file.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.10.0-dev,true,file,file.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +8.10.0-dev,true,file,file.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +8.10.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." 
+8.10.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. +8.10.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified. +8.10.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +8.10.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username. +8.10.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.10.0-dev,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.10.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.10.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.10.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.10.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.10.0-dev,true,file,file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +8.10.0-dev,true,file,file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.10.0-dev,true,file,file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.10.0-dev,true,file,file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.10.0-dev,true,file,file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.10.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. 
+8.10.0-dev,true,file,file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.10.0-dev,true,file,file.pe.imports,flattened,extended,array,,List of imported element names and types. +8.10.0-dev,true,file,file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev,true,file,file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.10.0-dev,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.10.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.10.0-dev,true,file,file.pe.sections,nested,extended,array,,Section information of the PE file. +8.10.0-dev,true,file,file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.10.0-dev,true,file,file.pe.sections.name,keyword,extended,,,PE Section List name. +8.10.0-dev,true,file,file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.10.0-dev,true,file,file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.10.0-dev,true,file,file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.10.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. +8.10.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks. +8.10.0-dev,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. 
+8.10.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +8.10.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +8.10.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.10.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.10.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.10.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.10.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.10.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.10.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.10.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.10.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.10.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.10.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.10.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. 
+8.10.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.10.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.10.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.10.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.10.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.10.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.10.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.10.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.10.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.10.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.10.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.10.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. +8.10.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.10.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev,true,group,group.name,keyword,extended,,,Name of the group. +8.10.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. 
+8.10.0-dev,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id +8.10.0-dev,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +8.10.0-dev,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +8.10.0-dev,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +8.10.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. +8.10.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name. +8.10.0-dev,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. +8.10.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. +8.10.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.10.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name. +8.10.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.10.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.10.0-dev,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. +8.10.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.10.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. +8.10.0-dev,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.10.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host. +8.10.0-dev,true,host,host.id,keyword,core,,,Unique host id. +8.10.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. +8.10.0-dev,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. +8.10.0-dev,true,host,host.name,keyword,core,,,Name of the host. 
+8.10.0-dev,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +8.10.0-dev,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. +8.10.0-dev,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +8.10.0-dev,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. +8.10.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +8.10.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.10.0-dev,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.10.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +8.10.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +8.10.0-dev,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +8.10.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +8.10.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +8.10.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +8.10.0-dev,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode +8.10.0-dev,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
+8.10.0-dev,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.10.0-dev,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.10.0-dev,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.10.0-dev,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.10.0-dev,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +8.10.0-dev,true,host,host.type,keyword,core,,,Type of host. +8.10.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. +8.10.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. +8.10.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. +8.10.0-dev,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body. +8.10.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). +8.10.0-dev,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. +8.10.0-dev,true,http,http.request.method,keyword,extended,,POST,HTTP request method. +8.10.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. +8.10.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. +8.10.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. 
+8.10.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. +8.10.0-dev,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body. +8.10.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). +8.10.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. +8.10.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code. +8.10.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version. +8.10.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. +8.10.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event. +8.10.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. +8.10.0-dev,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event. +8.10.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. +8.10.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. +8.10.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata +8.10.0-dev,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. +8.10.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. +8.10.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. +8.10.0-dev,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. +8.10.0-dev,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. 
+8.10.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. +8.10.0-dev,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. +8.10.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. +8.10.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. +8.10.0-dev,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages. +8.10.0-dev,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. +8.10.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name. +8.10.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. +8.10.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. +8.10.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. +8.10.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. +8.10.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. +8.10.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information +8.10.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.10.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.10.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. +8.10.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions. +8.10.0-dev,true,network,network.protocol,keyword,core,,http,Application protocol name. 
+8.10.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. +8.10.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" +8.10.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.10.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.10.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information +8.10.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias +8.10.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID +8.10.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name +8.10.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.10.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.10.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone +8.10.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. +8.10.0-dev,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. +8.10.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. +8.10.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.10.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. +8.10.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.10.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.10.0-dev,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. 
+8.10.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.10.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. +8.10.0-dev,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.10.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. +8.10.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information +8.10.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias +8.10.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID +8.10.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name +8.10.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.10.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.10.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone +8.10.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. +8.10.0-dev,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. +8.10.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. +8.10.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +8.10.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.10.0-dev,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.10.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. 
+8.10.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +8.10.0-dev,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +8.10.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +8.10.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +8.10.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +8.10.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. +8.10.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. +8.10.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. +8.10.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. +8.10.0-dev,true,observer,observer.version,keyword,core,,,Observer version. +8.10.0-dev,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action +8.10.0-dev,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster. +8.10.0-dev,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster. +8.10.0-dev,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster. +8.10.0-dev,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. +8.10.0-dev,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. +8.10.0-dev,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). 
+8.10.0-dev,true,orchestrator,orchestrator.resource.annotation,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of annotations added to the resource. +8.10.0-dev,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. +8.10.0-dev,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. +8.10.0-dev,true,orchestrator,orchestrator.resource.label,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of labels added to the resource. +8.10.0-dev,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. +8.10.0-dev,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. +8.10.0-dev,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. +8.10.0-dev,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)." +8.10.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. +8.10.0-dev,true,organization,organization.name,keyword,extended,,,Organization name. +8.10.0-dev,true,organization,organization.name.text,match_only_text,extended,,,Organization name. +8.10.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. +8.10.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information +8.10.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. 
+8.10.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. +8.10.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." +8.10.0-dev,true,package,package.installed,date,extended,,,Time when package was installed. +8.10.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license +8.10.0-dev,true,package,package.name,keyword,extended,,go,Package name +8.10.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. +8.10.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL +8.10.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes. +8.10.0-dev,true,package,package.type,keyword,extended,,rpm,Package type +8.10.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version +8.10.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.10.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. +8.10.0-dev,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.10.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.10.0-dev,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.10.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
+8.10.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.10.0-dev,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.10.0-dev,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.10.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.10.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.10.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.10.0-dev,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.10.0-dev,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.10.0-dev,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.10.0-dev,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.10.0-dev,true,process,process.elf.creation_date,date,extended,,,Build or compile date. +8.10.0-dev,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. +8.10.0-dev,true,process,process.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.10.0-dev,true,process,process.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.10.0-dev,true,process,process.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
+8.10.0-dev,true,process,process.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.10.0-dev,true,process,process.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.10.0-dev,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.10.0-dev,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.10.0-dev,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.10.0-dev,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.10.0-dev,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.10.0-dev,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.10.0-dev,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.10.0-dev,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. +8.10.0-dev,true,process,process.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.10.0-dev,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. +8.10.0-dev,true,process,process.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev,true,process,process.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. +8.10.0-dev,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. 
+8.10.0-dev,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.10.0-dev,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.10.0-dev,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. +8.10.0-dev,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.10.0-dev,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.10.0-dev,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. +8.10.0-dev,true,process,process.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.10.0-dev,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.10.0-dev,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.10.0-dev,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. +8.10.0-dev,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.10.0-dev,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. +8.10.0-dev,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.10.0-dev,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.10.0-dev,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +8.10.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.10.0-dev,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.10.0-dev,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. 
+8.10.0-dev,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group. +8.10.0-dev,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,process,process.entry_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.10.0-dev,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.10.0-dev,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.10.0-dev,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. +8.10.0-dev,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. +8.10.0-dev,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.10.0-dev,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.10.0-dev,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. +8.10.0-dev,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.10.0-dev,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. 
+8.10.0-dev,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. +8.10.0-dev,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.10.0-dev,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. +8.10.0-dev,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.10.0-dev,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. +8.10.0-dev,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.10.0-dev,true,process,process.entry_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. +8.10.0-dev,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.10.0-dev,true,process,process.entry_leader.parent.vpid,long,core,,4242,Virtual process id. +8.10.0-dev,true,process,process.entry_leader.pid,long,core,,4242,Process id. +8.10.0-dev,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. +8.10.0-dev,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. 
+8.10.0-dev,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. +8.10.0-dev,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.10.0-dev,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +8.10.0-dev,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. +8.10.0-dev,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.10.0-dev,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.10.0-dev,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,process,process.entry_leader.vpid,long,core,,4242,Virtual process id. +8.10.0-dev,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. 
+8.10.0-dev,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.10.0-dev,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. +8.10.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.10.0-dev,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.10.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. +8.10.0-dev,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.10.0-dev,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. +8.10.0-dev,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.10.0-dev,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.10.0-dev,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.10.0-dev,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.10.0-dev,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.10.0-dev,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. +8.10.0-dev,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. 
+8.10.0-dev,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. +8.10.0-dev,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. +8.10.0-dev,true,process,process.group_leader.pid,long,core,,4242,Process id. +8.10.0-dev,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. +8.10.0-dev,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +8.10.0-dev,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. +8.10.0-dev,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.10.0-dev,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+8.10.0-dev,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +8.10.0-dev,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. +8.10.0-dev,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.10.0-dev,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.10.0-dev,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,process,process.group_leader.vpid,long,core,,4242,Virtual process id. +8.10.0-dev,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.10.0-dev,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.10.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. +8.10.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. +8.10.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. +8.10.0-dev,true,process,process.hash.sha384,keyword,extended,,,SHA384 hash. +8.10.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. +8.10.0-dev,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.10.0-dev,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. +8.10.0-dev,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.10.0-dev,true,process,process.io,object,extended,,,A chunk of input or output (IO) from a single process. 
+8.10.0-dev,true,process,process.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. +8.10.0-dev,true,process,process.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. +8.10.0-dev,true,process,process.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. +8.10.0-dev,true,process,process.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." +8.10.0-dev,true,process,process.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. +8.10.0-dev,true,process,process.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. +8.10.0-dev,true,process,process.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. +8.10.0-dev,true,process,process.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. +8.10.0-dev,true,process,process.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +8.10.0-dev,true,process,process.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.10.0-dev,true,process,process.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.10.0-dev,true,process,process.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.10.0-dev,true,process,process.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
+8.10.0-dev,true,process,process.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +8.10.0-dev,true,process,process.macho.imports,flattened,extended,array,,List of imported element names and types. +8.10.0-dev,true,process,process.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev,true,process,process.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev,true,process,process.macho.sections,nested,extended,array,,Section information of the Mach-O file. +8.10.0-dev,true,process,process.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.10.0-dev,true,process,process.macho.sections.name,keyword,extended,,,Mach-O Section List name. +8.10.0-dev,true,process,process.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +8.10.0-dev,true,process,process.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.10.0-dev,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +8.10.0-dev,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +8.10.0-dev,true,process,process.name,keyword,extended,,ssh,Process name. +8.10.0-dev,true,process,process.name.text,match_only_text,extended,,ssh,Process name. +8.10.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.10.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. 
+8.10.0-dev,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.10.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.10.0-dev,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.10.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.10.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.10.0-dev,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.10.0-dev,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.10.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.10.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.10.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.10.0-dev,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.10.0-dev,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.10.0-dev,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.10.0-dev,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. 
+8.10.0-dev,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. +8.10.0-dev,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. +8.10.0-dev,true,process,process.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.10.0-dev,true,process,process.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.10.0-dev,true,process,process.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.10.0-dev,true,process,process.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.10.0-dev,true,process,process.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.10.0-dev,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.10.0-dev,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.10.0-dev,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.10.0-dev,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.10.0-dev,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.10.0-dev,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.10.0-dev,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.10.0-dev,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. 
+8.10.0-dev,true,process,process.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.10.0-dev,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. +8.10.0-dev,true,process,process.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev,true,process,process.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. +8.10.0-dev,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.10.0-dev,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.10.0-dev,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.10.0-dev,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. +8.10.0-dev,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.10.0-dev,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.10.0-dev,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. +8.10.0-dev,true,process,process.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.10.0-dev,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.10.0-dev,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.10.0-dev,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. 
+8.10.0-dev,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.10.0-dev,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. +8.10.0-dev,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.10.0-dev,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.10.0-dev,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +8.10.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.10.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.10.0-dev,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.10.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. +8.10.0-dev,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev,true,process,process.parent.group.name,keyword,extended,,,Name of the group. +8.10.0-dev,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.10.0-dev,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. +8.10.0-dev,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.10.0-dev,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id. +8.10.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. +8.10.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. +8.10.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. 
+8.10.0-dev,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash. +8.10.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. +8.10.0-dev,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.10.0-dev,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. +8.10.0-dev,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.10.0-dev,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +8.10.0-dev,true,process,process.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.10.0-dev,true,process,process.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.10.0-dev,true,process,process.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.10.0-dev,true,process,process.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.10.0-dev,true,process,process.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +8.10.0-dev,true,process,process.parent.macho.imports,flattened,extended,array,,List of imported element names and types. +8.10.0-dev,true,process,process.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev,true,process,process.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev,true,process,process.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file. 
+8.10.0-dev,true,process,process.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.10.0-dev,true,process,process.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name. +8.10.0-dev,true,process,process.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +8.10.0-dev,true,process,process.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.10.0-dev,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +8.10.0-dev,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +8.10.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name. +8.10.0-dev,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. +8.10.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.10.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.10.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.10.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.10.0-dev,true,process,process.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +8.10.0-dev,true,process,process.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.10.0-dev,true,process,process.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
+8.10.0-dev,true,process,process.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.10.0-dev,true,process,process.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.10.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.10.0-dev,true,process,process.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.10.0-dev,true,process,process.parent.pe.imports,flattened,extended,array,,List of imported element names and types. +8.10.0-dev,true,process,process.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev,true,process,process.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.10.0-dev,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.10.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.10.0-dev,true,process,process.parent.pe.sections,nested,extended,array,,Section information of the PE file. +8.10.0-dev,true,process,process.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.10.0-dev,true,process,process.parent.pe.sections.name,keyword,extended,,,PE Section List name. +8.10.0-dev,true,process,process.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. 
+8.10.0-dev,true,process,process.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.10.0-dev,true,process,process.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.10.0-dev,true,process,process.parent.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. +8.10.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. +8.10.0-dev,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. +8.10.0-dev,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group. +8.10.0-dev,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.10.0-dev,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+8.10.0-dev,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. +8.10.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. +8.10.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. +8.10.0-dev,true,process,process.parent.title,keyword,extended,,,Process title. +8.10.0-dev,true,process,process.parent.title.text,match_only_text,extended,,,Process title. +8.10.0-dev,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. +8.10.0-dev,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.10.0-dev,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.10.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. +8.10.0-dev,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,process,process.parent.vpid,long,core,,4242,Virtual process id. +8.10.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.10.0-dev,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.10.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.10.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 
+8.10.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.10.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.10.0-dev,true,process,process.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +8.10.0-dev,true,process,process.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.10.0-dev,true,process,process.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.10.0-dev,true,process,process.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.10.0-dev,true,process,process.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.10.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.10.0-dev,true,process,process.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.10.0-dev,true,process,process.pe.imports,flattened,extended,array,,List of imported element names and types. +8.10.0-dev,true,process,process.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev,true,process,process.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.10.0-dev,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. 
+8.10.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.10.0-dev,true,process,process.pe.sections,nested,extended,array,,Section information of the PE file. +8.10.0-dev,true,process,process.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.10.0-dev,true,process,process.pe.sections.name,keyword,extended,,,PE Section List name. +8.10.0-dev,true,process,process.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.10.0-dev,true,process,process.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.10.0-dev,true,process,process.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.10.0-dev,true,process,process.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. +8.10.0-dev,true,process,process.pid,long,core,,4242,Process id. +8.10.0-dev,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.10.0-dev,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. +8.10.0-dev,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.10.0-dev,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.10.0-dev,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev,true,process,process.real_group.name,keyword,extended,,,Name of the group. +8.10.0-dev,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
+8.10.0-dev,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev,true,process,process.saved_group.name,keyword,extended,,,Name of the group. +8.10.0-dev,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.10.0-dev,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array. +8.10.0-dev,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.10.0-dev,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.10.0-dev,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.10.0-dev,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.10.0-dev,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.10.0-dev,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+8.10.0-dev,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. +8.10.0-dev,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.10.0-dev,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. +8.10.0-dev,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. +8.10.0-dev,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.10.0-dev,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. +8.10.0-dev,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.10.0-dev,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. +8.10.0-dev,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.10.0-dev,true,process,process.session_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. +8.10.0-dev,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.10.0-dev,true,process,process.session_leader.parent.vpid,long,core,,4242,Virtual process id. +8.10.0-dev,true,process,process.session_leader.pid,long,core,,4242,Process id. +8.10.0-dev,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. +8.10.0-dev,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. 
+8.10.0-dev,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +8.10.0-dev,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group. +8.10.0-dev,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.10.0-dev,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +8.10.0-dev,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. +8.10.0-dev,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.10.0-dev,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.10.0-dev,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. 
+8.10.0-dev,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,process,process.session_leader.vpid,long,core,,4242,Virtual process id. +8.10.0-dev,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.10.0-dev,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.10.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.10.0-dev,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. +8.10.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. +8.10.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. +8.10.0-dev,true,process,process.title,keyword,extended,,,Process title. +8.10.0-dev,true,process,process.title.text,match_only_text,extended,,,Process title. +8.10.0-dev,true,process,process.tty,object,extended,,,Information about the controlling TTY device. +8.10.0-dev,true,process,process.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.10.0-dev,true,process,process.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.10.0-dev,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width +8.10.0-dev,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height +8.10.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. +8.10.0-dev,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
+8.10.0-dev,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,process,process.vpid,long,core,,4242,Virtual process id. +8.10.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.10.0-dev,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.10.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +8.10.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +8.10.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +8.10.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +8.10.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +8.10.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +8.10.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. +8.10.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. +8.10.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. +8.10.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. +8.10.0-dev,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. 
+8.10.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author +8.10.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category +8.10.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description +8.10.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID +8.10.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license +8.10.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name +8.10.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL +8.10.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset +8.10.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID +8.10.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version +8.10.0-dev,true,server,server.address,keyword,extended,,,Server network address. +8.10.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.10.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.10.0-dev,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.10.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. +8.10.0-dev,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server. +8.10.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name. +8.10.0-dev,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. +8.10.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. +8.10.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.10.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name. 
+8.10.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.10.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.10.0-dev,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. +8.10.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.10.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. +8.10.0-dev,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.10.0-dev,true,server,server.ip,ip,core,,,IP address of the server. +8.10.0-dev,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. +8.10.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip +8.10.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port +8.10.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. +8.10.0-dev,true,server,server.port,long,core,,,Port of the server. +8.10.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." +8.10.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. +8.10.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.10.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.10.0-dev,true,server,server.user.email,keyword,extended,,,User email address. +8.10.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.10.0-dev,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.10.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+8.10.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group. +8.10.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.10.0-dev,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.10.0-dev,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. +8.10.0-dev,true,service,service.environment,keyword,extended,,production,Environment of the service. +8.10.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +8.10.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +8.10.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. +8.10.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. +8.10.0-dev,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +8.10.0-dev,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +8.10.0-dev,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. +8.10.0-dev,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. 
+8.10.0-dev,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +8.10.0-dev,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +8.10.0-dev,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. +8.10.0-dev,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. +8.10.0-dev,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +8.10.0-dev,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +8.10.0-dev,true,service,service.origin.state,keyword,core,,,Current state of the service. +8.10.0-dev,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. +8.10.0-dev,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. +8.10.0-dev,true,service,service.state,keyword,core,,,Current state of the service. +8.10.0-dev,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service. +8.10.0-dev,true,service,service.target.environment,keyword,extended,,production,Environment of the service. +8.10.0-dev,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +8.10.0-dev,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +8.10.0-dev,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. +8.10.0-dev,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. +8.10.0-dev,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. 
+8.10.0-dev,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +8.10.0-dev,true,service,service.target.state,keyword,core,,,Current state of the service. +8.10.0-dev,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. +8.10.0-dev,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. +8.10.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service. +8.10.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service. +8.10.0-dev,true,source,source.address,keyword,extended,,,Source network address. +8.10.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.10.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.10.0-dev,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.10.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. +8.10.0-dev,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source. +8.10.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name. +8.10.0-dev,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. +8.10.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. +8.10.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.10.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name. +8.10.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.10.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.10.0-dev,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. 
+8.10.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.10.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. +8.10.0-dev,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.10.0-dev,true,source,source.ip,ip,core,,,IP address of the source. +8.10.0-dev,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +8.10.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip +8.10.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port +8.10.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. +8.10.0-dev,true,source,source.port,long,core,,,Port of the source. +8.10.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +8.10.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. +8.10.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.10.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.10.0-dev,true,source,source.user.email,keyword,extended,,,User email address. +8.10.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.10.0-dev,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.10.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.10.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group. +8.10.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
+8.10.0-dev,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.10.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. +8.10.0-dev,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. +8.10.0-dev,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. +8.10.0-dev,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.10.0-dev,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.10.0-dev,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.10.0-dev,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating +8.10.0-dev,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +8.10.0-dev,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +8.10.0-dev,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 
+8.10.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.10.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. 
+8.10.0-dev,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. 
+8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. 
+8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +8.10.0-dev,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. 
+8.10.0-dev,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +8.10.0-dev,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +8.10.0-dev,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.10.0-dev,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.10.0-dev,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 
+8.10.0-dev,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.10.0-dev,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.10.0-dev,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
+8.10.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.10.0-dev,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.10.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. 
+8.10.0-dev,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +8.10.0-dev,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.10.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.10.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.10.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.10.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. 
+8.10.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.10.0-dev,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.10.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
+8.10.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.10.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.10.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.10.0-dev,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. +8.10.0-dev,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +8.10.0-dev,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. +8.10.0-dev,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. +8.10.0-dev,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +8.10.0-dev,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.10.0-dev,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. +8.10.0-dev,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.10.0-dev,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.10.0-dev,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. +8.10.0-dev,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 
+8.10.0-dev,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. +8.10.0-dev,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.10.0-dev,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +8.10.0-dev,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +8.10.0-dev,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking +8.10.0-dev,true,threat,threat.enrichments.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version +8.10.0-dev,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. +8.10.0-dev,true,threat,threat.enrichments.indicator.name,keyword,extended,,5.2.75.227,Indicator display name +8.10.0-dev,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port +8.10.0-dev,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +8.10.0-dev,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +8.10.0-dev,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +8.10.0-dev,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +8.10.0-dev,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +8.10.0-dev,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. 
+8.10.0-dev,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +8.10.0-dev,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +8.10.0-dev,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. +8.10.0-dev,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics +8.10.0-dev,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed +8.10.0-dev,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +8.10.0-dev,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +8.10.0-dev,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +8.10.0-dev,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +8.10.0-dev,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.10.0-dev,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.10.0-dev,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. 
+8.10.0-dev,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.10.0-dev,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. +8.10.0-dev,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +8.10.0-dev,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." +8.10.0-dev,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. +8.10.0-dev,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +8.10.0-dev,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +8.10.0-dev,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +8.10.0-dev,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.10.0-dev,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. +8.10.0-dev,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.10.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
+8.10.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.10.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.10.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.10.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.10.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.10.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.10.0-dev,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.10.0-dev,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.10.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.10.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.10.0-dev,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. 
+8.10.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.10.0-dev,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.10.0-dev,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.10.0-dev,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.10.0-dev,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.10.0-dev,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.10.0-dev,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.10.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.10.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.10.0-dev,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.10.0-dev,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. 
+8.10.0-dev,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value +8.10.0-dev,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field +8.10.0-dev,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier +8.10.0-dev,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index +8.10.0-dev,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05T17:00:58.326Z,Date of match +8.10.0-dev,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match +8.10.0-dev,true,threat,threat.feed.dashboard_id,keyword,extended,,5ba16340-72e6-11eb-a3e3-b3cc7c78a70f,Feed dashboard ID. +8.10.0-dev,true,threat,threat.feed.description,keyword,extended,,Threat feed from the AlienVault Open Threat eXchange network.,Description of the threat feed. +8.10.0-dev,true,threat,threat.feed.name,keyword,extended,,AlienVault OTX,Name of the threat feed. +8.10.0-dev,true,threat,threat.feed.reference,keyword,extended,,https://otx.alienvault.com,Reference for the threat feed. +8.10.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. +8.10.0-dev,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. +8.10.0-dev,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. +8.10.0-dev,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. +8.10.0-dev,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. +8.10.0-dev,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.10.0-dev,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. 
+8.10.0-dev,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.10.0-dev,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating +8.10.0-dev,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +8.10.0-dev,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +8.10.0-dev,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. +8.10.0-dev,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +8.10.0-dev,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.10.0-dev,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.10.0-dev,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.10.0-dev,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.10.0-dev,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.10.0-dev,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.10.0-dev,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.10.0-dev,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 
+8.10.0-dev,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.10.0-dev,true,threat,threat.indicator.file.created,date,extended,,,File creation time. +8.10.0-dev,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +8.10.0-dev,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +8.10.0-dev,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +8.10.0-dev,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +8.10.0-dev,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.10.0-dev,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.10.0-dev,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.10.0-dev,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +8.10.0-dev,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +8.10.0-dev,true,threat,threat.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.10.0-dev,true,threat,threat.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.10.0-dev,true,threat,threat.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.10.0-dev,true,threat,threat.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 
+8.10.0-dev,true,threat,threat.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.10.0-dev,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.10.0-dev,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.10.0-dev,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.10.0-dev,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.10.0-dev,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.10.0-dev,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.10.0-dev,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.10.0-dev,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +8.10.0-dev,true,threat,threat.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.10.0-dev,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +8.10.0-dev,true,threat,threat.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev,true,threat,threat.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +8.10.0-dev,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. 
+8.10.0-dev,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.10.0-dev,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.10.0-dev,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +8.10.0-dev,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.10.0-dev,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.10.0-dev,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.10.0-dev,true,threat,threat.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.10.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.10.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.10.0-dev,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. +8.10.0-dev,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.10.0-dev,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +8.10.0-dev,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.10.0-dev,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.10.0-dev,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +8.10.0-dev,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. 
+8.10.0-dev,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +8.10.0-dev,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +8.10.0-dev,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. +8.10.0-dev,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. +8.10.0-dev,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. +8.10.0-dev,true,threat,threat.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. +8.10.0-dev,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. +8.10.0-dev,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.10.0-dev,true,threat,threat.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. +8.10.0-dev,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +8.10.0-dev,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +8.10.0-dev,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +8.10.0-dev,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. +8.10.0-dev,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +8.10.0-dev,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. +8.10.0-dev,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.10.0-dev,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.10.0-dev,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 
+8.10.0-dev,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.10.0-dev,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.10.0-dev,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.10.0-dev,true,threat,threat.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +8.10.0-dev,true,threat,threat.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.10.0-dev,true,threat,threat.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.10.0-dev,true,threat,threat.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.10.0-dev,true,threat,threat.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.10.0-dev,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.10.0-dev,true,threat,threat.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.10.0-dev,true,threat,threat.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. +8.10.0-dev,true,threat,threat.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.10.0-dev,true,threat,threat.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
+8.10.0-dev,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.10.0-dev,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.10.0-dev,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.10.0-dev,true,threat,threat.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. +8.10.0-dev,true,threat,threat.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.10.0-dev,true,threat,threat.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. +8.10.0-dev,true,threat,threat.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.10.0-dev,true,threat,threat.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.10.0-dev,true,threat,threat.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.10.0-dev,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. +8.10.0-dev,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +8.10.0-dev,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. +8.10.0-dev,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +8.10.0-dev,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +8.10.0-dev,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
+8.10.0-dev,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.10.0-dev,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.10.0-dev,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.10.0-dev,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.10.0-dev,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.10.0-dev,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.10.0-dev,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.10.0-dev,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.10.0-dev,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.10.0-dev,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.10.0-dev,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.10.0-dev,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. 
+8.10.0-dev,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.10.0-dev,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.10.0-dev,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.10.0-dev,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.10.0-dev,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.10.0-dev,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.10.0-dev,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.10.0-dev,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.10.0-dev,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.10.0-dev,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.10.0-dev,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. +8.10.0-dev,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +8.10.0-dev,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. +8.10.0-dev,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. 
+8.10.0-dev,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +8.10.0-dev,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.10.0-dev,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. +8.10.0-dev,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.10.0-dev,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.10.0-dev,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. +8.10.0-dev,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.10.0-dev,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. +8.10.0-dev,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.10.0-dev,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +8.10.0-dev,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +8.10.0-dev,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking +8.10.0-dev,true,threat,threat.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version +8.10.0-dev,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. 
+8.10.0-dev,true,threat,threat.indicator.name,keyword,extended,,5.2.75.227,Indicator display name +8.10.0-dev,true,threat,threat.indicator.port,long,extended,,443,Indicator port +8.10.0-dev,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +8.10.0-dev,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +8.10.0-dev,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +8.10.0-dev,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +8.10.0-dev,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +8.10.0-dev,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +8.10.0-dev,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +8.10.0-dev,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +8.10.0-dev,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. +8.10.0-dev,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics +8.10.0-dev,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed +8.10.0-dev,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +8.10.0-dev,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. 
+8.10.0-dev,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +8.10.0-dev,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +8.10.0-dev,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.10.0-dev,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.10.0-dev,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.10.0-dev,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.10.0-dev,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. +8.10.0-dev,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +8.10.0-dev,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." +8.10.0-dev,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. +8.10.0-dev,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +8.10.0-dev,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +8.10.0-dev,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +8.10.0-dev,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.10.0-dev,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. 
+8.10.0-dev,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.10.0-dev,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.10.0-dev,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.10.0-dev,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.10.0-dev,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.10.0-dev,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.10.0-dev,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.10.0-dev,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.10.0-dev,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.10.0-dev,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.10.0-dev,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.10.0-dev,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. 
+8.10.0-dev,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.10.0-dev,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.10.0-dev,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.10.0-dev,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.10.0-dev,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.10.0-dev,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.10.0-dev,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.10.0-dev,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.10.0-dev,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.10.0-dev,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.10.0-dev,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.10.0-dev,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. 
+8.10.0-dev,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software +8.10.0-dev,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software +8.10.0-dev,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. +8.10.0-dev,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. +8.10.0-dev,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. +8.10.0-dev,true,threat,threat.software.type,keyword,extended,,Tool,Software type. +8.10.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. +8.10.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. +8.10.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. +8.10.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. +8.10.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. +8.10.0-dev,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name. +8.10.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. +8.10.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. +8.10.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. +8.10.0-dev,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name. +8.10.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. 
+8.10.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. +8.10.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. +8.10.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. +8.10.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. +8.10.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. +8.10.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. +8.10.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. +8.10.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. +8.10.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. +8.10.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. +8.10.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. 
+8.10.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. +8.10.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. +8.10.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.10.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.10.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.10.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.10.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.10.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.10.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.10.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.10.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.10.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. 
+8.10.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.10.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.10.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.10.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.10.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.10.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.10.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.10.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.10.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.10.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.10.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.10.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.10.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.10.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. 
+8.10.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." +8.10.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +8.10.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. +8.10.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +8.10.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. +8.10.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. +8.10.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. +8.10.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. +8.10.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. +8.10.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. +8.10.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. 
+8.10.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. +8.10.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. +8.10.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. +8.10.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.10.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.10.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.10.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.10.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.10.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.10.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.10.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.10.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.10.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. 
+8.10.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.10.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.10.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.10.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.10.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.10.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.10.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.10.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.10.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.10.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.10.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.10.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.10.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.10.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. 
+8.10.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. +8.10.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. +8.10.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. +8.10.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. +8.10.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. +8.10.0-dev,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +8.10.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. +8.10.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.10.0-dev,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.10.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.10.0-dev,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.10.0-dev,true,url,url.password,keyword,extended,,,Password of the request. +8.10.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +8.10.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443." +8.10.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. +8.10.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +8.10.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. 
+8.10.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. +8.10.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.10.0-dev,true,url,url.username,keyword,extended,,,Username of the request. +8.10.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. +8.10.0-dev,true,user,user.changes.email,keyword,extended,,,User email address. +8.10.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.10.0-dev,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.10.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.10.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group. +8.10.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.10.0-dev,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.10.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.10.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. +8.10.0-dev,true,user,user.effective.email,keyword,extended,,,User email address. 
+8.10.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.10.0-dev,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.10.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.10.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group. +8.10.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.10.0-dev,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.10.0-dev,true,user,user.email,keyword,extended,,,User email address. +8.10.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.10.0-dev,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.10.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.10.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group. +8.10.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
+8.10.0-dev,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.10.0-dev,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.10.0-dev,true,user,user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.10.0-dev,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.10.0-dev,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.10.0-dev,true,user,user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +8.10.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.10.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. +8.10.0-dev,true,user,user.target.email,keyword,extended,,,User email address. +8.10.0-dev,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.10.0-dev,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
+8.10.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.10.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.10.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group. +8.10.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.10.0-dev,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.10.0-dev,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.10.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.10.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. +8.10.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. +8.10.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +8.10.0-dev,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +8.10.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +8.10.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 
+8.10.0-dev,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.10.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +8.10.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +8.10.0-dev,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +8.10.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +8.10.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +8.10.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +8.10.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. +8.10.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. +8.10.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. +8.10.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +8.10.0-dev,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +8.10.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. +8.10.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. 
+8.10.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. +8.10.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. +8.10.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. +8.10.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. +8.10.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. +8.10.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. +8.10.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. +8.10.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. diff --git a/generated/elasticsearch/composable/component/agent.json b/generated/elasticsearch/composable/component/agent.json index c6defb3044..3989ed428b 100644 --- a/generated/elasticsearch/composable/component/agent.json +++ b/generated/elasticsearch/composable/component/agent.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/base.json b/generated/elasticsearch/composable/component/base.json index 12361f1c26..137ce99572 100644 --- a/generated/elasticsearch/composable/component/base.json +++ b/generated/elasticsearch/composable/component/base.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { 
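Review bot: the descriptions for `url.password` and `threat.indicator.url.password` ("Password of the request.") give no hint that the field carries a credential, and the same URL is also indexed whole in `url.original` and `url.full` (both `wildcard`), so a `user:pass@host` URL lands in cleartext in three places; consider stating in the description that the value is sensitive and that ingest pipelines are expected to redact or drop it, and say the same for the `username` fields. On the fingerprint fields, `tls.client.hash.md5` / `tls.server.hash.md5` and the `sha1` variants are fine for matching against sources that only publish those digests, but the descriptions could name `hash.sha256` as the preferred correlation key, since MD5 and SHA-1 are collision-prone. Smaller points in the same rows: `user_agent.os.platform` reads "Operating system platform (such centos, ubuntu, windows)." and is missing "as"; the x509 country descriptions carry a stray backslash ("List of country \(C) codes") that looks like source escaping leaking into the CSV, and `issuer.country` says "codes" while `subject.country` says "code", as `issuer.common_name` says "common name" where `subject.common_name` says "common names"; `tls.client.issuer` is "Distinguished name of subject of the issuer of the x.509 certificate presented by the client." while `tls.server.issuer` is "Subject of the issuer of the x.509 certificate presented by the server.", and `tls.client.not_after` says "Date/Time indicating" where `tls.server.not_after` says "Timestamp indicating", so the client and server blocks should share one wording; `tls.curve` uses `secp256r1` while `x509.public_key_curve` uses `nistp521`, two naming conventions for the same kind of value; and the `url.original` / `threat.indicator.url.original` example "https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch" is two values joined by "or" in a column meant to hold one literal example. If these rows are generated from the schema YAML, the fixes belong there followed by a regeneration rather than in this file.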
diff --git a/generated/elasticsearch/composable/component/client.json b/generated/elasticsearch/composable/component/client.json index 2ca29e8591..71d14570a1 100644 --- a/generated/elasticsearch/composable/component/client.json +++ b/generated/elasticsearch/composable/component/client.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/cloud.json b/generated/elasticsearch/composable/component/cloud.json index 561a0c1574..9c532a1f79 100644 --- a/generated/elasticsearch/composable/component/cloud.json +++ b/generated/elasticsearch/composable/component/cloud.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cloud.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/container.json b/generated/elasticsearch/composable/component/container.json index 234aa5763a..ae8d228433 100644 --- a/generated/elasticsearch/composable/component/container.json +++ b/generated/elasticsearch/composable/component/container.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-container.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/data_stream.json b/generated/elasticsearch/composable/component/data_stream.json index 4cf21c99db..65043ae47b 100644 --- a/generated/elasticsearch/composable/component/data_stream.json +++ b/generated/elasticsearch/composable/component/data_stream.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-data_stream.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { 
diff --git a/generated/elasticsearch/composable/component/destination.json b/generated/elasticsearch/composable/component/destination.json index ce07f3a2f8..6f4dd0278f 100644 --- a/generated/elasticsearch/composable/component/destination.json +++ b/generated/elasticsearch/composable/component/destination.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/device.json b/generated/elasticsearch/composable/component/device.json index cd2b4671cb..4e026e2c97 100644 --- a/generated/elasticsearch/composable/component/device.json +++ b/generated/elasticsearch/composable/component/device.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-device.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/dll.json b/generated/elasticsearch/composable/component/dll.json index 129bfe9c23..203da51d2a 100644 --- a/generated/elasticsearch/composable/component/dll.json +++ b/generated/elasticsearch/composable/component/dll.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dll.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/dns.json b/generated/elasticsearch/composable/component/dns.json index 4ce6813663..d02766c153 100644 --- a/generated/elasticsearch/composable/component/dns.json +++ b/generated/elasticsearch/composable/component/dns.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { 
diff --git a/generated/elasticsearch/composable/component/ecs.json b/generated/elasticsearch/composable/component/ecs.json index f4d3bffe9d..2d0402f31e 100644 --- a/generated/elasticsearch/composable/component/ecs.json +++ b/generated/elasticsearch/composable/component/ecs.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/email.json b/generated/elasticsearch/composable/component/email.json index bae0e508ae..db3035b330 100644 --- a/generated/elasticsearch/composable/component/email.json +++ b/generated/elasticsearch/composable/component/email.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-email.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/error.json b/generated/elasticsearch/composable/component/error.json index 62ba908ba5..ca6f0d47ab 100644 --- a/generated/elasticsearch/composable/component/error.json +++ b/generated/elasticsearch/composable/component/error.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-error.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/event.json b/generated/elasticsearch/composable/component/event.json index 2781993608..87465f7171 100644 --- a/generated/elasticsearch/composable/component/event.json +++ b/generated/elasticsearch/composable/component/event.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { 
diff --git a/generated/elasticsearch/composable/component/faas.json b/generated/elasticsearch/composable/component/faas.json index 721f97f65f..c9713ac3bb 100644 --- a/generated/elasticsearch/composable/component/faas.json +++ b/generated/elasticsearch/composable/component/faas.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-faas.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/file.json b/generated/elasticsearch/composable/component/file.json index 1132404fa9..10c902ef92 100644 --- a/generated/elasticsearch/composable/component/file.json +++ b/generated/elasticsearch/composable/component/file.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/group.json b/generated/elasticsearch/composable/component/group.json index 854da6e5c2..5c9eb60bc4 100644 --- a/generated/elasticsearch/composable/component/group.json +++ b/generated/elasticsearch/composable/component/group.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-group.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/host.json b/generated/elasticsearch/composable/component/host.json index 7fc5025611..71ef6627e2 100644 --- a/generated/elasticsearch/composable/component/host.json +++ b/generated/elasticsearch/composable/component/host.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { 
diff --git a/generated/elasticsearch/composable/component/http.json b/generated/elasticsearch/composable/component/http.json index 9f6a49215e..534d1b9866 100644 --- a/generated/elasticsearch/composable/component/http.json +++ b/generated/elasticsearch/composable/component/http.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/log.json b/generated/elasticsearch/composable/component/log.json index 6a8d324021..ba7e86e0b9 100644 --- a/generated/elasticsearch/composable/component/log.json +++ b/generated/elasticsearch/composable/component/log.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/network.json b/generated/elasticsearch/composable/component/network.json index 8bf777d4ab..500c7d1b16 100644 --- a/generated/elasticsearch/composable/component/network.json +++ b/generated/elasticsearch/composable/component/network.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/observer.json b/generated/elasticsearch/composable/component/observer.json index 536d646616..b206c37ff5 100644 --- a/generated/elasticsearch/composable/component/observer.json +++ b/generated/elasticsearch/composable/component/observer.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { 
diff --git a/generated/elasticsearch/composable/component/orchestrator.json b/generated/elasticsearch/composable/component/orchestrator.json index 8839f4f458..24bf5d4fa5 100644 --- a/generated/elasticsearch/composable/component/orchestrator.json +++ b/generated/elasticsearch/composable/component/orchestrator.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-orchestrator.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/organization.json b/generated/elasticsearch/composable/component/organization.json index be584267bd..4e8f186ac0 100644 --- a/generated/elasticsearch/composable/component/organization.json +++ b/generated/elasticsearch/composable/component/organization.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-organization.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/package.json b/generated/elasticsearch/composable/component/package.json index 15c056cc93..3832bfc704 100644 --- a/generated/elasticsearch/composable/component/package.json +++ b/generated/elasticsearch/composable/component/package.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-package.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/process.json b/generated/elasticsearch/composable/component/process.json index e41a6b83f3..3e18a2e5c1 100644 --- a/generated/elasticsearch/composable/component/process.json +++ b/generated/elasticsearch/composable/component/process.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/registry.json b/generated/elasticsearch/composable/component/registry.json index cf0b5abddb..26d56f47c9 100644 --- a/generated/elasticsearch/composable/component/registry.json +++ b/generated/elasticsearch/composable/component/registry.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-registry.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/related.json b/generated/elasticsearch/composable/component/related.json index 97ad411d42..ba394a9339 100644 --- a/generated/elasticsearch/composable/component/related.json +++ b/generated/elasticsearch/composable/component/related.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-related.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/rule.json b/generated/elasticsearch/composable/component/rule.json index b3014f0a62..47e31f40e6 100644 --- a/generated/elasticsearch/composable/component/rule.json +++ b/generated/elasticsearch/composable/component/rule.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/server.json b/generated/elasticsearch/composable/component/server.json index 7f1b38b12e..77865f325a 100644 --- a/generated/elasticsearch/composable/component/server.json +++ b/generated/elasticsearch/composable/component/server.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/service.json b/generated/elasticsearch/composable/component/service.json index fc5e8ef73f..e47d108a42 100644 --- a/generated/elasticsearch/composable/component/service.json +++ b/generated/elasticsearch/composable/component/service.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/source.json b/generated/elasticsearch/composable/component/source.json index 4ca1c8edaf..1400dfc488 100644 --- a/generated/elasticsearch/composable/component/source.json +++ b/generated/elasticsearch/composable/component/source.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/threat.json b/generated/elasticsearch/composable/component/threat.json index 9b1d930a78..6828c8e510 100644 --- a/generated/elasticsearch/composable/component/threat.json +++ b/generated/elasticsearch/composable/component/threat.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-threat.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/tls.json b/generated/elasticsearch/composable/component/tls.json index 8e8acfcee6..d079ea81ba 100644 --- a/generated/elasticsearch/composable/component/tls.json +++ b/generated/elasticsearch/composable/component/tls.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tls.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/tracing.json b/generated/elasticsearch/composable/component/tracing.json index cd43d65796..7555afd3c2 100644 --- a/generated/elasticsearch/composable/component/tracing.json +++ b/generated/elasticsearch/composable/component/tracing.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tracing.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/url.json b/generated/elasticsearch/composable/component/url.json index ce6c34a8eb..d75ab42f80 100644 --- a/generated/elasticsearch/composable/component/url.json +++ b/generated/elasticsearch/composable/component/url.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/user.json b/generated/elasticsearch/composable/component/user.json index f17e31e8e0..67e37251c7 100644 --- a/generated/elasticsearch/composable/component/user.json +++ b/generated/elasticsearch/composable/component/user.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/user_agent.json b/generated/elasticsearch/composable/component/user_agent.json index 8fcf0bd0c0..3f3094d078 100644 --- a/generated/elasticsearch/composable/component/user_agent.json +++ b/generated/elasticsearch/composable/component/user_agent.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/vulnerability.json b/generated/elasticsearch/composable/component/vulnerability.json index f6b8dc81d4..02c8434892 100644 --- a/generated/elasticsearch/composable/component/vulnerability.json +++ b/generated/elasticsearch/composable/component/vulnerability.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/template.json b/generated/elasticsearch/composable/template.json index d9ad7e34cf..b87775c355 100644 --- a/generated/elasticsearch/composable/template.json +++ b/generated/elasticsearch/composable/template.json 
@@ -1,48 +1,48 @@ { "_meta": { "description": "Sample composable template that includes all ECS fields", - "ecs_version": "8.9.0-dev" + "ecs_version": "8.10.0-dev" }, "composed_of": [ - "ecs_8.9.0-dev_base", - "ecs_8.9.0-dev_agent", - "ecs_8.9.0-dev_client", - "ecs_8.9.0-dev_cloud", - "ecs_8.9.0-dev_container", - "ecs_8.9.0-dev_data_stream", - "ecs_8.9.0-dev_destination", - "ecs_8.9.0-dev_device", - "ecs_8.9.0-dev_dll", - "ecs_8.9.0-dev_dns", - "ecs_8.9.0-dev_ecs", - "ecs_8.9.0-dev_email", - "ecs_8.9.0-dev_error", - "ecs_8.9.0-dev_event", - "ecs_8.9.0-dev_faas", - "ecs_8.9.0-dev_file", - "ecs_8.9.0-dev_group", - "ecs_8.9.0-dev_host", - "ecs_8.9.0-dev_http", - "ecs_8.9.0-dev_log", - "ecs_8.9.0-dev_network", - "ecs_8.9.0-dev_observer", - "ecs_8.9.0-dev_orchestrator", - "ecs_8.9.0-dev_organization", - "ecs_8.9.0-dev_package", - "ecs_8.9.0-dev_process", - "ecs_8.9.0-dev_registry", - "ecs_8.9.0-dev_related", - "ecs_8.9.0-dev_rule", - "ecs_8.9.0-dev_server", - "ecs_8.9.0-dev_service", - "ecs_8.9.0-dev_source", - "ecs_8.9.0-dev_threat", - "ecs_8.9.0-dev_tls", - "ecs_8.9.0-dev_tracing", - "ecs_8.9.0-dev_url", - "ecs_8.9.0-dev_user_agent", - "ecs_8.9.0-dev_user", - "ecs_8.9.0-dev_vulnerability" + "ecs_8.10.0-dev_base", + "ecs_8.10.0-dev_agent", + "ecs_8.10.0-dev_client", + "ecs_8.10.0-dev_cloud", + "ecs_8.10.0-dev_container", + "ecs_8.10.0-dev_data_stream", + "ecs_8.10.0-dev_destination", + "ecs_8.10.0-dev_device", + "ecs_8.10.0-dev_dll", + "ecs_8.10.0-dev_dns", + "ecs_8.10.0-dev_ecs", + "ecs_8.10.0-dev_email", + "ecs_8.10.0-dev_error", + "ecs_8.10.0-dev_event", + "ecs_8.10.0-dev_faas", + "ecs_8.10.0-dev_file", + "ecs_8.10.0-dev_group", + "ecs_8.10.0-dev_host", + "ecs_8.10.0-dev_http", + "ecs_8.10.0-dev_log", + "ecs_8.10.0-dev_network", + "ecs_8.10.0-dev_observer", + "ecs_8.10.0-dev_orchestrator", + "ecs_8.10.0-dev_organization", + "ecs_8.10.0-dev_package", + "ecs_8.10.0-dev_process", + "ecs_8.10.0-dev_registry", + "ecs_8.10.0-dev_related", + "ecs_8.10.0-dev_rule", + 
"ecs_8.10.0-dev_server", + "ecs_8.10.0-dev_service", + "ecs_8.10.0-dev_source", + "ecs_8.10.0-dev_threat", + "ecs_8.10.0-dev_tls", + "ecs_8.10.0-dev_tracing", + "ecs_8.10.0-dev_url", + "ecs_8.10.0-dev_user_agent", + "ecs_8.10.0-dev_user", + "ecs_8.10.0-dev_vulnerability" ], "index_patterns": [ "try-ecs-*" diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index bd747c0c7d..0e0297839c 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -4,7 +4,7 @@ ], "mappings": { "_meta": { - "version": "8.9.0-dev" + "version": "8.10.0-dev" }, "date_detection": false, "dynamic_templates": [ diff --git a/version b/version index 38987536ce..388948e05c 100644 --- a/version +++ b/version @@ -1 +1 @@ -8.9.0-dev +8.10.0-dev From 4ea6f3bca8a264dd0b616d70198b69ec3be6a340 Mon Sep 17 00:00:00 2001 From: Bharat Pasupula <123897612+bhapas@users.noreply.github.com> Date: Wed, 21 Jun 2023 15:22:47 +0200 Subject: [PATCH 099/186] Add v8.9 to backport tool (#2223) --- .backportrc.json | 1 + 1 file changed, 1 insertion(+) diff --git a/.backportrc.json b/.backportrc.json index 6ecb3ac7a6..2c49a2c575 100644 --- a/.backportrc.json +++ b/.backportrc.json @@ -2,6 +2,7 @@ "upstream": "elastic/ecs", "branches": [ { "name": "main", "checked": true }, + "8.9", "8.8", "8.7", "8.6", From a9396bc65d89270c369697dc3e84c9a8d545fbe6 Mon Sep 17 00:00:00 2001 From: Bharat Pasupula <123897612+bhapas@users.noreply.github.com> Date: Wed, 21 Jun 2023 18:55:02 +0200 Subject: [PATCH 100/186] [main] 8.9 changelog forwardport (#2224) * 8.9 FF changelog updates * Update CHANGELOG.next.md Co-authored-by: Kylie Meli --------- Co-authored-by: Kylie Meli --- CHANGELOG.next.md | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 57228cc83f..c9bebd73c4 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md 
@@ -15,12 +15,10 @@ Thanks, you're awesome :-) --> #### Bugfixes #### Added -* Added `process.vpid` for namespaced process ids. #2211 #### Improvements #### Deprecated -* Removed `faas.trigger: nested` since we only have one trigger. #2194 ### Tooling and Artifact Changes @@ -34,6 +32,20 @@ Thanks, you're awesome :-) --> #### Deprecated +## 8.9.0 (Feature Freeze) + +### Schema Changes + +### Bugfixes + +#### Added +* Added `process.vpid` for namespaced process ids. #2211 + +### Improvements + +#### Deprecated +* Removed `faas.trigger: nested` since we only have one trigger. #2194 + #### Bugfixes #### Added +* Added `container.privileged` to indicated whether a container was started in privileged mode. #2219 #### Improvements diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index 28d6f700f0..80ec002df7 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -1213,6 +1213,22 @@ type: long +| extended + +// =============================================================== + +| +[[field-container-privileged]] +<> + +a| Indicates whether the container is running in privileged mode. + +type: bool + + + + + | extended // =============================================================== diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index b7b1360826..8ff00d6980 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -944,6 +944,11 @@ description: The number of bytes received (gauge) on all network interfaces by the container since the last metric collection. default_field: false + - name: privileged + level: extended + type: bool + description: Indicates whether the container is running in privileged mode. + default_field: false - name: runtime level: extended type: keyword diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 810c86fbb8..2d62bf6910 100644 
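Review bot: heading levels inside the new `+## 8.9.0 (Feature Freeze)` block of the CHANGELOG.next.md hunk (`@@ -34,6 +32,20 @@`) are inconsistent with the rest of the file: `+### Bugfixes` and `+### Improvements` are written at the same level as `### Schema Changes`, while their siblings `+#### Added` and `+#### Deprecated` and the unreleased template above them use four hashes. Suggest `#### Bugfixes` and `#### Improvements` so the 8.9.0 section mirrors the unreleased layout and renders as subsections of Schema Changes rather than as peers of it.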
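Review bot: typo in the added changelog line `+* Added `container.privileged` to indicated whether a container was started in privileged mode. #2219`: `indicated` should be `indicate`. The entry also says the container was "started" in privileged mode while the field description added in the same patch says "running in privileged mode"; using one wording in both places avoids two readings of the same flag.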
--- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv @@ -99,6 +99,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.10.0-dev+exp,true,container,container.name,keyword,extended,,,Container name. 8.10.0-dev+exp,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. 8.10.0-dev+exp,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +8.10.0-dev+exp,true,container,container.privileged,bool,extended,,,Indicates whether the container is running in privileged mode. 8.10.0-dev+exp,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. 8.10.0-dev+exp,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. 8.10.0-dev+exp,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 8a9b92abef..af895f4dd2 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -1183,6 +1183,15 @@ container.network.ingress.bytes: normalize: [] short: The number of bytes received on all network interfaces. type: long +container.privileged: + dashed_name: container-privileged + description: Indicates whether the container is running in privileged mode. + flat_name: container.privileged + level: extended + name: privileged + normalize: [] + short: Indicates whether the container is running in privileged mode. + type: bool container.runtime: dashed_name: container-runtime description: Runtime managing this container. 
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 0847697c3b..9cabccb95a 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -1562,6 +1562,15 @@ container: normalize: [] short: The number of bytes received on all network interfaces. type: long + container.privileged: + dashed_name: container-privileged + description: Indicates whether the container is running in privileged mode. + flat_name: container.privileged + level: extended + name: privileged + normalize: [] + short: Indicates whether the container is running in privileged mode. + type: bool container.runtime: dashed_name: container-runtime description: Runtime managing this container. diff --git a/experimental/generated/elasticsearch/composable/component/container.json b/experimental/generated/elasticsearch/composable/component/container.json index 61b9d3fb50..fa7a0421ef 100644 --- a/experimental/generated/elasticsearch/composable/component/container.json +++ b/experimental/generated/elasticsearch/composable/component/container.json @@ -91,6 +91,9 @@ } } }, + "privileged": { + "type": "bool" + }, "runtime": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index e04671d803..fa866c0253 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -560,6 +560,9 @@ } } }, + "privileged": { + "type": "bool" + }, "runtime": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 1c99c802b3..958e7d5b05 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -894,6 +894,11 @@ description: The number of bytes received (gauge) on all network interfaces by the container since the last metric collection. default_field: false + - name: privileged + level: extended + type: bool + description: Indicates whether the container is running in privileged mode. + default_field: false - name: runtime level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 4ccb5f6a15..6d53d28295 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -92,6 +92,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.10.0-dev,true,container,container.name,keyword,extended,,,Container name. 8.10.0-dev,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. 8.10.0-dev,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +8.10.0-dev,true,container,container.privileged,bool,extended,,,Indicates whether the container is running in privileged mode. 8.10.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. 8.10.0-dev,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. 8.10.0-dev,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index e042d14ef4..f7c3d56957 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -1114,6 +1114,15 @@ container.network.ingress.bytes: normalize: [] short: The number of bytes received on all network interfaces. type: long +container.privileged: + dashed_name: container-privileged + description: Indicates whether the container is running in privileged mode. + flat_name: container.privileged + level: extended + name: privileged + normalize: [] + short: Indicates whether the container is running in privileged mode. + type: bool container.runtime: dashed_name: container-runtime description: Runtime managing this container. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index eae3f3498d..3505dd848e 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -1482,6 +1482,15 @@ container: normalize: [] short: The number of bytes received on all network interfaces. type: long + container.privileged: + dashed_name: container-privileged + description: Indicates whether the container is running in privileged mode. + flat_name: container.privileged + level: extended + name: privileged + normalize: [] + short: Indicates whether the container is running in privileged mode. + type: bool container.runtime: dashed_name: container-runtime description: Runtime managing this container. diff --git a/generated/elasticsearch/composable/component/container.json b/generated/elasticsearch/composable/component/container.json index ae8d228433..a840e22ba5 100644 --- a/generated/elasticsearch/composable/component/container.json +++ b/generated/elasticsearch/composable/component/container.json @@ -91,6 +91,9 @@ } } }, + "privileged": { + "type": "bool" + }, "runtime": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index 0e0297839c..c20ce4daef 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json 
@@ -518,6 +518,9 @@ } } }, + "privileged": { + "type": "bool" + }, "runtime": { "ignore_above": 1024, "type": "keyword" diff --git a/schemas/container.yml b/schemas/container.yml index b538a4d485..85b888dfce 100644 --- a/schemas/container.yml +++ b/schemas/container.yml @@ -121,6 +121,13 @@ The number of bytes (gauge) sent out on all network interfaces by the container since the last metric collection. + - name: privileged + type: bool + level: extended + short: Indicates whether the container is running in privileged mode. + description: > + Indicates whether the container is running in privileged mode. + - name: runtime level: extended type: keyword From 2abd912a1ac92a8cd968da85f4f7bfb4c742a14c Mon Sep 17 00:00:00 2001 From: Nic Date: Wed, 28 Jun 2023 15:32:10 -0500 Subject: [PATCH 102/186] Clean up Event fields (#2226) --- docs/fields/field-details.asciidoc | 14 +++++----- docs/fields/field-values.asciidoc | 2 +- experimental/generated/beats/fields.ecs.yml | 18 ++++++------ experimental/generated/csv/fields.csv | 4 +-- experimental/generated/ecs/ecs_flat.yml | 31 +++++++++++---------- experimental/generated/ecs/ecs_nested.yml | 26 ++++++++--------- generated/beats/fields.ecs.yml | 18 ++++++------ generated/csv/fields.csv | 4 +-- generated/ecs/ecs_flat.yml | 31 +++++++++++---------- generated/ecs/ecs_nested.yml | 26 ++++++++--------- schemas/event.yml | 14 +++++----- 11 files changed, 95 insertions(+), 93 deletions(-) diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index 80ec002df7..0d92b86aa2 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc 
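Review bot: `+    type: bool` in the schemas/container.yml hunk is not a type ECS or Elasticsearch understands; boolean fields elsewhere in ECS are declared `type: boolean`, and Elasticsearch has no `bool` mapping type, so a component template containing `"type": "bool"` is rejected on install with a mapper parsing error, which would take the whole `container` component template down rather than just this field. The generated artifacts in this patch carry the same value (`+      "privileged": {` / `+        "type": "bool"` in generated/elasticsearch/composable/component/container.json and generated/elasticsearch/legacy/template.json plus the experimental copies, `+      type: bool` in both fields.ecs.yml hunks, `bool` in the csv and ecs_flat/ecs_nested yml hunks, and `type: bool` in the field-details.asciidoc hunk). Suggest changing the schema entry to `type: boolean` and regenerating all artifacts rather than hand-editing the generated files.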
@@ -3437,13 +3437,13 @@ example: `4648` [[field-event-created]] <> -a| event.created contains the date/time when the event was first read by an agent, or by your pipeline. +a| `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. -This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. +This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. -In case the two timestamps are identical, @timestamp should be used. +In case the two timestamps are identical, `@timestamp` should be used. type: date @@ -3481,7 +3481,7 @@ example: `apache.access` a| Duration of the event in nanoseconds. -If event.start and event.end are known this value should be the difference between the end and start time. +If `event.start` and `event.end` are known this value should be the difference between the end and start time. type: long @@ -3497,7 +3497,7 @@ type: long [[field-event-end]] <> -a| event.end contains the date when the event ended or when the activity was last observed. +a| `event.end` contains the date when the event ended or when the activity was last observed. type: date 
@@ -3569,7 +3569,7 @@ a| This is one of four ECS Categorization Fields, and indicates the highest leve `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. -The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. +The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. type: keyword @@ -3785,7 +3785,7 @@ example: `7` [[field-event-start]] <> -a| event.start contains the date when the event started or when the activity was first observed. +a| `event.start` contains the date when the event started or when the activity was first observed. type: date diff --git a/docs/fields/field-values.asciidoc b/docs/fields/field-values.asciidoc index 11356f66b2..0a4030ba06 100644 --- a/docs/fields/field-values.asciidoc +++ b/docs/fields/field-values.asciidoc 
@@ -35,7 +35,7 @@ This is one of four ECS Categorization Fields, and indicates the highest level i `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. -The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. +The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. *Allowed Values* diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 8ff00d6980..b1f439752f 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -2424,10 +2424,10 @@ - name: created level: core type: date - description: 'event.created contains the date/time when the event was first + description: '`event.created` contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain + This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference @@ -2435,7 +2435,7 @@ and the time when your agent first processed it. This can be used to monitor your agent''s or pipeline''s ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used.' + In case the two timestamps are identical, `@timestamp` should be used.' example: '2016-05-23T08:05:34.857Z' - name: dataset level: core 
@@ -2459,13 +2459,13 @@ output_precision: 1 description: 'Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference + If `event.start` and `event.end` are known this value should be the difference between the end and start time.' - name: end level: extended type: date - description: event.end contains the date when the event ended or when the activity - was last observed. + description: '`event.end` contains the date when the event ended or when the + activity was last observed.' - name: hash level: extended type: keyword @@ -2505,7 +2505,7 @@ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, - it may also help understand whether the data coming in at a regular interval + it may also help understand whether the data is coming in at a regular interval or not.' example: alert - name: module @@ -2628,8 +2628,8 @@ - name: start level: extended type: date - description: event.start contains the date when the event started or when the - activity was first observed. + description: '`event.start` contains the date when the event started or when + the activity was first observed.' - name: timezone level: extended type: keyword diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 2d62bf6910..09b70c2f1a 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -246,7 +246,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.10.0-dev+exp,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. 8.10.0-dev+exp,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. 8.10.0-dev+exp,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. -8.10.0-dev+exp,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. +8.10.0-dev+exp,true,event,event.end,date,extended,,,`event.end` contains the date when the event ended or when the activity was last observed. 8.10.0-dev+exp,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. 8.10.0-dev+exp,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. 8.10.0-dev+exp,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. 
@@ -261,7 +261,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.10.0-dev+exp,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). 8.10.0-dev+exp,true,event,event.sequence,long,extended,,,Sequence number of the event. 8.10.0-dev+exp,true,event,event.severity,long,core,,7,Numeric severity of the event. -8.10.0-dev+exp,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. +8.10.0-dev+exp,true,event,event.start,date,extended,,,`event.start` contains the date when the event started or when the activity was first observed. 8.10.0-dev+exp,true,event,event.timezone,keyword,extended,,,Event time zone. 8.10.0-dev+exp,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. 8.10.0-dev+exp,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index af895f4dd2..1b8c568342 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -3199,18 +3199,18 @@ event.code: type: keyword event.created: dashed_name: event-created - description: 'event.created contains the date/time when the event was first read + description: '`event.created` contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the - time extracted from the original event. + This field is distinct from `@timestamp` in that `@timestamp` typically contain + the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent''s or pipeline''s ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used.' + In case the two timestamps are identical, `@timestamp` should be used.' example: '2016-05-23T08:05:34.857Z' flat_name: event.created level: core @@ -3239,8 +3239,8 @@ event.duration: dashed_name: event-duration description: 'Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between - the end and start time.' + If `event.start` and `event.end` are known this value should be the difference + between the end and start time.' flat_name: event.duration format: duration input_format: nanoseconds 
@@ -3253,14 +3253,14 @@ event.duration: type: long event.end: dashed_name: event-end - description: event.end contains the date when the event ended or when the activity - was last observed. + description: '`event.end` contains the date when the event ended or when the activity + was last observed.' flat_name: event.end level: extended name: end normalize: [] - short: event.end contains the date when the event ended or when the activity was - last observed. + short: '`event.end` contains the date when the event ended or when the activity + was last observed.' type: date event.hash: dashed_name: event-hash @@ -3389,7 +3389,8 @@ event.kind: The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it - may also help understand whether the data coming in at a regular interval or not.' + may also help understand whether the data is coming in at a regular interval or + not.' example: alert flat_name: event.kind ignore_above: 1024 @@ -3580,14 +3581,14 @@ event.severity: type: long event.start: dashed_name: event-start - description: event.start contains the date when the event started or when the activity - was first observed. + description: '`event.start` contains the date when the event started or when the + activity was first observed.' flat_name: event.start level: extended name: start normalize: [] - short: event.start contains the date when the event started or when the activity - was first observed. + short: '`event.start` contains the date when the event started or when the activity + was first observed.' type: date event.timezone: dashed_name: event-timezone diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 9cabccb95a..5dc98a22f8 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -4194,10 +4194,10 @@ event: type: keyword event.created: dashed_name: event-created - description: 'event.created contains the date/time when the event was first + description: '`event.created` contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain + This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference @@ -4205,7 +4205,7 @@ event: and the time when your agent first processed it. This can be used to monitor your agent''s or pipeline''s ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used.' + In case the two timestamps are identical, `@timestamp` should be used.' example: '2016-05-23T08:05:34.857Z' flat_name: event.created level: core @@ -4235,7 +4235,7 @@ event: dashed_name: event-duration description: 'Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference + If `event.start` and `event.end` are known this value should be the difference between the end and start time.' flat_name: event.duration format: duration @@ -4249,14 +4249,14 @@ event: type: long event.end: dashed_name: event-end - description: event.end contains the date when the event ended or when the activity - was last observed. + description: '`event.end` contains the date when the event ended or when the + activity was last observed.' flat_name: event.end level: extended name: end normalize: [] - short: event.end contains the date when the event ended or when the activity - was last observed. + short: '`event.end` contains the date when the event ended or when the activity + was last observed.' type: date event.hash: dashed_name: event-hash 
@@ -4386,7 +4386,7 @@ event: The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, - it may also help understand whether the data coming in at a regular interval + it may also help understand whether the data is coming in at a regular interval or not.' example: alert flat_name: event.kind @@ -4582,14 +4582,14 @@ event: type: long event.start: dashed_name: event-start - description: event.start contains the date when the event started or when the - activity was first observed. + description: '`event.start` contains the date when the event started or when + the activity was first observed.' flat_name: event.start level: extended name: start normalize: [] - short: event.start contains the date when the event started or when the activity - was first observed. + short: '`event.start` contains the date when the event started or when the activity + was first observed.' type: date event.timezone: dashed_name: event-timezone diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 958e7d5b05..f64dda3f11 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -2374,10 +2374,10 @@ - name: created level: core type: date - description: 'event.created contains the date/time when the event was first + description: '`event.created` contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain + This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference 
@@ -2385,7 +2385,7 @@ and the time when your agent first processed it. This can be used to monitor your agent''s or pipeline''s ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used.' + In case the two timestamps are identical, `@timestamp` should be used.' example: '2016-05-23T08:05:34.857Z' - name: dataset level: core @@ -2409,13 +2409,13 @@ output_precision: 1 description: 'Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference + If `event.start` and `event.end` are known this value should be the difference between the end and start time.' - name: end level: extended type: date - description: event.end contains the date when the event ended or when the activity - was last observed. + description: '`event.end` contains the date when the event ended or when the + activity was last observed.' - name: hash level: extended type: keyword @@ -2455,7 +2455,7 @@ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, - it may also help understand whether the data coming in at a regular interval + it may also help understand whether the data is coming in at a regular interval or not.' example: alert - name: module @@ -2578,8 +2578,8 @@ - name: start level: extended type: date - description: event.start contains the date when the event started or when the - activity was first observed. + description: '`event.start` contains the date when the event started or when + the activity was first observed.' - name: timezone level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 6d53d28295..c2d9534ddb 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -239,7 +239,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.10.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. 8.10.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. 8.10.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. -8.10.0-dev,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. +8.10.0-dev,true,event,event.end,date,extended,,,`event.end` contains the date when the event ended or when the activity was last observed. 8.10.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. 8.10.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. 8.10.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. 
@@ -254,7 +254,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.10.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). 8.10.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event. 8.10.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event. -8.10.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. +8.10.0-dev,true,event,event.start,date,extended,,,`event.start` contains the date when the event started or when the activity was first observed. 8.10.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone. 8.10.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. 8.10.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index f7c3d56957..1256ae19b4 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -3130,18 +3130,18 @@ event.code: type: keyword event.created: dashed_name: event-created - description: 'event.created contains the date/time when the event was first read + description: '`event.created` contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the - time extracted from the original event. + This field is distinct from `@timestamp` in that `@timestamp` typically contain + the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent''s or pipeline''s ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used.' + In case the two timestamps are identical, `@timestamp` should be used.' example: '2016-05-23T08:05:34.857Z' flat_name: event.created level: core @@ -3170,8 +3170,8 @@ event.duration: dashed_name: event-duration description: 'Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between - the end and start time.' + If `event.start` and `event.end` are known this value should be the difference + between the end and start time.' flat_name: event.duration format: duration input_format: nanoseconds 
@@ -3184,14 +3184,14 @@ event.duration: type: long event.end: dashed_name: event-end - description: event.end contains the date when the event ended or when the activity - was last observed. + description: '`event.end` contains the date when the event ended or when the activity + was last observed.' flat_name: event.end level: extended name: end normalize: [] - short: event.end contains the date when the event ended or when the activity was - last observed. + short: '`event.end` contains the date when the event ended or when the activity + was last observed.' type: date event.hash: dashed_name: event-hash @@ -3320,7 +3320,8 @@ event.kind: The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it - may also help understand whether the data coming in at a regular interval or not.' + may also help understand whether the data is coming in at a regular interval or + not.' example: alert flat_name: event.kind ignore_above: 1024 @@ -3511,14 +3512,14 @@ event.severity: type: long event.start: dashed_name: event-start - description: event.start contains the date when the event started or when the activity - was first observed. + description: '`event.start` contains the date when the event started or when the + activity was first observed.' flat_name: event.start level: extended name: start normalize: [] - short: event.start contains the date when the event started or when the activity - was first observed. + short: '`event.start` contains the date when the event started or when the activity + was first observed.' type: date event.timezone: dashed_name: event-timezone diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 3505dd848e..b097520208 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -4114,10 +4114,10 @@ event: type: keyword event.created: dashed_name: event-created - description: 'event.created contains the date/time when the event was first + description: '`event.created` contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain + This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference @@ -4125,7 +4125,7 @@ event: and the time when your agent first processed it. This can be used to monitor your agent''s or pipeline''s ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used.' + In case the two timestamps are identical, `@timestamp` should be used.' example: '2016-05-23T08:05:34.857Z' flat_name: event.created level: core @@ -4155,7 +4155,7 @@ event: dashed_name: event-duration description: 'Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference + If `event.start` and `event.end` are known this value should be the difference between the end and start time.' flat_name: event.duration format: duration @@ -4169,14 +4169,14 @@ event: type: long event.end: dashed_name: event-end - description: event.end contains the date when the event ended or when the activity - was last observed. + description: '`event.end` contains the date when the event ended or when the + activity was last observed.' flat_name: event.end level: extended name: end normalize: [] - short: event.end contains the date when the event ended or when the activity - was last observed. + short: '`event.end` contains the date when the event ended or when the activity + was last observed.' type: date event.hash: dashed_name: event-hash 
@@ -4306,7 +4306,7 @@ event: The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, - it may also help understand whether the data coming in at a regular interval + it may also help understand whether the data is coming in at a regular interval or not.' example: alert flat_name: event.kind @@ -4502,14 +4502,14 @@ event: type: long event.start: dashed_name: event-start - description: event.start contains the date when the event started or when the - activity was first observed. + description: '`event.start` contains the date when the event started or when + the activity was first observed.' flat_name: event.start level: extended name: start normalize: [] - short: event.start contains the date when the event started or when the activity - was first observed. + short: '`event.start` contains the date when the event started or when the activity + was first observed.' type: date event.timezone: dashed_name: event-timezone diff --git a/schemas/event.yml b/schemas/event.yml index 20ae8c756d..cd3a247bbb 100644 --- a/schemas/event.yml +++ b/schemas/event.yml @@ -70,7 +70,7 @@ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also - help understand whether the data coming in at a regular interval or not. + help understand whether the data is coming in at a regular interval or not. example: alert allowed_values: - name: alert @@ -712,7 +712,7 @@ description: > Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the + If `event.start` and `event.end` are known this value should be the difference between the end and start time. - name: sequence 
@@ -744,10 +744,10 @@ short: Time when the event was first read by an agent or by your pipeline. example: '2016-05-23T08:05:34.857Z' description: > - event.created contains the date/time when the event was first read by an + `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain + This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. @@ -756,20 +756,20 @@ This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. + In case the two timestamps are identical, `@timestamp` should be used. - name: start level: extended type: date description: > - event.start contains the date when the event started or when the + `event.start` contains the date when the event started or when the activity was first observed. - name: end level: extended type: date description: > - event.end contains the date when the event ended or when the activity + `event.end` contains the date when the event ended or when the activity was last observed. - name: risk_score From 8af589c878aef4b29282eb1cc283f11a7d5f8469 Mon Sep 17 00:00:00 2001 
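Review bot: the backticks added to the `short:` values of `event.start` and `event.end` (ecs_flat.yml and ecs_nested.yml hunks) leak into the generated CSV as literal markup (`,,,`event.end` contains the date when the event ended...` in both fields.csv hunks), because neither field has an explicit `short:` in schemas/event.yml and the short text is taken from the description. Give `start` and `end` a plain-text `short:` in schemas/event.yml, as `created` already has (`short: Time when the event was first read by an agent or by your pipeline.`), and regenerate so the CSV and the other short-text consumers stay free of markdown.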
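Review bot: every copy of the `event.created` description is edited but the agreement error in `This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event.` is kept; change `typically contain` to `typically contains` in schemas/event.yml while the line is being touched and regenerate, so field-details.asciidoc, fields.ecs.yml, ecs_flat.yml and ecs_nested.yml pick up the same fix instead of needing a second pass.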
From: Maxwell Borden Date: Thu, 29 Jun 2023 15:36:19 +0200 Subject: [PATCH 103/186] Fix privileged flag (#2225) * Move container.privileged to container.security_context.privileged I did not rebase correctly to resolve conflicts in the previous PR and merged the incorrect initial path to the privileged flag * Regenerate Artifacts * Update changelog * Update CHANGELOG.next.md Co-authored-by: Eric Beahan --------- Co-authored-by: Eric Beahan --- CHANGELOG.next.md | 2 +- docs/fields/field-details.asciidoc | 20 +++++++++---------- experimental/generated/beats/fields.ecs.yml | 10 +++++----- experimental/generated/csv/fields.csv | 2 +- experimental/generated/ecs/ecs_flat.yml | 18 ++++++++--------- experimental/generated/ecs/ecs_nested.yml | 18 ++++++++--------- .../composable/component/container.json | 10 +++++++--- .../elasticsearch/legacy/template.json | 10 +++++++--- generated/beats/fields.ecs.yml | 10 +++++----- generated/csv/fields.csv | 2 +- generated/ecs/ecs_flat.yml | 18 ++++++++--------- generated/ecs/ecs_nested.yml | 18 ++++++++--------- .../composable/component/container.json | 10 +++++++--- generated/elasticsearch/legacy/template.json | 10 +++++++--- schemas/container.yml | 2 +- 15 files changed, 88 insertions(+), 72 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index b527829e84..81824e7f03 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -15,7 +15,7 @@ Thanks, you're awesome :-) --> #### Bugfixes #### Added -* Added `container.privileged` to indicated whether a container was started in privileged mode. #2219 +* Added `container.security_context.privileged` to indicated whether a container was started in privileged mode. #2219, #2225 #### Improvements diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index 0d92b86aa2..3b75701633 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc 
@@ -1218,32 +1218,32 @@ type: long // =============================================================== | -[[field-container-privileged]] -<> - -a| Indicates whether the container is running in privileged mode. +[[field-container-runtime]] +<> -type: bool +a| Runtime managing this container. +type: keyword +example: `docker` | extended // =============================================================== | -[[field-container-runtime]] -<> +[[field-container-security-context-privileged]] +<> -a| Runtime managing this container. +a| Indicates whether the container is running in privileged mode. + +type: bool -type: keyword -example: `docker` | extended diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index b1f439752f..bddf67659a 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -944,17 +944,17 @@ description: The number of bytes received (gauge) on all network interfaces by the container since the last metric collection. default_field: false - - name: privileged - level: extended - type: bool - description: Indicates whether the container is running in privileged mode. - default_field: false - name: runtime level: extended type: keyword ignore_above: 1024 description: Runtime managing this container. example: docker + - name: security_context.privileged + level: extended + type: bool + description: Indicates whether the container is running in privileged mode. + default_field: false - name: data_stream title: Data Stream group: 2 diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 09b70c2f1a..ea92bdc24a 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -99,8 +99,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.10.0-dev+exp,true,container,container.name,keyword,extended,,,Container name. 8.10.0-dev+exp,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. 8.10.0-dev+exp,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -8.10.0-dev+exp,true,container,container.privileged,bool,extended,,,Indicates whether the container is running in privileged mode. 8.10.0-dev+exp,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. +8.10.0-dev+exp,true,container,container.security_context.privileged,bool,extended,,,Indicates whether the container is running in privileged mode. 8.10.0-dev+exp,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. 8.10.0-dev+exp,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. 8.10.0-dev+exp,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 1b8c568342..5a9f0cceda 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -1183,15 +1183,6 @@ container.network.ingress.bytes: normalize: [] short: The number of bytes received on all network interfaces. type: long -container.privileged: - dashed_name: container-privileged - description: Indicates whether the container is running in privileged mode. - flat_name: container.privileged - level: extended - name: privileged - normalize: [] - short: Indicates whether the container is running in privileged mode. - type: bool container.runtime: dashed_name: container-runtime description: Runtime managing this container. @@ -1203,6 +1194,15 @@ container.runtime: normalize: [] short: Runtime managing this container. type: keyword +container.security_context.privileged: + dashed_name: container-security-context-privileged + description: Indicates whether the container is running in privileged mode. + flat_name: container.security_context.privileged + level: extended + name: security_context.privileged + normalize: [] + short: Indicates whether the container is running in privileged mode. + type: bool data_stream.dataset: dashed_name: data-stream-dataset description: "The field can contain anything that makes sense to signify the source\ diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 5dc98a22f8..0a4cc7c982 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -1562,15 +1562,6 @@ container: normalize: [] short: The number of bytes received on all network interfaces. type: long - container.privileged: - dashed_name: container-privileged - description: Indicates whether the container is running in privileged mode. - flat_name: container.privileged - level: extended - name: privileged - normalize: [] - short: Indicates whether the container is running in privileged mode. - type: bool container.runtime: dashed_name: container-runtime description: Runtime managing this container. 
@@ -1582,6 +1573,15 @@ container: normalize: [] short: Runtime managing this container. type: keyword + container.security_context.privileged: + dashed_name: container-security-context-privileged + description: Indicates whether the container is running in privileged mode. + flat_name: container.security_context.privileged + level: extended + name: security_context.privileged + normalize: [] + short: Indicates whether the container is running in privileged mode. + type: bool group: 2 name: container prefix: container. diff --git a/experimental/generated/elasticsearch/composable/component/container.json b/experimental/generated/elasticsearch/composable/component/container.json index fa7a0421ef..d4c1071e52 100644 --- a/experimental/generated/elasticsearch/composable/component/container.json +++ b/experimental/generated/elasticsearch/composable/component/container.json @@ -91,12 +91,16 @@ } } }, - "privileged": { - "type": "bool" - }, "runtime": { "ignore_above": 1024, "type": "keyword" + }, + "security_context": { + "properties": { + "privileged": { + "type": "bool" + } + } } } } diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index fa866c0253..17b103099e 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -560,12 +560,16 @@ } } }, - "privileged": { - "type": "bool" - }, "runtime": { "ignore_above": 1024, "type": "keyword" + }, + "security_context": { + "properties": { + "privileged": { + "type": "bool" + } + } } } }, diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index f64dda3f11..17d08da261 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -894,17 +894,17 @@ description: The number of bytes received (gauge) on all network interfaces by the container since the last metric collection. default_field: false - - name: privileged - level: extended - type: bool - description: Indicates whether the container is running in privileged mode. - default_field: false - name: runtime level: extended type: keyword ignore_above: 1024 description: Runtime managing this container. example: docker + - name: security_context.privileged + level: extended + type: bool + description: Indicates whether the container is running in privileged mode. + default_field: false - name: data_stream title: Data Stream group: 2 diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index c2d9534ddb..c41f611017 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -92,8 +92,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.10.0-dev,true,container,container.name,keyword,extended,,,Container name. 8.10.0-dev,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. 8.10.0-dev,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -8.10.0-dev,true,container,container.privileged,bool,extended,,,Indicates whether the container is running in privileged mode. 8.10.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. +8.10.0-dev,true,container,container.security_context.privileged,bool,extended,,,Indicates whether the container is running in privileged mode. 8.10.0-dev,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. 8.10.0-dev,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. 8.10.0-dev,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 1256ae19b4..845d61ecef 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -1114,15 +1114,6 @@ container.network.ingress.bytes: normalize: [] short: The number of bytes received on all network interfaces. type: long -container.privileged: - dashed_name: container-privileged - description: Indicates whether the container is running in privileged mode. - flat_name: container.privileged - level: extended - name: privileged - normalize: [] - short: Indicates whether the container is running in privileged mode. - type: bool container.runtime: dashed_name: container-runtime description: Runtime managing this container. 
@@ -1134,6 +1125,15 @@ container.runtime: normalize: [] short: Runtime managing this container. type: keyword +container.security_context.privileged: + dashed_name: container-security-context-privileged + description: Indicates whether the container is running in privileged mode. + flat_name: container.security_context.privileged + level: extended + name: security_context.privileged + normalize: [] + short: Indicates whether the container is running in privileged mode. + type: bool data_stream.dataset: dashed_name: data-stream-dataset description: "The field can contain anything that makes sense to signify the source\ diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index b097520208..a34185add4 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -1482,15 +1482,6 @@ container: normalize: [] short: The number of bytes received on all network interfaces. type: long - container.privileged: - dashed_name: container-privileged - description: Indicates whether the container is running in privileged mode. - flat_name: container.privileged - level: extended - name: privileged - normalize: [] - short: Indicates whether the container is running in privileged mode. - type: bool container.runtime: dashed_name: container-runtime description: Runtime managing this container. @@ -1502,6 +1493,15 @@ container: normalize: [] short: Runtime managing this container. type: keyword + container.security_context.privileged: + dashed_name: container-security-context-privileged + description: Indicates whether the container is running in privileged mode. + flat_name: container.security_context.privileged + level: extended + name: security_context.privileged + normalize: [] + short: Indicates whether the container is running in privileged mode. + type: bool group: 2 name: container prefix: container. 
diff --git a/generated/elasticsearch/composable/component/container.json b/generated/elasticsearch/composable/component/container.json index a840e22ba5..8f479ed72c 100644 --- a/generated/elasticsearch/composable/component/container.json +++ b/generated/elasticsearch/composable/component/container.json @@ -91,12 +91,16 @@ } } }, - "privileged": { - "type": "bool" - }, "runtime": { "ignore_above": 1024, "type": "keyword" + }, + "security_context": { + "properties": { + "privileged": { + "type": "bool" + } + } } } } diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index c20ce4daef..c12bbf937c 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -518,12 +518,16 @@ } } }, - "privileged": { - "type": "bool" - }, "runtime": { "ignore_above": 1024, "type": "keyword" + }, + "security_context": { + "properties": { + "privileged": { + "type": "bool" + } + } } } }, diff --git a/schemas/container.yml b/schemas/container.yml index 85b888dfce..329a4e627d 100644 --- a/schemas/container.yml +++ b/schemas/container.yml @@ -121,7 +121,7 @@ The number of bytes (gauge) sent out on all network interfaces by the container since the last metric collection. - - name: privileged + - name: security_context.privileged type: bool level: extended short: Indicates whether the container is running in privileged mode. From 0a5b47d29947a3e712b50bb591a67f7d14b38254 Mon Sep 17 00:00:00 2001 From: Sourin Paul <82123779+SourinPaul@users.noreply.github.com> Date: Fri, 7 Jul 2023 08:59:44 -0700 Subject: [PATCH 104/186] [RFC] Asset Integrations & Entity Store RFC - Stage 0 (#2215) --------- Co-authored-by: Eric Beahan --- rfcs/text/0041-asset-integration.md | 249 ++++++++++++++++++++++++++++ 1 file changed, 249 insertions(+) create mode 100644 rfcs/text/0041-asset-integration.md 
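Review bot: the renamed field keeps `type: bool` in the schemas/container.yml hunk, and that value is copied verbatim into every generated Elasticsearch template in this patch (`"privileged": { "type": "bool" }` in both container.json files and both template.json files). Elasticsearch's mapping type is `boolean`, not `bool`, so an index template containing this mapping is rejected when it is installed; the other boolean fields in this series (for example `writable` in the 0040 volume RFC) correctly use `type: boolean`. Suggest changing the schema entry to `type: boolean` and regenerating, since the rename alone carries the pre-existing type error forward. Moving `container.privileged` to `container.security_context.privileged` without a deprecation entry is fine here because the CSV shows the field only ever existed in `8.10.0-dev`.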
diff --git a/rfcs/text/0041-asset-integration.md b/rfcs/text/0041-asset-integration.md new file mode 100644 index 0000000000..7fe8ee9b31 --- /dev/null +++ b/rfcs/text/0041-asset-integration.md 
@@ -0,0 +1,249 @@ +# 0041: Asset Integration + + +- Stage: **0 (strawperson)** +- Date: **2023-07-07** + + + + + +This proposal extends the existing ECS field set to store inventory metadata for hosts and users from external application repositories. Using ECS to store such fields will improve metadata querying and retrieval across various use cases. + +Terminologies: +The `Entity Analytics` initiative within Security refers to hosts and users as `entities`. Other generic security and observability use cases may refer to hosts/ users as `assets`. Certain directory services or asset management applications use the term 'device' when referring to a host. In this RFC, I have simplified these terminologies to `users` and `hosts` and these will represent all the neighboring terms. + +This proposal includes the following: +* Additional fields in the `users` and `os` objects. +* Introduces a new field set called `assets`. + + +This proposal will also facilitate storing host and user inventory within the security solution (the entity store). + + + + + + +## Fields + + + +### Proposed New Fields for User object + +Field | Type | Example | Description +--- | --- | --- | --- +user.profile.id | keyword | 1234 | User ID from the identity datasource. +user.profile.type | keyword | Employee | Type of user account. +user.profile.status | keyword | On board | Status of the user account. +user.profile.first_name | keyword | First | First Name of the User. +user.profile.last_name | keyword | Last | Last Name of the user. +user.profile.other_identities | keyword, text | first.last@elk.elastic.co | Array of additional user identities (usually email addresses). +user.profile.manager | keyword | John Doe | Assigned Manager for the user account. +user.profile.employee_type | keyword | Regular | Further classification type for the user account. +user.profile.job_family | keyword | 65-Sales | Job family associated with the user account. 
+user.profile.job_family_group | keyword | GTM | Job family group associated with the user account. +user.profile.management_level | keyword | Individual Contributor | If the user account is identified as a Manager or Individual contributor. +user.profile.job_title | keyword | Field Sales | Job title assigned to the user account. +user.profile.department | keyword | x256 | Department name associated with the user account. +user.profile.organization | keyword | Elasticsearch Inc. | Organization name associated with the account. +user.profile.location | keyword | US - Washington - Distributed | Assigned location for the user account. +user.profile.mobile_phone | keyword | 222-222-2222 +user.profile.primaryPhone | keyword | 222-222-2222 +user.profile.secondEmail | keyword | first.l@elastic.co | Additional email addresses associated with the user account. +user.profile.sup_org_id | keyword | SUP-ORG-75 | Primary organization ID for the user account. +user.profile.supervisory_Org | keyword | Field Sales | Primary organization name for the user account. +user.profile.assigned_mdm_id | keyword | 2950 | The primary host identifier (usually `asset.id` value) assigned to the user. This field acts as a correlation identifier for the host event document. +user.account.create_date | date | June 5, 2023 @ 18:25:57.000 | Date account was created. +user.account.activated_date | date | June 5, 2023 @ 18:25:57.000 | Date account was activated. 
+user.account.change_date | date | June 5, 2023 @ 18:25:57.000 | Date user account record was last updated at source +user.account.status.recovery | boolean | true/ false | A flag indicating if account is in recovery +user.account.status.locked_out | boolean | true/ false | A flag indicating if account is currently locked out +user.account.status.suspended | boolean | true/ false | A flag indicating if account has been suspended +user.account.isAdmin | boolean | true/ false | A flag indicating if account is an Admin account +user.account.isDelegatedAdmin | boolean | true/ false | A flag indicating if account has Delegated Admin rights +user.account.isPriviledged | boolean | true/ false | A flag indicating if account is a Privileged account +user.account.status.password_expired | boolean | true/ false | A flag indicating if account password has expired. +user.account.status.deprovisioned | boolean | true/ false | A flag indicating if account has been deprovisioned +user.account.password_change_date | date | June 5, 2023 @ 18:25:57.000 | Last date/time when account password was updated + +### Proposed New Fields for Asset object + +Field | Type | Generic Example | User Entity Example | Host Entity Example | Description +--- | --- | --- | --- | --- | --- +asset.category | keyword | - | Null | hardware | A further classification of the asset type beyond event.category. For example, for host assets {hardware, virtual, container, node}. For user assets {NULL ?} +asset.type | keyword | - | Null | workstation | A sub classification of asset. For host assets {workstation, S3, Compute}. For user assets {NULL?}. +asset.id | keyword | - | 00uhs72c27s6PiK7x1t7 | 2950 | A unique ID for the asset. For inventory integrations, it's the id generated from inventory data source. +asset.name | keyword | - | Sourin Paul | Sourin Paul Macbook Pro | A common name for the asset. 
+asset.vendor | keyword | - | - | Apple | Used primarily for 'Host' entities, the vendor name or brand associated with the asset. +asset.product | keyword | - | - | MacBook Pro | Used primarily for 'Host' entities, the product name associated with the asset. +asset.model | keyword | - | - |TBD | Used primarily for 'Host' entities, the model name or number associated with this asset. +asset.version | keyword | - | - | TBD | Used primarily for 'Host' entities, the version or year associated with the asset. +asset.owner | keyword | - | - | sourin.paul@elastic.co | The primary user entity identifier (usually an email address) who owns the 'Host' asset. +asset.priority | keyword | Priority 1 | - | - | A priority classification for the asset obtained from outside the solution, such as from some external CMDB or Directory service. +asset.criticality | keyword | Critical | - | - | A criticality classification obtained from outside the solution, such as from some external CMDB or Directory service. +asset.business_unit | keyword | Analyst Experience | - | - | Business Unit associated with the asset (user or host). +asset.costCenter | keyword | Security - Protections | - | - | Cost Center associated with the asset (user or host). +asset.cost_center_hierarchy | keyword | Engineering | - | - | Additional cost center information associated with the asset (user or host). +asset.status | keyword | ACTIVE | - | - | Current status of the asset in the inventory datasource. +asset.last_status_change_date | date | June 5, 2023 @ 18:25:57.000 | - | - | The most recent date/time when the asset.status was updated. +asset.create_date | date | June 5, 2023 @ 18:25:57.001 | - | - | For users, it's the hire date. For other assets, it's the in-service date. +asset.end_date | date | June 5, 2023 @ 18:25:57.002 | - | - | For users, it's the termination date; for other assets, it's the out-of-service date. 
+asset.first_seen | date | June 5, 2023 @ 18:25:57.003 | - | - | The first date/time the directory service or the security solution observed this asset. +asset.last_seen | date | June 5, 2023 @ 18:25:57.004 | - | - | The most recent date/time the directory service or the security solution observed this asset. +asset.last_updated | date | June 5, 2023 @ 18:25:57.005 | - | - | The most recent date/time this asset was updated in directory services. +asset.serial_number | keyword | C02FG1G1MD6T | - | - | Serial number of the asset. +asset.tags | keyword | watch, mdmaccess | - | - | Tags assigned at the MDM. +asset.assigned_users | keyword | user1@email.com, user2@email.com | - | - | List of user ids (usually email addresses) assigned to the asset. The value from the `asset.owner` field should always be included. +asset.assigned_users_are_admin | boolean | TRUE | - | - | Flag to identify if the assigned users have admin privileges. +asset.is_managed | boolean | TRUE | - | - | If asset is managed by the organization. +asset.last_enrolled_date | date | June 5, 2023 @ 18:25:57.005 | - | - | The most recent date/time the asset checked in with MDM. +asset.data_classification | keyword | restricted | - | - | Data classification tier for the asset. +asset.installed_extensions | keyword | Nested objects | List of installed extensions along with their metadata +asset.installed_applications | keyword | Nested objects | List of installed applications along with their metadata + +#### Nesting of existing risk.* fields under asset object +* We have a set of risk.* fields in ECS that can be further nested under the asset.* object. Reference to [Risk RFC](https://github.com/elastic/ecs/blob/main/rfcs/text/0031-risk-fields.md). 
+ + + +### Proposed New Fields for os.* object +Field | Type | Example | Description +--- | --- | --- | --- +os.build | keyword | 22F66 | Host OS Build information + + + + + +## Usage + + + +* As part of Entity Analytics, we are ingesting metadata about Users and from various external vendor applications. We are storing all ingested metadata in Elasticsearch. After we map these fields to ECS, we will enrich these ingested events for risk-scoring scenarios (e.g., context enrichments) and detecting advanced analytics (UBA) use cases. + +* This schema will persist `Observed` (queried) entities from the ingested security log dataset in an Entity store. This entity store can be further extended to meet broader Asset Management needs. + +* Additional enrichment use cases for existing prebuilt detection rules will leverage these ECS fields. + + +## Source data + + + +There are many sources of asset inventory repositories. In the mid-term, we are planning to ingest data from the following application providers: + +### User (Identity) repository sources: +* Azure Active Directory +* Active Directory DS +* Okta +* Workday +* GSuite +* GitHub + +### Host repository sources: +* Azure Active Directory +* Jamf +* Active Directory DS +* MS Intune +* ServiceNow Asset CMDB + + + + + +## Scope of impact + + + +* Ingestion mechanisms: Entity Analytics fleet integrations are the primary ingesting mechanism for this dataset. + +* Usage mechanism: Elastic Security solution (Entity Analytics & Threat Hunting workflows) will be the primary user of the proposed ECS fields and values. + + + +## Concerns + + + +* We have a couple of fleet integrations under development. We want them to use these proposed ECS before being released. +* Schema/ field sets defined here focus on asset inventory data sources. Additional fields may need to be appended (ideally within this RFC lifecycle) to support the entity store needs. 
+* Due diligence is needed to avoid the proliferation of field sets and validate business requirements. +* In stage1, @jasonrhodes identified fields from o11y use cases and a potential conflict: https://github.com/elastic/ecs/pull/2215#pullrequestreview-1498781860 + + + + + +## People + +The following are the people that consulted on the contents of this RFC. + +* @sourinpaul | author +* @andrewkroh | subject matter expert +* @jamiehynds | subject matter expert +* @lauravoicu | subject matter expert +* @MikePaquette | subject matter expert +* @sourinpaul | sponsor +* ? + + + + +## References + + + +### RFC Pull Requests + + + +* Stage 0: https://github.com/elastic/ecs/pull/2215 + + From 2fb814f063746a1fac3ff1390d2e9387bdd47a2f Mon Sep 17 00:00:00 2001 From: Ryland Herrick Date: Mon, 17 Jul 2023 12:31:31 -0500 Subject: [PATCH 105/186] [RFC] Risk field extensions [Stage 0] (#2232) * Add initial summary of risk field extensions for stage 0 * set RFC # and date --------- Co-authored-by: Eric Beahan --- rfcs/text/0042-risk-score-extensions.md | 124 ++++++++++++++++++++++++ 1 file changed, 124 insertions(+) create mode 100644 rfcs/text/0042-risk-score-extensions.md diff --git a/rfcs/text/0042-risk-score-extensions.md b/rfcs/text/0042-risk-score-extensions.md new file mode 100644 index 0000000000..329dd38045 --- /dev/null +++ b/rfcs/text/0042-risk-score-extensions.md 
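Review bot: field naming in the proposed tables mixes conventions. `user.profile.primaryPhone`, `user.profile.secondEmail`, `user.profile.supervisory_Org`, `user.account.isAdmin`, `user.account.isDelegatedAdmin`, `user.account.isPriviledged` (also misspelled) and `asset.costCenter` are camelCase or mixed case, while the rest of the proposal and existing ECS use lowercase snake_case (compare `asset.cost_center_hierarchy` two rows below `asset.costCenter`). Suggest normalizing before stage 1, e.g. `user.account.is_privileged`, and folding the three admin/privilege booleans into the `user.account.status.*` pattern already used by `locked_out`, `suspended` and `deprovisioned`. Several rows are also short of cells: `user.profile.mobile_phone` and `user.profile.primaryPhone` have no description, and `asset.installed_extensions` / `asset.installed_applications` have four cells in a six-column table, so `Nested objects` lands in the Generic Example column. The date examples (`June 5, 2023 @ 18:25:57.000`) are Kibana display strings; ECS examples should be ISO 8601. Finally, these fields carry personnel data (phone numbers, manager, job family, location) next to flags that say which accounts are privileged, so the Concerns section should state who can read the entity store; read access to this index deserves the same scoping as the identity source it mirrors. The People list also names @sourinpaul twice and ends with a stray `?`.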
@@ -0,0 +1,124 @@ +# 0042: Risk field extensions + + +- Stage: **0 (strawperson)** +- Date: **2023-07-13** + + + + +This RFC seeks to extend the [existing risk fields](https://www.elastic.co/guide/en/ecs/current/ecs-risk.html) [(RFC 0031)](https://github.com/elastic/ecs/pull/2048) to support new/extended Risk Score investigation workflows. The workflows that this RFC intends to enable include all those described in 0031, along with the following: + +1. Risk Score Explainability + * We want to provide more insight into the anatomy of a risk score. The first (and simplest) way we intend to do this is by showing the documents (referred to commonly as Risk Inputs) that contributed to a particular risk score. Given that there may be a large number of these documents, we expect to have to choose a representative subset of these documents to persist along with the score (most obviously: top N riskiest inputs). + * Since we cannot realistically persist the _entire_ contributing document along with the risk score (let alone several), we intend to persist just enough information to allow one to uniquely identify those documents at a later point in time (i.e. during investigation/analysis of a risk score), along with any information that would not be present on the original document (e.g. the document's calculated risk score). +2. Categorical Risk Scores + * While the initial iteration of risk scoring ingested Detection Engine Alerts, we intend to expand risk scoring to include more data sources from multiple new categories of data. While we will still present a single risk score for most investigative purposes (composed of all these evaluated data sources), we believe that it will be useful to present individual risk scores _per category_ of data. 
+ * These categories (and their definitions) are still being discussed [in this internal ticket](https://github.com/elastic/security-team/issues/5485), we currently know that categories will have the following traits: + * There will be a finite (<10) number of categories + * These categories' definitions may be _extended_ in the future to include new data sources + * Due to the above category traits, we need to come up with a naming convention for these categorical score fields that allows them to be extended without invalidating the existing field names. + + + + + +## Fields + + + + + +## Usage + + + +## Source data + + + + + + + +## Scope of impact + + + +## Concerns + + + + + + + +## People + +The following are the people that consulted on the contents of this RFC. + +* @rylnd | author +* @SourinPaul | SME / EA product manager + + + + +## References + +* [existing risk fields](https://www.elastic.co/guide/en/ecs/current/ecs-risk.html) +* [previous risk fields RFC (stage 3)](https://github.com/elastic/ecs/pull/2048) +* [internal risk categories epic](https://github.com/elastic/security-team/issues/5485) + +### RFC Pull Requests + + + +* Stage 0: https://github.com/elastic/ecs/pull/2232 + + From ee8b1594eb90c8035d6cea1c215361cb2e5236c1 Mon Sep 17 00:00:00 2001 From: Bharat Pasupula <123897612+bhapas@users.noreply.github.com> Date: Wed, 26 Jul 2023 18:58:19 +0200 Subject: [PATCH 106/186] Finalize 8.9 changelog (#2242) --- CHANGELOG.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9e2af687a0..e7223fd19d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
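Review bot: the Fields section is empty, which is acceptable at stage 0, but the two workflows already imply concrete requirements worth recording now. For Risk Inputs, "just enough information to allow one to uniquely identify those documents" should be spelled out as index name plus `_id` (a document id alone is not unique across indices), together with the per-input contribution score the text says is absent from the original document; and the "top N riskiest inputs" subset needs a deterministic tie-break so two runs over the same data persist the same inputs. For categorical scores, the naming-convention problem can only be settled once the category vocabulary is fixed, and that vocabulary lives in an internal security-team ticket that readers of this public repository cannot open, so the candidate categories should be summarized inline to keep the RFC self-contained.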
@@ -3,6 +3,20 @@ # CHANGELOG All notable changes to this project will be documented in this file based on the [Keep a Changelog](http://keepachangelog.com/) Standard. This project adheres to [Semantic Versioning](http://semver.org/). +## [8.9.0](https://github.com/elastic/ecs/compare/v8.8.0...v8.9.0) + +### Schema Changes + +### Bugfixes + +#### Added +* Added `process.vpid` for namespaced process ids. #2211 + +### Improvements + +#### Deprecated +* Removed `faas.trigger: nested` since we only have one trigger. #2194 + ## [8.8.0](https://github.com/elastic/ecs/compare/v8.7.0...v8.8.0) ### Schema Changes From 0525ea01e36ddd7315ef1153627dfba7eb3fdf70 Mon Sep 17 00:00:00 2001 From: Bharat Pasupula <123897612+bhapas@users.noreply.github.com> Date: Wed, 26 Jul 2023 19:16:44 +0200 Subject: [PATCH 107/186] release 8.9 (#2243) --- docs/release-notes/8.9.asciidoc | 18 ++++++++++++++++++ docs/release-notes/index.asciidoc | 2 ++ 2 files changed, 20 insertions(+) create mode 100644 docs/release-notes/8.9.asciidoc diff --git a/docs/release-notes/8.9.asciidoc b/docs/release-notes/8.9.asciidoc new file mode 100644 index 0000000000..eafdc36f15 --- /dev/null +++ b/docs/release-notes/8.9.asciidoc @@ -0,0 +1,18 @@ +[[ecs-release-notes-8.9.0]] +=== 8.9.0 + +[[schema-changes-8.9.0]] +[float] +==== Schema changes + +[[schema-added-8.9.0]] +[float] +===== Added + +* Added `process.vpid` for namespaced process ids. {ecs_pull}2211[#2211] + +[[schema-deprecated-8.9.0]] +[float] +===== Deprecated + +* Removed `faas.trigger: nested` since we only have one trigger. {ecs_pull}2194[#2194] \ No newline at end of file diff --git a/docs/release-notes/index.asciidoc b/docs/release-notes/index.asciidoc index 97b6661f08..6a48a2cd62 100644 --- a/docs/release-notes/index.asciidoc +++ b/docs/release-notes/index.asciidoc @@ -3,6 +3,7 @@ This section summarizes the changes in each release. +* <> * <> * <> * <> 
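Review bot: the heading hierarchy in the new 8.9.0 block does not match the rest of the file. `#### Added` sits under `### Bugfixes` and `#### Deprecated` under `### Improvements`, and both of those `###` headings are left empty; the 8.3.0 block at the top of this file uses `### Schema Changes` followed by `#### Added`. Suggest moving both entries under `### Schema Changes` and dropping the empty headings. Also, "Removed `faas.trigger: nested`" removes a mapping property rather than deprecating a field, so it is miscategorized under `#### Deprecated`; `#### Improvements` (a change to the generated mapping) describes it more accurately.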
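Review bot: docs/release-notes/8.9.asciidoc is committed without a trailing newline (`\ No newline at end of file`), unlike the sibling files pulled in by `include::` from index.asciidoc; add one so the concatenated output and future diffs stay clean. The same categorization point as the changelog applies here: the `faas.trigger: nested` removal is listed under "Deprecated" although nothing is deprecated.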
@@ -24,6 +25,7 @@ This section summarizes the changes in each release. :issue: https://github.com/elastic/ecs/issues/ :pull: https://github.com/elastic/ecs/pull/ +include::8.9.asciidoc[] include::8.8.asciidoc[] include::8.7.asciidoc[] include::8.6.1.asciidoc[] From 630429e82f3c76c5174c8fe365cf35135ec93eee Mon Sep 17 00:00:00 2001 From: Yamin Tian <56367679+Trinity2019@users.noreply.github.com> Date: Fri, 28 Jul 2023 03:55:44 +0800 Subject: [PATCH 108/186] [RFC] Stage 1 for volume device (#2229) * draft * rfc1 link update * adding details * faill in details * add source * review feedback * review feedback * correct reviewer GH handle * set advance date for stage 1 --------- Co-authored-by: Eric Beahan --- rfcs/text/0040-volume-device.md | 194 ++++++++++++++++++++++++++++++-- rfcs/text/0040/volume.yml | 139 +++++++++++++++++++++++ 2 files changed, 325 insertions(+), 8 deletions(-) create mode 100644 rfcs/text/0040/volume.yml diff --git a/rfcs/text/0040-volume-device.md b/rfcs/text/0040-volume-device.md index ae0d013859..465bdf92ea 100644 --- a/rfcs/text/0040-volume-device.md +++ b/rfcs/text/0040-volume-device.md @@ -1,8 +1,8 @@ # 0040: Volume device -- Stage: **0 (strawperson)** -- Date: **2023-06-09** +- Stage: **1 (draft)** +- Date: **2023-07-27** 
@@ -49,6 +44,133 @@ Stage X: Provide a brief explanation of why the proposal is being marked as aban +Details of the proposed fields: + +``` +--- +- name: volume + title: Volume + group: 2 + short: Fields relevant to storage volumes. + description: > + Fields that describe the storage volumes. + type: group + fields: + - name: mount_name + level: extended + type: keyword + description: > + Mount name of the volume device. + The field is relevant to Posix only. + + - name: device_name + level: extended + type: keyword + description: > + Full path of the device. + The field is relevant to Posix only. + + - name: dos_name + level: extended + type: keyword + short: DOS name of the device. + description: > + DOS name of the device. + DOS device name is in the format of uppercase driver letter followed by colon, such as C:, D:,... + The field is relevant to Windows only. + + - name: nt_name + level: custom + type: keyword + short: NT name of the device. + description: > + NT name of the device. + NT device name is in the format such as: + \Device\HarddiskVolume2 + The field is relevant to Windows only. + + - name: bus_type + level: extended + type: keyword + short: Bus type of the device. + description: > + Bus type of the device, such as Nvme, Usb, FileBackedVirtual,... etc. + + - name: writable + level: extended + type: boolean + description: > + This field indicates if the volume is writable. + + - name: default_access + level: extended + type: keyword + short: Bus type of the device. + description: > + A string to describe the default access(es) of the volume. + + - name: file_system_type + level: custom + type: keyword + short: Volume device file system type. + description: > + Volume device file system type. + + Following are examples of the most frequently seen volume device file system types: + NTFS + UDF + + - name: product_id + level: custom + type: keyword + short: ProductID of the device. + description: > + ProductID of the device. 
It is provided by the vendor of the device if any. + + - name: product_name + level: extended + type: keyword + description: > + Product name of the volume device. It is provided by the vendor of the device. + + - name: vendor_id + level: custom + type: keyword + short: VendorID of the device. + description: > + VendorID of the device. It is provided by the vendor of the device. + + - name: vendor_name + level: custom + type: keyword + short: Vendor name of the device. + description: > + Vendor name of the volume device. It is provided by the vendor of the device. + + - name: serial_number + level: custom + type: keyword + short: Serial Number of the device. + description: > + Serial Number of the device. It is provided by the vendor of the device if any. + + - name: device_type + level: custom + type: keyword + short: Volume device type. + description: > + Volume device type. + + Following are examples of the most frequently seen volume device types: + Disk File System + CD-ROM File System + + - name: size + level: custom + type: keyword + description: > + Size of the volume device in bytes. +``` +These volume device fields can be used to describe some events and alerts associated with a volume device, which was proven to be [useful](https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion) for Elastic Defend. + +These fields can also be used by the products and features to manage such devices based on their properties such as serial number and vendor name, etc. ## Source data 
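Review bot: several entries in the proposed `volume` field set need correction before this advances. `default_access` carries `short: Bus type of the device.`, copied from `bus_type`, and should describe the default access instead. `size` is described as "Size of the volume device in bytes" but typed `keyword`, which rules out range queries and aggregations; it should be `long`. `level: custom` on `nt_name`, `file_system_type`, `product_id`, `vendor_id`, `vendor_name`, `serial_number`, `device_type` and `size` is not one of the two levels ECS defines (`core` and `extended`), so those entries either become `extended` or are dropped from the ECS proposal. The descriptions also note that `product_id`, `vendor_id`, `vendor_name` and `serial_number` are "provided by the vendor of the device"; since the closing paragraph proposes managing devices by serial number and vendor name, the RFC should state plainly that these values are self-reported by the attached hardware and should be corroborated with `bus_type` and the event source rather than serving as the sole allow-list key.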
@@ -67,6 +192,55 @@ The source of this data comes from monitoring a host, a Virtual Machine, or a k8 +```json +{ + "@timestamp": "2023-04-05T18:48:25.7435298Z", + "agent": { + "id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", + "type": "endpoint", + "version": "8.8.0-SNAPSHOT" + }, + "data_stream": { + "dataset": "endpoint.events.volume_device", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "1.11.0" + }, + "elastic": { + "agent": { + "id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" + } + }, + "event": { + "action": "attach", + "category": [ + "volume_device" + ], + "created": "2023-04-05T18:48:25.7435298Z", + "dataset": "endpoint.events.volume_device", + "id": "N0r0JIPXbQR6J+83++++++PP", + "kind": "event", + "module": "endpoint", + "outcome": "unknown", + "sequence": 1281, + "type": [ + "attach" + ] + }, + "message": "Endpoint volume device event", + "volume.bus_type": "FileBackedVirtual", + "volume.dos_name": "E:", + "volume.file_system_type": "UDF", + "volume.nt_name": "\\Device\\CdRom1", + "volume.product_name": "Virtual DVD-ROM", + "volume.vendor_name": "Msft", + "volume.serial_number": "12345", + "volume.volume_device_type": "CD-ROM File System", + "volume.size": 1000,000,000 +} +``` +Implementing volume device related functions usually will be relying on low level operating system support. Due to the multitudes of operating system kernels we want to support and the potential stability,compatibility issues, the complexity level of the solution could increase. Therefore we'll adopt a staged approach to implement it. * Added `container.security_context.privileged` to indicated whether a container was started in privileged mode. #2219, #2225 #### Improvements +* Permit `ignore_above` if explicitly set on a `flattened` field. #2248 #### Deprecated diff --git a/scripts/generators/es_template.py b/scripts/generators/es_template.py index 1a3b25c31f..4c78b9ff6f 100644 --- a/scripts/generators/es_template.py +++ b/scripts/generators/es_template.py 
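Review bot: the example document in the Source data section is not valid JSON and does not match the field set defined earlier in the RFC. `"volume.size": 1000,000,000` must be written `1000000000` (and `size` then needs a numeric type in the schema rather than `keyword`), and `volume.volume_device_type` should be `volume.device_type` to match the `device_type` entry. `ecs.version` is `1.11.0` while this RFC targets an 8.x release, so the sample should carry the version it was actually produced with. In the closing paragraph, "potential stability,compatibility issues" reads better as "potential stability and compatibility issues".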
@@ -191,7 +191,7 @@ def entry_for(field: Field) -> Dict: elif 'index' in field and not field['index']: ecs_helpers.dict_copy_existing_keys(field, field_entry, ['index', 'doc_values']) - if field['type'] == 'keyword': + if field['type'] == 'keyword' or field['type'] == 'flattened': ecs_helpers.dict_copy_existing_keys(field, field_entry, ['ignore_above']) elif field['type'] == 'constant_keyword': ecs_helpers.dict_copy_existing_keys(field, field_entry, ['value']) diff --git a/scripts/tests/test_es_template.py b/scripts/tests/test_es_template.py index 56f7a27072..24db749028 100644 --- a/scripts/tests/test_es_template.py +++ b/scripts/tests/test_es_template.py @@ -174,6 +174,44 @@ def test_constant_keyword_no_value(self): exp = {'type': 'constant_keyword'} self.assertEqual(es_template.entry_for(test_map), exp) + def test_keyword_pass_ignore_above(self): + test_map = { + 'name': 'field_with_ignore_above_set', + 'type': 'keyword', + 'ignore_above': 1024 + } + + exp = { + 'type': 'keyword', + 'ignore_above': 1024 + } + self.assertEqual(es_template.entry_for(test_map), exp) + + def test_flattened_pass_ignore_above(self): + test_map = { + 'name': 'field_with_ignore_above_set', + 'type': 'flattened', + 'ignore_above': 1024 + } + + exp = { + 'type': 'flattened', + 'ignore_above': 1024 + } + self.assertEqual(es_template.entry_for(test_map), exp) + + def test_other_types_not_pass_ignore_above(self): + test_map = { + 'name': 'field_should_not_have_ignore_above_set', + 'type': 'text', + 'ignore_above': 1024 + } + + exp = { + 'type': 'text' + } + self.assertEqual(es_template.entry_for(test_map), exp) + def test_parameters(self): test_map = { 'name': 'field_with_parameters', From b08a33c51f2c85bc3663b784464361681e9d1798 Mon Sep 17 00:00:00 2001 
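Review bot: the condition added to `entry_for` in the es_template.py hunk chains two equality tests on `field['type']`; `if field['type'] in ('keyword', 'flattened'):` is shorter and easier to extend if further mapping types gain `ignore_above` support. The new tests cover `keyword`, `flattened` and `text` with `ignore_above` set, but none checks that a `flattened` field without `ignore_above` still produces just `{'type': 'flattened'}`, which is the "if explicitly set" half of the changelog entry; a `test_flattened_no_ignore_above` alongside `test_constant_keyword_no_value` would guard that.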
From: Nicholas Berlin <56366649+nicholasberlin@users.noreply.github.com> Date: Wed, 9 Aug 2023 09:03:58 -0400 Subject: [PATCH 110/186] Add process.thread.capabilities (#2245) * Add process.thread.capabilities * Add CHANGELOG.next.md entries * Add regex pattern * Add fields schema subset * Adding the result of make after updating the subset * Add capabilities to process.parent.thread * Add make results after adding caps to parent.thread --- CHANGELOG.next.md | 2 + docs/fields/field-details.asciidoc | 38 ++++++++++++ experimental/generated/beats/fields.ecs.yml | 36 ++++++++++++ experimental/generated/csv/fields.csv | 4 ++ experimental/generated/ecs/ecs_flat.yml | 58 +++++++++++++++++++ experimental/generated/ecs/ecs_nested.yml | 58 +++++++++++++++++++ .../composable/component/process.json | 24 ++++++++ .../elasticsearch/legacy/template.json | 24 ++++++++ generated/beats/fields.ecs.yml | 36 ++++++++++++ generated/csv/fields.csv | 4 ++ generated/ecs/ecs_flat.yml | 58 +++++++++++++++++++ generated/ecs/ecs_nested.yml | 58 +++++++++++++++++++ .../composable/component/process.json | 24 ++++++++ generated/elasticsearch/legacy/template.json | 24 ++++++++ schemas/process.yml | 24 ++++++++ schemas/subsets/main.yml | 8 +++ 16 files changed, 480 insertions(+) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 20cb1a94a6..31b18ae84f 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -16,6 +16,8 @@ Thanks, you're awesome :-) --> #### Added * Added `container.security_context.privileged` to indicated whether a container was started in privileged mode. #2219, #2225 +* Added `process.thread.capabilities.permitted` to contain the current thread's possible capabilities. #2245 +* Added `process.thread.capabilities.effective` to contain the current thread's effective capabilities. #2245 #### Improvements * Permit `ignore_above` if explicitly set on a `flattened` field. #2248 
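Review bot: the two CHANGELOG.next.md entries only name `process.thread.capabilities.permitted` and `.effective`, but the patch also adds `process.parent.thread.capabilities.effective` and `.permitted` (see the commit message bullets and the `parent.thread.capabilities.*` entries in the generated files below); mention the parent variants so the changelog reflects the whole surface area. "the current thread's possible capabilities" for `.permitted` is also looser than the schema's own wording; "the current thread's permitted capabilities (the limiting superset of the effective set)" matches the field description.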
diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index 3b75701633..e86e2f1582 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -8449,6 +8449,44 @@ example: `2016-05-23T08:05:34.853Z` // =============================================================== +| +[[field-process-thread-capabilities-effective]] +<> + +a| This is the set of capabilities used by the kernel to perform permission checks for the thread. + +type: keyword + + +Note: this field should contain an array of values. + + + +example: `["CAP_BPF", "CAP_SYS_ADMIN"]` + +| extended + +// =============================================================== + +| +[[field-process-thread-capabilities-permitted]] +<> + +a| This is a limiting superset for the effective capabilities that the thread may assume. + +type: keyword + + +Note: this field should contain an array of values. + + + +example: `["CAP_BPF", "CAP_SYS_ADMIN"]` + +| extended + +// =============================================================== + | [[field-process-thread-id]] <> diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index bddf67659a..79fc1fae3d 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -7799,6 +7799,24 @@ ignore_above: 1024 description: Name of the group. default_field: false + - name: parent.thread.capabilities.effective + level: extended + type: keyword + ignore_above: 1024 + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: parent.thread.capabilities.permitted + level: extended + type: keyword + ignore_above: 1024 + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false - name: parent.thread.id level: extended type: long @@ -8524,6 +8542,24 @@ ignore_above: 1024 description: Name of the group. default_field: false + - name: thread.capabilities.effective + level: extended + type: keyword + ignore_above: 1024 + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: thread.capabilities.permitted + level: extended + type: keyword + ignore_above: 1024 + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false - name: thread.id level: extended type: long diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index ea92bdc24a..ca3343bc7c 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -887,6 +887,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.10.0-dev+exp,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 8.10.0-dev+exp,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. 8.10.0-dev+exp,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. +8.10.0-dev+exp,true,process,process.parent.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +8.10.0-dev+exp,true,process,process.parent.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. 8.10.0-dev+exp,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. 8.10.0-dev+exp,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. 8.10.0-dev+exp,true,process,process.parent.title,keyword,extended,,,Process title. 
@@ -987,6 +989,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.10.0-dev+exp,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 8.10.0-dev+exp,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. 8.10.0-dev+exp,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. +8.10.0-dev+exp,true,process,process.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +8.10.0-dev+exp,true,process,process.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. 8.10.0-dev+exp,true,process,process.thread.id,long,extended,,4242,Thread ID. 8.10.0-dev+exp,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. 8.10.0-dev+exp,true,process,process.title,keyword,extended,,,Process title. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 5a9f0cceda..600e15123d 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -11290,6 +11290,36 @@ process.parent.supplemental_groups.name: original_fieldset: group short: Name of the group. type: keyword +process.parent.thread.capabilities.effective: + dashed_name: process-parent-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + type: keyword +process.parent.thread.capabilities.permitted: + dashed_name: process-parent-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + type: keyword process.parent.thread.id: dashed_name: process-parent-thread-id description: Thread ID. 
@@ -12469,6 +12499,34 @@ process.supplemental_groups.name: original_fieldset: group short: Name of the group. type: keyword +process.thread.capabilities.effective: + dashed_name: process-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + type: keyword +process.thread.capabilities.permitted: + dashed_name: process-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + type: keyword process.thread.id: dashed_name: process-thread-id description: Thread ID. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 0a4cc7c982..22a415ce4f 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -13507,6 +13507,36 @@ process: original_fieldset: group short: Name of the group. type: keyword + process.parent.thread.capabilities.effective: + dashed_name: process-parent-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + type: keyword + process.parent.thread.capabilities.permitted: + dashed_name: process-parent-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + type: keyword process.parent.thread.id: dashed_name: process-parent-thread-id description: Thread ID. 
@@ -14687,6 +14717,34 @@ process: original_fieldset: group short: Name of the group. type: keyword + process.thread.capabilities.effective: + dashed_name: process-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + type: keyword + process.thread.capabilities.permitted: + dashed_name: process-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + type: keyword process.thread.id: dashed_name: process-thread-id description: Thread ID. diff --git a/experimental/generated/elasticsearch/composable/component/process.json b/experimental/generated/elasticsearch/composable/component/process.json index 2bba95883f..47e088ad09 100644 --- a/experimental/generated/elasticsearch/composable/component/process.json +++ b/experimental/generated/elasticsearch/composable/component/process.json @@ -1310,6 +1310,18 @@ }, "thread": { "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "id": { "type": "long" }, 
@@ -1777,6 +1789,18 @@ }, "thread": { "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "id": { "type": "long" }, diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index 17b103099e..c205a87886 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -4031,6 +4031,18 @@ }, "thread": { "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "id": { "type": "long" }, @@ -4498,6 +4510,18 @@ }, "thread": { "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "id": { "type": "long" }, diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 17d08da261..377b2cae5b 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -7749,6 +7749,24 @@ ignore_above: 1024 description: Name of the group. default_field: false + - name: parent.thread.capabilities.effective + level: extended + type: keyword + ignore_above: 1024 + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: parent.thread.capabilities.permitted + level: extended + type: keyword + ignore_above: 1024 + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false - name: parent.thread.id level: extended type: long @@ -8474,6 +8492,24 @@ ignore_above: 1024 description: Name of the group. default_field: false + - name: thread.capabilities.effective + level: extended + type: keyword + ignore_above: 1024 + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: thread.capabilities.permitted + level: extended + type: keyword + ignore_above: 1024 + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false - name: thread.id level: extended type: long diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index c41f611017..ae87c2044a 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -880,6 +880,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.10.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 8.10.0-dev,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. 8.10.0-dev,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. +8.10.0-dev,true,process,process.parent.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +8.10.0-dev,true,process,process.parent.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. 8.10.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. 8.10.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. 8.10.0-dev,true,process,process.parent.title,keyword,extended,,,Process title. 
@@ -980,6 +982,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.10.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 8.10.0-dev,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. 8.10.0-dev,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. +8.10.0-dev,true,process,process.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +8.10.0-dev,true,process,process.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. 8.10.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. 8.10.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. 8.10.0-dev,true,process,process.title,keyword,extended,,,Process title. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 845d61ecef..a0379a21b6 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -11221,6 +11221,36 @@ process.parent.supplemental_groups.name: original_fieldset: group short: Name of the group. type: keyword +process.parent.thread.capabilities.effective: + dashed_name: process-parent-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + type: keyword +process.parent.thread.capabilities.permitted: + dashed_name: process-parent-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + type: keyword process.parent.thread.id: dashed_name: process-parent-thread-id description: Thread ID. 
@@ -12400,6 +12430,34 @@ process.supplemental_groups.name: original_fieldset: group short: Name of the group. type: keyword +process.thread.capabilities.effective: + dashed_name: process-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + type: keyword +process.thread.capabilities.permitted: + dashed_name: process-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + type: keyword process.thread.id: dashed_name: process-thread-id description: Thread ID. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index a34185add4..4f8291e4a5 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -13427,6 +13427,36 @@ process: original_fieldset: group short: Name of the group. type: keyword + process.parent.thread.capabilities.effective: + dashed_name: process-parent-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + type: keyword + process.parent.thread.capabilities.permitted: + dashed_name: process-parent-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + type: keyword process.parent.thread.id: dashed_name: process-parent-thread-id description: Thread ID. 
@@ -14607,6 +14637,34 @@ process: original_fieldset: group short: Name of the group. type: keyword + process.thread.capabilities.effective: + dashed_name: process-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + type: keyword + process.thread.capabilities.permitted: + dashed_name: process-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + type: keyword process.thread.id: dashed_name: process-thread-id description: Thread ID. diff --git a/generated/elasticsearch/composable/component/process.json b/generated/elasticsearch/composable/component/process.json index 3e18a2e5c1..219e8aae4c 100644 --- a/generated/elasticsearch/composable/component/process.json +++ b/generated/elasticsearch/composable/component/process.json @@ -1310,6 +1310,18 @@ }, "thread": { "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "id": { "type": "long" }, @@ -1777,6 +1789,18 @@ }, "thread": { "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "id": { "type": "long" }, 
diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index c12bbf937c..203e7b89dd 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -3989,6 +3989,18 @@ }, "thread": { "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "id": { "type": "long" }, @@ -4456,6 +4468,18 @@ }, "thread": { "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "id": { "type": "long" }, diff --git a/schemas/process.yml b/schemas/process.yml index 9b42a21d4a..674cfae2b6 100644 --- a/schemas/process.yml +++ b/schemas/process.yml @@ -202,6 +202,30 @@ description: > Thread name. + - name: thread.capabilities.permitted + level: extended + type: keyword + short: Array of capabilities a thread could assume. + pattern: ^(CAP_[A-Z_]+|\d+)$ + description: > + This is a limiting superset for the effective capabilities that the + thread may assume. + example: "[\"CAP_BPF\", \"CAP_SYS_ADMIN\"]" + normalize: + - array + + - name: thread.capabilities.effective + level: extended + type: keyword + short: Array of capabilities used for permission checks. + pattern: ^(CAP_[A-Z_]+|\d+)$ + description: > + This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: "[\"CAP_BPF\", \"CAP_SYS_ADMIN\"]" + normalize: + - array + - name: start level: extended type: date diff --git a/schemas/subsets/main.yml b/schemas/subsets/main.yml index 50312f7b0d..0b953e321f 100644 --- a/schemas/subsets/main.yml +++ b/schemas/subsets/main.yml @@ -309,6 +309,10 @@ fields: fields: id: {} name: {} + capabilities: + fields: + effective: {} + permitted: {} title: {} tty: fields: 
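Review bot: the `pattern: ^(CAP_[A-Z_]+|\d+)$` in the schemas/process.yml hunk accepts bare numbers as well as `CAP_*` names, but neither the `description` nor the `example` says when a numeric value is expected (for instance a capability bit the producer cannot map to a name); a sentence in the description would make the two forms unambiguous for anyone writing detection queries against these fields. The Linux capability model also carries inheritable, bounding and ambient sets alongside effective and permitted; if those are intentionally out of scope for this change, saying so in the field description avoids consumers assuming they are covered.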
@@ -443,6 +447,10 @@ fields: fields: id: {} name: {} + capabilities: + fields: + effective: {} + permitted: {} title: {} tty: fields: "*" From a51f3ba335e4ecb044ba6ba1ede7c991f99fcde1 Mon Sep 17 00:00:00 2001 From: Maxwell Borden Date: Thu, 10 Aug 2023 18:26:43 +0200 Subject: [PATCH 111/186] container.security context.privileged boolean (#2246) * Fixed container.security_context.privileged type bool -> boolean * Reference type fix in CHANGELOG.next.md --------- Co-authored-by: Kylie Meli --- CHANGELOG.next.md | 2 +- docs/fields/field-details.asciidoc | 2 +- experimental/generated/beats/fields.ecs.yml | 2 +- experimental/generated/csv/fields.csv | 2 +- experimental/generated/ecs/ecs_flat.yml | 2 +- experimental/generated/ecs/ecs_nested.yml | 2 +- .../generated/elasticsearch/composable/component/container.json | 2 +- experimental/generated/elasticsearch/legacy/template.json | 2 +- generated/beats/fields.ecs.yml | 2 +- generated/csv/fields.csv | 2 +- generated/ecs/ecs_flat.yml | 2 +- generated/ecs/ecs_nested.yml | 2 +- generated/elasticsearch/composable/component/container.json | 2 +- generated/elasticsearch/legacy/template.json | 2 +- schemas/container.yml | 2 +- 15 files changed, 15 insertions(+), 15 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 31b18ae84f..3e8169f97b 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -15,7 +15,7 @@ Thanks, you're awesome :-) --> #### Bugfixes #### Added -* Added `container.security_context.privileged` to indicated whether a container was started in privileged mode. #2219, #2225 +* Added `container.security_context.privileged` to indicated whether a container was started in privileged mode. #2219, #2225, #2246 * Added `process.thread.capabilities.permitted` to contain the current thread's possible capabilities. #2245 * Added `process.thread.capabilities.effective` to contain the current thread's effective capabilities. #2245 
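Review bot: the CHANGELOG.next.md line being rewritten in this hunk still reads "to indicated whether"; since the line is touched anyway to add `#2246`, correct it to "to indicate whether" at the same time. Separately, this fix shows that `type: bool` in schemas/container.yml passed through generation into the Elasticsearch templates unnoticed, where `boolean` is the valid mapping type; a check in the schema loader that rejects type names outside the known Elasticsearch mapping types would catch this class of mistake before `make` regenerates every artifact.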
diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index e86e2f1582..b5d67924ff 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -1239,7 +1239,7 @@ example: `docker` a| Indicates whether the container is running in privileged mode. -type: bool +type: boolean diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 79fc1fae3d..82f87a1b06 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -952,7 +952,7 @@ example: docker - name: security_context.privileged level: extended - type: bool + type: boolean description: Indicates whether the container is running in privileged mode. default_field: false - name: data_stream diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index ca3343bc7c..094c5cef8b 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -100,7 +100,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.10.0-dev+exp,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. 8.10.0-dev+exp,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. 8.10.0-dev+exp,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. -8.10.0-dev+exp,true,container,container.security_context.privileged,bool,extended,,,Indicates whether the container is running in privileged mode. +8.10.0-dev+exp,true,container,container.security_context.privileged,boolean,extended,,,Indicates whether the container is running in privileged mode. 8.10.0-dev+exp,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. 8.10.0-dev+exp,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. 8.10.0-dev+exp,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 600e15123d..151c000712 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -1202,7 +1202,7 @@ container.security_context.privileged: name: security_context.privileged normalize: [] short: Indicates whether the container is running in privileged mode. - type: bool + type: boolean data_stream.dataset: dashed_name: data-stream-dataset description: "The field can contain anything that makes sense to signify the source\ diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 22a415ce4f..326f4a15e3 100644 --- a/experimental/generated/ecs/ecs_nested.yml 
+++ b/experimental/generated/ecs/ecs_nested.yml @@ -1581,7 +1581,7 @@ container: name: security_context.privileged normalize: [] short: Indicates whether the container is running in privileged mode. - type: bool + type: boolean group: 2 name: container prefix: container. diff --git a/experimental/generated/elasticsearch/composable/component/container.json b/experimental/generated/elasticsearch/composable/component/container.json index d4c1071e52..40af94f16f 100644 --- a/experimental/generated/elasticsearch/composable/component/container.json +++ b/experimental/generated/elasticsearch/composable/component/container.json @@ -98,7 +98,7 @@ "security_context": { "properties": { "privileged": { - "type": "bool" + "type": "boolean" } } } diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index c205a87886..08f0f8df9b 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -567,7 +567,7 @@ "security_context": { "properties": { "privileged": { - "type": "bool" + "type": "boolean" } } } diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 377b2cae5b..99c2b5d1d9 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -902,7 +902,7 @@ example: docker - name: security_context.privileged level: extended - type: bool + type: boolean description: Indicates whether the container is running in privileged mode. default_field: false - name: data_stream diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index ae87c2044a..3a3d9cd30e 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -93,7 +93,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.10.0-dev,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. 8.10.0-dev,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. 8.10.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. -8.10.0-dev,true,container,container.security_context.privileged,bool,extended,,,Indicates whether the container is running in privileged mode. +8.10.0-dev,true,container,container.security_context.privileged,boolean,extended,,,Indicates whether the container is running in privileged mode. 8.10.0-dev,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. 8.10.0-dev,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. 8.10.0-dev,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index a0379a21b6..d38886a565 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -1133,7 +1133,7 @@ container.security_context.privileged: name: security_context.privileged normalize: [] short: Indicates whether the container is running in privileged mode. - type: bool + type: boolean data_stream.dataset: dashed_name: data-stream-dataset description: "The field can contain anything that makes sense to signify the source\ diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 4f8291e4a5..d8affec2da 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -1501,7 +1501,7 @@ container: name: security_context.privileged normalize: [] short: Indicates whether the container is running in privileged mode. - type: bool + type: boolean group: 2 name: container prefix: container. diff --git a/generated/elasticsearch/composable/component/container.json b/generated/elasticsearch/composable/component/container.json index 8f479ed72c..82d44f4ffb 100644 --- a/generated/elasticsearch/composable/component/container.json +++ b/generated/elasticsearch/composable/component/container.json @@ -98,7 +98,7 @@ "security_context": { "properties": { "privileged": { - "type": "bool" + "type": "boolean" } } } diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index 203e7b89dd..73833069e8 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -525,7 +525,7 @@ "security_context": { "properties": { "privileged": { - "type": "bool" + "type": "boolean" } } } diff --git a/schemas/container.yml b/schemas/container.yml index 329a4e627d..7cdbdac8f4 100644 --- a/schemas/container.yml +++ b/schemas/container.yml @@ -122,7 +122,7 @@ container since the last metric collection. - name: security_context.privileged - type: bool + type: boolean level: extended short: Indicates whether the container is running in privileged mode. description: > From a096d5cabed7535ec80232771199378d0799deea Mon Sep 17 00:00:00 2001 
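Review bot: the one substantive hunk is `schemas/container.yml`, where `type: bool` becomes `type: boolean`; everything else in the patch is regenerated output that follows from it, which is the right shape for this fix. It matters beyond cosmetics: `bool` is not a field type Elasticsearch recognises, so the `"type": "bool"` mapping in the composable component template and the legacy template would have been rejected when the template was installed, while `boolean` is the type Elasticsearch expects. Worth confirming the generated files were produced by running the generator rather than edited by hand, since every consumer changes in lockstep here (Beats `fields.ecs.yml`, `fields.csv`, `ecs_flat.yml`, `ecs_nested.yml`, both Elasticsearch templates and the asciidoc), and a hand edit in one of them would be overwritten on the next regeneration.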
From: Ryland Herrick Date: Mon, 14 Aug 2023 14:05:41 -0500 Subject: [PATCH 112/186] [RFC] Risk Score Extensions - Stage 1 (#2236) * Risk Score Extensions, Stage 1 * Add Stage 1 link * Rename riskiest_inputs -> risk_inputs More general naming to allow for modifying/extending the definition of these fields in the future. * Incorporate @SourinPaul's feedback for category field descriptions * Whoops * Add match_only_text multi-field to risk.inputs.description This will be useful if we have need to search on this field. * Shorten risk field names With the context/nesting of these fields under the `risk` namespace, most of the `risk_` prefixes are redundant. Also shortens `identifier_*` to `id_*` as the verbosity does not help with the distinction with the `id` field. Luckily, we have ECS descriptions to disambiguate :) * Nest inputs.* fields under risk.inputs We have YAML here, let's actually leverage its features! * More helpful category field descriptions * Adds category-specific description to _count fields * Conslidates the general description of Risk Categories with the category-specific definition * Declare Sourin the RFC sponsor --- rfcs/text/0042-risk-score-extensions.md | 74 +++++++---- rfcs/text/0042/risk.yml | 161 ++++++++++++++++++++++++ 2 files changed, 210 insertions(+), 25 deletions(-) create mode 100644 rfcs/text/0042/risk.yml diff --git a/rfcs/text/0042-risk-score-extensions.md b/rfcs/text/0042-risk-score-extensions.md index 329dd38045..4446807c43 100644 --- a/rfcs/text/0042-risk-score-extensions.md +++ b/rfcs/text/0042-risk-score-extensions.md 
@@ -9,9 +9,6 @@ As you work on your RFC, use the "Stage N" comments to guide you in what you sho Feel free to remove these comments as you go along. --> - This RFC seeks to extend the [existing risk fields](https://www.elastic.co/guide/en/ecs/current/ecs-risk.html) [(RFC 0031)](https://github.com/elastic/ecs/pull/2048) to support new/extended Risk Score investigation workflows. The workflows that this RFC intends to enable include all those described in 0031, along with the following: 1. Risk Score Explainability @@ -24,9 +21,6 @@ This RFC seeks to extend the [existing risk fields](https://www.elastic.co/guide * These categories' definitions may be _extended_ in the future to include new data sources * Due to the above category traits, we need to come up with a naming convention for these categorical score fields that allows them to be extended without invalidating the existing field names. - @@ -44,15 +75,11 @@ Stage 2: Add or update all remaining field definitions. The list should now be e ## Usage - +We intend to leverage these new fields as part of the new implementation of the Risk Engine within Kibana. In fact, we have already written [the code that uses these fields](https://github.com/elastic/kibana/pull/161503/files#diff-75c9ad5c7d4b56459148fd9c08cb6cb229e932ea00f3e39725134ba429ad2915R66-R85), albeit not in the exact form described here. Beyond the existing ECS `risk` fields, the new implementation mainly seeks to improve explainability of individual risk scores. ## Source data - +The new Risk Engine will initially use Detection Engine Alerts as inputs to its scoring mechanism. However, we intend also to allow ingestion from the other Risk Categories described here, provided that they conform to the appropriate schema. Said schema is outside of the scope of this RFC, but based on the current implementation all we will need are a `score` field and a `category` field in order to ingest any arbitrary document. 
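Review bot: the new "Source data" paragraph defers the input schema ("Said schema is outside of the scope of this RFC") while at the same time stating the actual ingest contract, a `score` field and a `category` field; if that contract is what the Risk Engine already relies on, the RFC should at least name the field paths and the accepted `category` values here, otherwise producers outside the Detection Engine have nothing to conform to. In the "Usage" paragraph, the link into the Kibana PR targets a diff anchor with fixed line offsets (`#diff-...R66-R85`), which stops pointing at the intended code as soon as that PR is updated; link to the file at a specific commit instead. Minor wording: "we intend also to allow ingestion" reads better as "we also intend to allow ingestion".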
@@ -91,19 +125,8 @@ Stage 3: Document resolutions for all existing concerns. Any new concerns should The following are the people that consulted on the contents of this RFC. * @rylnd | author -* @SourinPaul | SME / EA product manager - - +* @SourinPaul | sponsor +* @ebeahan | reviewer ## References @@ -117,6 +140,7 @@ e.g.: * Stage 0: https://github.com/elastic/ecs/pull/2232 +* Stage 1: https://github.com/elastic/ecs/pull/2236 #### Bugfixes #### Added -* Added `container.security_context.privileged` to indicated whether a container was started in privileged mode. #2219, #2225, #2246 -* Added `process.thread.capabilities.permitted` to contain the current thread's possible capabilities. #2245 -* Added `process.thread.capabilities.effective` to contain the current thread's effective capabilities. #2245 #### Improvements -* Permit `ignore_above` if explicitly set on a `flattened` field. #2248 #### Deprecated 
@@ -36,19 +32,22 @@ Thanks, you're awesome :-) --> #### Deprecated -## 8.9.0 (Feature Freeze) +## 8.10.0 (Feature Freeze) ### Schema Changes -### Bugfixes - #### Added -* Added `process.vpid` for namespaced process ids. #2211 +* Added `container.security_context.privileged` to indicated whether a container was started in privileged mode. #2219, #2225, #2246 +* Added `process.thread.capabilities.permitted` to contain the current thread's possible capabilities. #2245 +* Added `process.thread.capabilities.effective` to contain the current thread's effective capabilities. #2245 -### Improvements +#### Improvements +* Permit `ignore_above` if explicitly set on a `flattened` field. #2248 -#### Deprecated -* Removed `faas.trigger: nested` since we only have one trigger. #2194 +### Tooling and Artifact Changes + +#### Improvements +* Improved documentation formatting to better follow the contributing guide. #2226 #### Improvements * Improved documentation formatting to better follow the contributing guide. #2226 +### Tooling and Artifact Changes + +#### Improvements + +* Bump `gitpython` dependency from 3.1.30 to 3.1.34 for security fixes. #2251, #2264 + #### Improvements * Improved documentation formatting to better follow the contributing guide. #2226 - -### Tooling and Artifact Changes - -#### Improvements - -* Bump `gitpython` dependency from 3.1.30 to 3.1.34 for security fixes. #2251, #2264 +* Bump `gitpython` dependency from 3.1.30 to 3.1.35 for security fixes. 
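Review bot: the added entry "Added `container.security_context.privileged` to indicated whether a container was started in privileged mode" carries a typo ("to indicated" should be "to indicate"), and the same wording is being copied verbatim between the 8.9.0 and 8.10.0 sections in these hunks, so fix it once before it lands in the release CHANGELOG. The hunk that renames `## 8.9.0 (Feature Freeze)` to `## 8.10.0 (Feature Freeze)` also drops the `process.vpid` (#2211) and `faas.trigger: nested` (#2194) entries; those need to appear under 8.9.0 in `CHANGELOG.md` in the same change, and that file's hunk is not visible in this fragment. The later gitpython hunk correctly replaces the 3.1.34 entry with the 3.1.35 one and adds #2265 rather than leaving two bump entries side by side.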
#2251, #2264, #2265 -- Stage: **1 (draft)** -- Date: **2023-07-27** +- Stage: **2 (candidate)** +- Date: **2023-09-11** ```json { - "@timestamp": "2023-04-05T18:48:25.7435298Z", - "agent": { - "id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", - "type": "endpoint", - "version": "8.8.0-SNAPSHOT" - }, - "data_stream": { - "dataset": "endpoint.events.volume_device", - "namespace": "default", - "type": "logs" - }, - "ecs": { - "version": "1.11.0" - }, - "elastic": { - "agent": { - "id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" - } - }, - "event": { - "action": "attach", - "category": [ - "volume_device" - ], - "created": "2023-04-05T18:48:25.7435298Z", - "dataset": "endpoint.events.volume_device", - "id": "N0r0JIPXbQR6J+83++++++PP", - "kind": "event", - "module": "endpoint", - "outcome": "unknown", - "sequence": 1281, - "type": [ - "attach" - ] - }, - "message": "Endpoint volume device event", - "volume.bus_type": "FileBackedVirtual", - "volume.dos_name": "E:", - "volume.file_system_type": "UDF", - "volume.nt_name": "\\Device\\CdRom1", - "volume.product_name": "Virtual DVD-ROM", - "volume.vendor_name": "Msft", - "volume.serial_number": "12345", - "volume.volume_device_type": "CD-ROM File System", - "volume.size": 1000,000,000 + "@timestamp":"2023-08-24T12:37:59.9817807Z", + "agent": + { + "id":"ada69fee-8801-4248-9ea5-acada41cef88", + "type":"endpoint", + "version":"8.10.0-SNAPSHOT" + }, + "data_stream": + { + "dataset":"endpoint.events.volume_device", + "namespace":"default", + "type":"logs" + }, + "ecs": + { + "version":"1.11.0" + }, + "elastic": + { + "agent": + { + "id":"ada69fee-8801-4248-9ea5-acada41cef88" + } + }, + "event": + { + "action":"mount", + "category": [ + "volume_device" + ], + "created":"2023-08-24T12:37:59.9817807Z", + "dataset":"endpoint.events.volume_device", + "id":"NCRD4OiOt10Kj8r9++++++e0", + "kind":"event", + "module":"endpoint", + "outcome":"success", + "sequence":1759, + "type": [ + "start" + ] + }, + "host": + { + "architecture":"x86_64", + 
"hostname":"win11vm", + "id":"01d52cf8-1917-4fab-8317-100076ab9aab", + "ip": + [ + "192.168.2.3","127.0.0.1","::1" + ], + "mac": [ + "00-0a-9d-b2-55-61" + ], + "name":"win11vm", + "os": + { + "Ext": + { + "variant":"Windows 11 Pro" + }, + "family":"windows", + "full":"Windows 11 Pro 22H2 (10.0.22621.2134)", + "kernel":"22H2 (10.0.22621.2134)", + "name":"Windows", + "platform":"windows", + "type":"windows", + "version":"22H2 (10.0.22621.2134)" + } + }, + "message":"Endpoint volume device event", + "process": + { + "Ext": + { + "code_signature": [ + { + "exists":true, + "status":"trusted", + "subject_name":"Microsoft Windows", + "trusted":true + } + ] + }, + "code_signature": + { + "exists":true, + "status":"trusted", + "subject_name":"Microsoft Windows", + "trusted":true + }, + "entity_id":"NWRhNjlkZWUtODgwNS00MjZiLTllYTUtYmM5ZGE0MGMwZjc3LTY1ODAtMTY5Mjc1ODgyNC40OTIxMjU5MDA=", + "executable":"C:\\Windows\\explorer.exe", + "name":"explorer.exe", + "pid":6580 + }, + "user": + { + "domain":"WIN11VM", + "id":"S-1-5-21-3464081356-156823451-1687200008-1001", + "name":"john" + }, + "volume": + { + "bus_type":"FileBackedVirtual", + "device_type":"CD-ROM File System", + "dos_name":"E:", + "file_system_type":"UDF", + "nt_name":"\\Device\\CdRom1", + "product_name":"Virtual DVD-ROM", + "serial_number":"", + "vendor_name":"Msft", + "size": 1000,000,000, + "removable": true + } } ``` @@ -259,6 +336,10 @@ Stage 2: Identifies scope of impact of changes. Are breaking changes required? S * ECS project (e.g. docs, tooling) The goal here is to research and understand the impact of these changes on users in the community and development teams across Elastic. 2-5 sentences each. --> +As this RFC involves the creation of an entirely new fieldset, no breaking +changes are envisaged. Some existing tooling might need updates to factor in the +new fieldset's availability, however. + ## Concerns 
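Review bot: the rewritten example still contains `"size": 1000,000,000`, carried over from the old block; a JSON number cannot contain thousands separators, so the whole example fails to parse and any reader who pastes it into a tool gets an error. Use `"size": 1000000000`. Two smaller points in the same block: `"serial_number":""` indexes an empty string where the old example had a value, and if the device reported no serial the key is better omitted than populated with an empty value; and `"ecs": {"version": "1.11.0"}` next to an `8.10.0-SNAPSHOT` agent looks stale for an example whose purpose is to show fields that do not yet exist in ECS.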
@@ -279,9 +360,10 @@ Stage 3: Document resolutions for all existing concerns. Any new concerns should The following are the people that consulted on the contents of this RFC. - * @Trinity2019 | author - * @ricardoungureanu| reviewer - * @stanek-michal | reviewer + * @Trinity2019 | author, sponsor + * @ricardoungureanu | reviewer + * @stanek-michal | reviewer + * @intxgo | reviewer #### Deprecated -## 8.10.0 (Feature Freeze) - -### Schema Changes - -#### Added -* Added `container.security_context.privileged` to indicated whether a container was started in privileged mode. #2219, #2225, #2246 -* Added `process.thread.capabilities.permitted` to contain the current thread's possible capabilities. #2245 -* Added `process.thread.capabilities.effective` to contain the current thread's effective capabilities. #2245 - -#### Improvements -* Permit `ignore_above` if explicitly set on a `flattened` field. #2248 - -### Tooling and Artifact Changes - -#### Improvements -* Improved documentation formatting to better follow the contributing guide. #2226 -* Bump `gitpython` dependency from 3.1.30 to 3.1.35 for security fixes. #2251, #2264, #2265 - + +### Summary +This RFC aims to add a few general fields that, when defined on a document, will allow that document containing them to be consumed by Kibana's Risk Engine for the purposes of entity analytics. + +Broadly, we need two fields to enable this behavior: + +* `risk_score`, a "base" risk score (numeric, float) defined by the data producer that is used as the basis for calculating risk for the entity represented in the document +* `risk_category`, a keyword field defining to which of the five [proposed categories](https://github.com/elastic/ecs/pull/2236) + +### Motivation +Kibana's Risk Engine (all iterations) currently only ingest Detection Engine Alerts. 
These are straightforward to score, as they contain: + +* an inherent risk score field (`kibana.alert.risk_score`) +* an implicit category (`category_1`, which is described broadly as "Alerts") + +These fields are meant to allow the Risk Engine logic to be generalized to allow ingestion of any document containing these proposed fields. + + +### Outstanding Questions/Concerns +1. If we have need to represent multiple entities within the same document (i.e. both a host and a user), a single set of top-level fields may not be sufficient. In that case, nesting them separately under `host` and `user` would be appropriate. +2. Related to the above, the fields proposed do not account for _multiple_ of either hosts or users within a single document. However, neither does the Risk Engine in general. +3. We currently leverage the presence of either `host.name` or `user.name` to find/aggregate/score entities. It would seem reasonable that, in the future, data producers could define additional/other fields from which to "identify" host and user entities, respectively. This concept is already partly codified in the `identifier_field` and `identifier_value` fields on a [Risk Score document](https://github.com/elastic/ecs/pull/2236), but while those are meant for "outgoing" risk score documents, these fields would be used by the Risk Engine to identify incoming Risk Input documents. For complete disambiguation, this may also necessitate an explicit "entity type" field on both sides of this process. + + + + + + +## Fields + + + + + +## Usage + + + +## Source data + + + + + + + +## Scope of impact + + + +## Concerns + + + + + + + +## People + +The following are the people that consulted on the contents of this RFC. + +* @rylnd | author +* @SourinPaul | Subject Matter Expert, Product Manager + + + + +## References + +* Risk Score Fields RFC (Stage 1): https://github.com/elastic/ecs/pull/2236 + + +### RFC Pull Requests + + +* Stage 0: https://github.com/elastic/ecs/pull/2244 
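Review bot: the `risk_category` bullet is an unfinished sentence ("a keyword field defining to which of the five proposed categories" has no object); it should read something like "defining to which of the five proposed categories the document's score belongs". The `risk_score` bullet gives the type (float) but no range or scale, and since the only input cited is `kibana.alert.risk_score`, the RFC should state whether producers are expected to use that field's scale so that scores from different categories are comparable when the engine aggregates them. Grammar in "Motivation": "Kibana's Risk Engine (all iterations) currently only ingest" should be "ingests". The third outstanding question already identifies the gap that matters most for correctness, namely how an incoming document names the entity it scores; naming the entity-type field now, even provisionally, would let the engine reject inputs it cannot attribute instead of silently keying everything on `host.name` or `user.name`.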
From 7c374fee80f10eaa02dcffe79cbf72f4e020a0a5 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Mon, 25 Sep 2023 11:32:11 -0500 Subject: [PATCH 123/186] Respect `reusable.top_level` in Beats generator (#2278) * migrate top_level:false handling to helper func * handle top_level:false in beats generator * regenerate Beats fields minus top_level:false field sets * linting * changelog --- CHANGELOG.next.md | 2 + experimental/generated/beats/fields.ecs.yml | 1452 ++----------------- generated/beats/fields.ecs.yml | 1452 ++----------------- scripts/generators/beats.py | 1 + scripts/generators/ecs_helpers.py | 11 + scripts/generators/es_template.py | 15 +- scripts/tests/test_ecs_helpers.py | 12 + 7 files changed, 298 insertions(+), 2647 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index a1517826ff..2fec6bc55b 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -26,6 +26,8 @@ Thanks, you're awesome :-) --> #### Bugfixes +* Respect reusable.top_level in Beats generator #2278 + #### Added #### Improvements diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 0eb0ccec7f..41ce694b58 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
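Review bot: the changelog line "Respect reusable.top_level in Beats generator #2278" should wrap `reusable.top_level` in backticks like the neighbouring entries that name schema attributes, and it undersells the effect: the generated diff in this same patch removes the entire `as`, `code_signature` and `elf` groups from Beats' `fields.ecs.yml`, so Beats consumers lose those top-level mappings. A Bugfixes entry that says the field sets are no longer emitted at top level gives anyone diffing their index template a reason for the change.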
@@ -122,32 +122,6 @@ ignore_above: 1024 description: Version of the agent. example: 6.0.0-rc2 - - name: as - title: Autonomous System - group: 2 - description: An autonomous system (AS) is a collection of connected Internet Protocol - (IP) routing prefixes under the control of one or more network operators on - behalf of a single administrative entity or domain that presents a common, clearly - defined routing policy to the internet. - type: group - default_field: true - fields: - - name: number - level: extended - type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - - name: organization.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - default_field: false - description: Organization name. - example: Google LLC - name: cgroup title: Common cgroup metrics group: 2 
@@ -777,91 +751,6 @@ Examples: app engine, app service, cloud run, fargate, lambda.' example: lambda default_field: false - - name: code_signature - title: Code Signature - group: 2 - description: These fields contain information about binary code signatures. - type: group - default_field: true - fields: - - name: digest_algorithm - level: extended - type: keyword - ignore_above: 1024 - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - default_field: false - - name: exists - level: core - type: boolean - description: Boolean to capture if a signature is present. - example: 'true' - default_field: false - - name: signing_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - default_field: false - - name: status - level: extended - type: keyword - ignore_above: 1024 - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - default_field: false - - name: subject_name - level: core - type: keyword - ignore_above: 1024 - description: Subject name of the code signer - example: Microsoft Corporation - default_field: false - - name: team_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' 
- example: EQHXZ8M8AV - default_field: false - - name: timestamp - level: extended - type: date - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - default_field: false - - name: trusted - level: extended - type: boolean - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - default_field: false - - name: valid - level: extended - type: boolean - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - default_field: false - name: container title: Container group: 2 
@@ -1847,425 +1736,172 @@ ECS versions -- this field lets integrations adjust to the schema version of the events.' example: 1.0.0 - - name: elf - title: ELF Header + - name: email + title: Email group: 2 - description: These fields contain Linux Executable Linkable Format (ELF) metadata. + description: 'Event details relating to an email transaction. + + This field set focuses on the email message header, body, and attachments. Network + protocols that send and receive email messages such as SMTP are outside the + scope of the `email.*` fields.' type: group default_field: true fields: - - name: architecture + - name: attachments level: extended - type: keyword - ignore_above: 1024 - description: Machine architecture of the ELF file. - example: x86-64 + type: nested + description: A list of objects describing the attachment files sent along with + an email message. default_field: false - - name: byte_order + - name: attachments.file.extension level: extended type: keyword ignore_above: 1024 - description: Byte sequence of ELF file. - example: Little Endian + description: Attachment file extension, excluding the leading dot. + example: txt default_field: false - - name: cpu_type + - name: attachments.file.hash.md5 level: extended type: keyword ignore_above: 1024 - description: CPU type of the ELF file. - example: Intel - default_field: false - - name: creation_date - level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - default_field: false - - name: exports - level: extended - type: flattened - description: List of exported element names and types. + description: MD5 hash. default_field: false - - name: go_import_hash + - name: attachments.file.hash.sha1 level: extended type: keyword ignore_above: 1024 - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. 
An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available [here](https://github.com/elastic/toutoumomoma).' - example: 10bddcb4cee42080f76c88d9ff964491 + description: SHA1 hash. default_field: false - - name: go_imports + - name: attachments.file.hash.sha256 level: extended - type: flattened - description: List of imported Go language element names and types. + type: keyword + ignore_above: 1024 + description: SHA256 hash. default_field: false - - name: go_imports_names_entropy + - name: attachments.file.hash.sha384 level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. + type: keyword + ignore_above: 1024 + description: SHA384 hash. default_field: false - - name: go_imports_names_var_entropy + - name: attachments.file.hash.sha512 level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. + type: keyword + ignore_above: 1024 + description: SHA512 hash. default_field: false - - name: go_stripped + - name: attachments.file.hash.ssdeep level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. + type: keyword + ignore_above: 1024 + description: SSDEEP hash. default_field: false - - name: header.abi_version + - name: attachments.file.hash.tlsh level: extended type: keyword ignore_above: 1024 - description: Version of the ELF Application Binary Interface (ABI). + description: TLSH hash. default_field: false - - name: header.class + - name: attachments.file.mime_type level: extended type: keyword ignore_above: 1024 - description: Header class of the ELF file. 
+ description: 'The MIME media type of the attachment. + + This value will typically be extracted from the `Content-Type` MIME header + field.' + example: text/plain default_field: false - - name: header.data + - name: attachments.file.name level: extended type: keyword ignore_above: 1024 - description: Data table of the ELF header. + description: Name of the attachment file including the file extension. + example: attachment.txt default_field: false - - name: header.entrypoint + - name: attachments.file.size level: extended type: long - format: string - description: Header entrypoint of the ELF file. + description: Attachment file size in bytes. + example: 64329 default_field: false - - name: header.object_version + - name: bcc.address level: extended type: keyword ignore_above: 1024 - description: '"0x1" for original ELF files.' + description: The email address of BCC recipient + example: bcc.user1@example.com default_field: false - - name: header.os_abi + - name: cc.address level: extended type: keyword ignore_above: 1024 - description: Application Binary Interface (ABI) of the Linux OS. + description: The email address of CC recipient + example: cc.user1@example.com default_field: false - - name: header.type + - name: content_type level: extended type: keyword ignore_above: 1024 - description: Header type of the ELF file. + description: 'Information about how the message is to be displayed. + + Typically a MIME type.' + example: text/plain + default_field: false + - name: delivery_timestamp + level: extended + type: date + description: The date and time when the email message was received by the service + or client. + example: '2020-11-10T22:12:34.8196921Z' default_field: false - - name: header.version + - name: direction level: extended type: keyword ignore_above: 1024 - description: Version of the ELF header. + description: The direction of the message based on the sending and receiving + domains. 
+ example: inbound default_field: false - - name: import_hash + - name: from.address level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e + description: The email address of the sender, typically from the RFC 5322 `From:` + header field. + example: sender@example.com default_field: false - - name: imports + - name: local_id level: extended - type: flattened - description: List of imported element names and types. + type: keyword + ignore_above: 1024 + description: 'Unique identifier given to the email by the source that created + the event. + + Identifier is not persistent across hops.' + example: c26dbea0-80d5-463b-b93c-4e8b708219ce default_field: false - - name: imports_names_entropy + - name: message_id level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. + type: wildcard + description: Identifier from the RFC 5322 `Message-ID:` email header that refers + to a particular email message. + example: 81ce15$8r2j59@mail01.example.com default_field: false - - name: imports_names_var_entropy + - name: origination_timestamp level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. + type: date + description: The date and time the email message was composed. Many email clients + will fill in this value automatically when the message is sent by a user. 
+ example: '2020-11-10T22:12:34.8196921Z' default_field: false - - name: sections + - name: reply_to.address level: extended - type: nested - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - default_field: false - - name: sections.chi2 - level: extended - type: long - format: number - description: Chi-square probability distribution of the section. - default_field: false - - name: sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: sections.flags - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List flags. - default_field: false - - name: sections.name - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List name. - default_field: false - - name: sections.physical_offset - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List offset. - default_field: false - - name: sections.physical_size - level: extended - type: long - format: bytes - description: ELF Section List physical size. - default_field: false - - name: sections.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List type. - default_field: false - - name: sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: sections.virtual_address - level: extended - type: long - format: string - description: ELF Section List virtual address. - default_field: false - - name: sections.virtual_size - level: extended - type: long - format: string - description: ELF Section List virtual size. 
- default_field: false - - name: segments - level: extended - type: nested - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - default_field: false - - name: segments.sections - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment sections. - default_field: false - - name: segments.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment type. - default_field: false - - name: shared_libraries - level: extended - type: keyword - ignore_above: 1024 - description: List of shared libraries used by this ELF object. - default_field: false - - name: telfhash - level: extended - type: keyword - ignore_above: 1024 - description: telfhash symbol hash for ELF file. - default_field: false - - name: email - title: Email - group: 2 - description: 'Event details relating to an email transaction. - - This field set focuses on the email message header, body, and attachments. Network - protocols that send and receive email messages such as SMTP are outside the - scope of the `email.*` fields.' - type: group - default_field: true - fields: - - name: attachments - level: extended - type: nested - description: A list of objects describing the attachment files sent along with - an email message. - default_field: false - - name: attachments.file.extension - level: extended - type: keyword - ignore_above: 1024 - description: Attachment file extension, excluding the leading dot. - example: txt - default_field: false - - name: attachments.file.hash.md5 - level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash. - default_field: false - - name: attachments.file.hash.sha1 - level: extended - type: keyword - ignore_above: 1024 - description: SHA1 hash. 
- default_field: false - - name: attachments.file.hash.sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash. - default_field: false - - name: attachments.file.hash.sha384 - level: extended - type: keyword - ignore_above: 1024 - description: SHA384 hash. - default_field: false - - name: attachments.file.hash.sha512 - level: extended - type: keyword - ignore_above: 1024 - description: SHA512 hash. - default_field: false - - name: attachments.file.hash.ssdeep - level: extended - type: keyword - ignore_above: 1024 - description: SSDEEP hash. - default_field: false - - name: attachments.file.hash.tlsh - level: extended - type: keyword - ignore_above: 1024 - description: TLSH hash. - default_field: false - - name: attachments.file.mime_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The MIME media type of the attachment. - - This value will typically be extracted from the `Content-Type` MIME header - field.' - example: text/plain - default_field: false - - name: attachments.file.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the attachment file including the file extension. - example: attachment.txt - default_field: false - - name: attachments.file.size - level: extended - type: long - description: Attachment file size in bytes. - example: 64329 - default_field: false - - name: bcc.address - level: extended - type: keyword - ignore_above: 1024 - description: The email address of BCC recipient - example: bcc.user1@example.com - default_field: false - - name: cc.address - level: extended - type: keyword - ignore_above: 1024 - description: The email address of CC recipient - example: cc.user1@example.com - default_field: false - - name: content_type - level: extended - type: keyword - ignore_above: 1024 - description: 'Information about how the message is to be displayed. - - Typically a MIME type.' 
- example: text/plain - default_field: false - - name: delivery_timestamp - level: extended - type: date - description: The date and time when the email message was received by the service - or client. - example: '2020-11-10T22:12:34.8196921Z' - default_field: false - - name: direction - level: extended - type: keyword - ignore_above: 1024 - description: The direction of the message based on the sending and receiving - domains. - example: inbound - default_field: false - - name: from.address - level: extended - type: keyword - ignore_above: 1024 - description: The email address of the sender, typically from the RFC 5322 `From:` - header field. - example: sender@example.com - default_field: false - - name: local_id - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique identifier given to the email by the source that created - the event. - - Identifier is not persistent across hops.' - example: c26dbea0-80d5-463b-b93c-4e8b708219ce - default_field: false - - name: message_id - level: extended - type: wildcard - description: Identifier from the RFC 5322 `Message-ID:` email header that refers - to a particular email message. - example: 81ce15$8r2j59@mail01.example.com - default_field: false - - name: origination_timestamp - level: extended - type: date - description: The date and time the email message was composed. Many email clients - will fill in this value automatically when the message is sent by a user. - example: '2020-11-10T22:12:34.8196921Z' - default_field: false - - name: reply_to.address - level: extended - type: keyword - ignore_above: 1024 - description: The address that replies should be delivered to based on the value - in the RFC 5322 `Reply-To:` header. - example: reply.here@example.com + type: keyword + ignore_above: 1024 + description: The address that replies should be delivered to based on the value + in the RFC 5322 `Reply-To:` header. 
+ example: reply.here@example.com default_field: false - name: sender.address level: extended 
@@ -3722,104 +3358,16 @@ description: Version of x509 format. example: 3 default_field: false - - name: geo - title: Geo + - name: group + title: Group group: 2 - description: 'Geo fields can carry data about a specific location related to an - event. - - This geolocation information can be derived from techniques such as Geo IP, - or be user-supplied.' + description: The group fields are meant to represent groups that are relevant + to the event. type: group default_field: true fields: - - name: city_name - level: core - type: keyword - ignore_above: 1024 - description: City name. - example: Montreal - - name: continent_code - level: core - type: keyword - ignore_above: 1024 - description: Two-letter code representing continent's name. - example: NA - default_field: false - - name: continent_name - level: core - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America - - name: country_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - - name: country_name - level: core - type: keyword - ignore_above: 1024 - description: Country name. - example: Canada - - name: location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - - name: postal_code - level: core - type: keyword - ignore_above: 1024 - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' 
- example: 94040 - default_field: false - - name: region_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Region ISO code. - example: CA-QC - - name: region_name - level: core - type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec - - name: timezone - level: core - type: keyword - ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - default_field: false - - name: group - title: Group - group: 2 - description: The group fields are meant to represent groups that are relevant - to the event. - type: group - default_field: true - fields: - - name: domain - level: extended + - name: domain + level: extended type: keyword ignore_above: 1024 description: 'Name of the directory the group is a member of. 
@@ -3835,60 +3383,6 @@ type: keyword ignore_above: 1024 description: Name of the group. - - name: hash - title: Hash - group: 2 - description: 'The hash fields represent different bitwise hash algorithms and - their values. - - Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for - other hashes by lowercasing the hash algorithm name and using underscore separators - as appropriate (snake case, e.g. sha3_512). - - Note that this fieldset is used for common hashes that may be computed over - a range of generic bytes. Entity-specific hashes such as ja3 or imphash are - placed in the fieldsets to which they relate (tls and pe, respectively).' - type: group - default_field: true - fields: - - name: md5 - level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash. - - name: sha1 - level: extended - type: keyword - ignore_above: 1024 - description: SHA1 hash. - - name: sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash. - - name: sha384 - level: extended - type: keyword - ignore_above: 1024 - description: SHA384 hash. - default_field: false - - name: sha512 - level: extended - type: keyword - ignore_above: 1024 - description: SHA512 hash. - - name: ssdeep - level: extended - type: keyword - ignore_above: 1024 - description: SSDEEP hash. - default_field: false - - name: tlsh - level: extended - type: keyword - ignore_above: 1024 - description: TLSH hash. - default_field: false - name: host title: Host group: 2 
@@ -4329,40 +3823,6 @@ ignore_above: 1024 description: HTTP version. example: 1.1 - - name: interface - title: Interface - group: 2 - description: The interface fields are used to record ingress and egress interface - information when reported by an observer (e.g. firewall, router, load balancer) - in the context of the observer handling a network connection. In the case of - a single observer interface (e.g. network sensor on a span port) only the observer.ingress - information should be populated. - type: group - default_field: true - fields: - - name: alias - level: extended - type: keyword - ignore_above: 1024 - description: Interface alias as reported by the system, typically used in firewall - implementations for e.g. inside, outside, or dmz logical interface naming. - example: outside - default_field: false - - name: id - level: extended - type: keyword - ignore_above: 1024 - description: Interface ID as reported by an observer (typically SNMP interface - ID). - example: 10 - default_field: false - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Interface name as reported by the system. - example: eth0 - default_field: false - name: log title: Log group: 2 
@@ -4527,128 +3987,6 @@ for RFC 5424 messages. example: 1 default_field: false - - name: macho - title: Mach-O Header - group: 2 - description: These fields contain Mac OS Mach Object file format (Mach-O) metadata. - type: group - default_field: true - fields: - - name: go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available [here](https://github.com/elastic/toutoumomoma).' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' 
- example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: sections - level: extended - type: nested - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - default_field: false - - name: sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: sections.name - level: extended - type: keyword - ignore_above: 1024 - description: Mach-O Section List name. - default_field: false - - name: sections.physical_size - level: extended - type: long - format: bytes - description: Mach-O Section List physical size. - default_field: false - - name: sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: sections.virtual_size - level: extended - type: long - format: string - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: symhash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. 
An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - default_field: false - name: network title: Network group: 2 
@@ -5262,69 +4600,6 @@ type: match_only_text default_field: false description: Organization name. - - name: os - title: Operating System - group: 2 - description: The OS fields contain information about the operating system. - type: group - default_field: true - fields: - - name: family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: full - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - default_field: false - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: type - level: extended - type: keyword - ignore_above: 1024 - description: 'Use the `os.type` field to categorize the operating system into - one of the broad commercial families. - - If the OS you''re dealing with is not listed as an expected value, the field - should not be populated. Please let us know by opening an issue with ECS, - to propose its addition.' - example: macos - default_field: false - - name: version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - name: package title: Package group: 2 
@@ -5386,219 +4661,44 @@ level: extended type: keyword ignore_above: 1024 - description: Package name - example: go - - name: path - level: extended - type: keyword - ignore_above: 1024 - description: Path where the package is installed. - example: /usr/local/Cellar/go/1.12.9/ - - name: reference - level: extended - type: keyword - ignore_above: 1024 - description: Home page or reference URL of the software in this package, if - available. - example: https://golang.org - default_field: false - - name: size - level: extended - type: long - format: string - description: Package size in bytes. - example: 62231 - - name: type - level: extended - type: keyword - ignore_above: 1024 - description: 'Type of package. - - This should contain the package file type, rather than the package manager - name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar.' - example: rpm - default_field: false - - name: version - level: extended - type: keyword - ignore_above: 1024 - description: Package version - example: 1.12.9 - - name: pe - title: PE Header - group: 2 - description: These fields contain Windows Portable Executable (PE) metadata. - type: group - default_field: true - fields: - - name: architecture - level: extended - type: keyword - ignore_above: 1024 - description: CPU architecture target for the file. - example: x64 - default_field: false - - name: company - level: extended - type: keyword - ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - default_field: false - - name: description - level: extended - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint - default_field: false - - name: file_version - level: extended - type: keyword - ignore_above: 1024 - description: Internal version of the file, provided at compile-time. 
- example: 6.3.9600.17415 - default_field: false - - name: go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available [here](https://github.com/elastic/toutoumomoma).' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: imphash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' 
- example: 0c6803c4e922103c4dca5963aad36ddf - default_field: false - - name: import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: original_file_name - level: extended - type: keyword - ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - default_field: false - - name: pehash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - default_field: false - - name: product - level: extended - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. 
- example: "Microsoft\xAE Windows\xAE Operating System" - default_field: false - - name: sections - level: extended - type: nested - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - default_field: false - - name: sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: sections.name - level: extended - type: keyword - ignore_above: 1024 - description: PE Section List name. - default_field: false - - name: sections.physical_size + description: Package name + example: go + - name: path level: extended - type: long - format: bytes - description: PE Section List physical size. - default_field: false - - name: sections.var_entropy + type: keyword + ignore_above: 1024 + description: Path where the package is installed. + example: /usr/local/Cellar/go/1.12.9/ + - name: reference level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. + type: keyword + ignore_above: 1024 + description: Home page or reference URL of the software in this package, if + available. + example: https://golang.org default_field: false - - name: sections.virtual_size + - name: size level: extended type: long format: string - description: PE Section List virtual size. This is always the same as `physical_size`. + description: Package size in bytes. + example: 62231 + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: 'Type of package. + + This should contain the package file type, rather than the package manager + name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar.' + example: rpm default_field: false + - name: version + level: extended + type: keyword + ignore_above: 1024 + description: Package version + example: 1.12.9 - name: process title: Process group: 2 
@@ -8777,62 +7877,6 @@ ignore_above: 1024 description: All the user names or other user identifiers seen on the event. default_field: false - - name: risk - title: Risk information - group: 2 - description: Fields for describing risk score and risk level of entities such - as hosts and users. These fields are not allowed to be nested under `event.*`. - Please continue to use `event.risk_score` and `event.risk_score_norm` for event - risk. - type: group - default_field: true - fields: - - name: calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. 
- example: 83.0 - default_field: false - name: rule title: Rule group: 2 @@ -14401,42 +13445,6 @@ ignore_above: 1024 description: Version of the user agent. example: 12.0 - - name: vlan - title: VLAN - group: 2 - description: 'The VLAN fields are used to identify 802.1q tag(s) of a packet, - as well as ingress and egress VLAN associations of an observer in relation to - a specific packet or connection. - - Network.vlan fields are used to record a single VLAN tag, or the outer tag in - the case of q-in-q encapsulations, for a packet or connection as observed, typically - provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. - - Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple - 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. - Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should - only be used in addition to network.vlan fields to indicate q-in-q tagging. - - Observer.ingress and observer.egress VLAN values are used to record observer - specific information when observer events contain discrete ingress and egress - VLAN information, typically provided by firewalls, routers, or load balancers.' - type: group - default_field: true - fields: - - name: id - level: extended - type: keyword - ignore_above: 1024 - description: VLAN ID as reported by the observer. - example: 10 - default_field: false - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Optional VLAN name as reported by the observer. - example: outside - default_field: false - name: vulnerability title: Vulnerability group: 2 
@@ -14566,193 +13574,3 @@ prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) example: Critical default_field: false - - name: x509 - title: x509 Certificate - group: 2 - description: 'This implements the common core fields for x509 certificates. This - information is likely logged with TLS sessions, digital signatures found in - executable binaries, S/MIME information in email bodies, or analysis of files - on disk. - - When the certificate relates to a file, use the fields at `file.x509`. When - hashes of the DER-encoded certificate are available, the `hash` data set should - be populated as well (e.g. `file.hash.sha256`). - - Events that contain certificate information about network connections, should - use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or - `tls.client.x509`.' - type: group - default_field: true - fields: - - name: alternative_names - level: extended - type: keyword - ignore_above: 1024 - description: List of subject alternative names (SAN). Name types vary by certificate - authority and certificate type but commonly contain IP addresses, DNS names - (and wildcards), and email addresses. - example: '*.elastic.co' - default_field: false - - name: issuer.common_name - level: extended - type: keyword - ignore_above: 1024 - description: List of common name (CN) of issuing certificate authority. - example: Example SHA2 High Assurance Server CA - default_field: false - - name: issuer.country - level: extended - type: keyword - ignore_above: 1024 - description: List of country \(C) codes - example: US - default_field: false - - name: issuer.distinguished_name - level: extended - type: keyword - ignore_above: 1024 - description: Distinguished name (DN) of issuing certificate authority. 
- example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance - Server CA - default_field: false - - name: issuer.locality - level: extended - type: keyword - ignore_above: 1024 - description: List of locality names (L) - example: Mountain View - default_field: false - - name: issuer.organization - level: extended - type: keyword - ignore_above: 1024 - description: List of organizations (O) of issuing certificate authority. - example: Example Inc - default_field: false - - name: issuer.organizational_unit - level: extended - type: keyword - ignore_above: 1024 - description: List of organizational units (OU) of issuing certificate authority. - example: www.example.com - default_field: false - - name: issuer.state_or_province - level: extended - type: keyword - ignore_above: 1024 - description: List of state or province names (ST, S, or P) - example: California - default_field: false - - name: not_after - level: extended - type: date - description: Time at which the certificate is no longer considered valid. - example: '2020-07-16T03:15:39Z' - default_field: false - - name: not_before - level: extended - type: date - description: Time at which the certificate is first considered valid. - example: '2019-08-16T01:40:25Z' - default_field: false - - name: public_key_algorithm - level: extended - type: keyword - ignore_above: 1024 - description: Algorithm used to generate the public key. - example: RSA - default_field: false - - name: public_key_curve - level: extended - type: keyword - ignore_above: 1024 - description: The curve used by the elliptic curve public key algorithm. This - is algorithm specific. - example: nistp521 - default_field: false - - name: public_key_exponent - level: extended - type: long - description: Exponent used to derive the public key. This is algorithm specific. 
- example: 65537 - index: false - doc_values: false - default_field: false - - name: public_key_size - level: extended - type: long - description: The size of the public key space in bits. - example: 2048 - default_field: false - - name: serial_number - level: extended - type: keyword - ignore_above: 1024 - description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. - example: 55FBB9C7DEBF09809D12CCAA - default_field: false - - name: signature_algorithm - level: extended - type: keyword - ignore_above: 1024 - description: Identifier for certificate signature algorithm. We recommend using - names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - example: SHA256-RSA - default_field: false - - name: subject.common_name - level: extended - type: keyword - ignore_above: 1024 - description: List of common names (CN) of subject. - example: shared.global.example.net - default_field: false - - name: subject.country - level: extended - type: keyword - ignore_above: 1024 - description: List of country \(C) code - example: US - default_field: false - - name: subject.distinguished_name - level: extended - type: keyword - ignore_above: 1024 - description: Distinguished name (DN) of the certificate subject entity. - example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net - default_field: false - - name: subject.locality - level: extended - type: keyword - ignore_above: 1024 - description: List of locality names (L) - example: San Francisco - default_field: false - - name: subject.organization - level: extended - type: keyword - ignore_above: 1024 - description: List of organizations (O) of subject. - example: Example, Inc. 
- default_field: false - - name: subject.organizational_unit - level: extended - type: keyword - ignore_above: 1024 - description: List of organizational units (OU) of subject. - default_field: false - - name: subject.state_or_province - level: extended - type: keyword - ignore_above: 1024 - description: List of state or province names (ST, S, or P) - example: California - default_field: false - - name: version_number - level: extended - type: keyword - ignore_above: 1024 - description: Version of x509 format. - example: 3 - default_field: false diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index c13db67d1a..3e0b8c5d52 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -122,32 +122,6 @@ ignore_above: 1024 description: Version of the agent. example: 6.0.0-rc2 - - name: as - title: Autonomous System - group: 2 - description: An autonomous system (AS) is a collection of connected Internet Protocol - (IP) routing prefixes under the control of one or more network operators on - behalf of a single administrative entity or domain that presents a common, clearly - defined routing policy to the internet. - type: group - default_field: true - fields: - - name: number - level: extended - type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - - name: organization.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - default_field: false - description: Organization name. - example: Google LLC - name: client title: Client group: 2 
@@ -727,91 +701,6 @@ Examples: app engine, app service, cloud run, fargate, lambda.' example: lambda default_field: false - - name: code_signature - title: Code Signature - group: 2 - description: These fields contain information about binary code signatures. - type: group - default_field: true - fields: - - name: digest_algorithm - level: extended - type: keyword - ignore_above: 1024 - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - default_field: false - - name: exists - level: core - type: boolean - description: Boolean to capture if a signature is present. - example: 'true' - default_field: false - - name: signing_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - default_field: false - - name: status - level: extended - type: keyword - ignore_above: 1024 - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - default_field: false - - name: subject_name - level: core - type: keyword - ignore_above: 1024 - description: Subject name of the code signer - example: Microsoft Corporation - default_field: false - - name: team_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' 
- example: EQHXZ8M8AV - default_field: false - - name: timestamp - level: extended - type: date - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - default_field: false - - name: trusted - level: extended - type: boolean - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - default_field: false - - name: valid - level: extended - type: boolean - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - default_field: false - name: container title: Container group: 2 
@@ -1797,425 +1686,172 @@ ECS versions -- this field lets integrations adjust to the schema version of the events.' example: 1.0.0 - - name: elf - title: ELF Header + - name: email + title: Email group: 2 - description: These fields contain Linux Executable Linkable Format (ELF) metadata. + description: 'Event details relating to an email transaction. + + This field set focuses on the email message header, body, and attachments. Network + protocols that send and receive email messages such as SMTP are outside the + scope of the `email.*` fields.' type: group default_field: true fields: - - name: architecture + - name: attachments level: extended - type: keyword - ignore_above: 1024 - description: Machine architecture of the ELF file. - example: x86-64 + type: nested + description: A list of objects describing the attachment files sent along with + an email message. default_field: false - - name: byte_order + - name: attachments.file.extension level: extended type: keyword ignore_above: 1024 - description: Byte sequence of ELF file. - example: Little Endian + description: Attachment file extension, excluding the leading dot. + example: txt default_field: false - - name: cpu_type + - name: attachments.file.hash.md5 level: extended type: keyword ignore_above: 1024 - description: CPU type of the ELF file. - example: Intel - default_field: false - - name: creation_date - level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - default_field: false - - name: exports - level: extended - type: flattened - description: List of exported element names and types. + description: MD5 hash. default_field: false - - name: go_import_hash + - name: attachments.file.hash.sha1 level: extended type: keyword ignore_above: 1024 - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. 
An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available [here](https://github.com/elastic/toutoumomoma).' - example: 10bddcb4cee42080f76c88d9ff964491 + description: SHA1 hash. default_field: false - - name: go_imports + - name: attachments.file.hash.sha256 level: extended - type: flattened - description: List of imported Go language element names and types. + type: keyword + ignore_above: 1024 + description: SHA256 hash. default_field: false - - name: go_imports_names_entropy + - name: attachments.file.hash.sha384 level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. + type: keyword + ignore_above: 1024 + description: SHA384 hash. default_field: false - - name: go_imports_names_var_entropy + - name: attachments.file.hash.sha512 level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. + type: keyword + ignore_above: 1024 + description: SHA512 hash. default_field: false - - name: go_stripped + - name: attachments.file.hash.ssdeep level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. + type: keyword + ignore_above: 1024 + description: SSDEEP hash. default_field: false - - name: header.abi_version + - name: attachments.file.hash.tlsh level: extended type: keyword ignore_above: 1024 - description: Version of the ELF Application Binary Interface (ABI). + description: TLSH hash. default_field: false - - name: header.class + - name: attachments.file.mime_type level: extended type: keyword ignore_above: 1024 - description: Header class of the ELF file. 
+ description: 'The MIME media type of the attachment. + + This value will typically be extracted from the `Content-Type` MIME header + field.' + example: text/plain default_field: false - - name: header.data + - name: attachments.file.name level: extended type: keyword ignore_above: 1024 - description: Data table of the ELF header. + description: Name of the attachment file including the file extension. + example: attachment.txt default_field: false - - name: header.entrypoint + - name: attachments.file.size level: extended type: long - format: string - description: Header entrypoint of the ELF file. + description: Attachment file size in bytes. + example: 64329 default_field: false - - name: header.object_version + - name: bcc.address level: extended type: keyword ignore_above: 1024 - description: '"0x1" for original ELF files.' + description: The email address of BCC recipient + example: bcc.user1@example.com default_field: false - - name: header.os_abi + - name: cc.address level: extended type: keyword ignore_above: 1024 - description: Application Binary Interface (ABI) of the Linux OS. + description: The email address of CC recipient + example: cc.user1@example.com default_field: false - - name: header.type + - name: content_type level: extended type: keyword ignore_above: 1024 - description: Header type of the ELF file. + description: 'Information about how the message is to be displayed. + + Typically a MIME type.' + example: text/plain + default_field: false + - name: delivery_timestamp + level: extended + type: date + description: The date and time when the email message was received by the service + or client. + example: '2020-11-10T22:12:34.8196921Z' default_field: false - - name: header.version + - name: direction level: extended type: keyword ignore_above: 1024 - description: Version of the ELF header. + description: The direction of the message based on the sending and receiving + domains. 
+ example: inbound default_field: false - - name: import_hash + - name: from.address level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e + description: The email address of the sender, typically from the RFC 5322 `From:` + header field. + example: sender@example.com default_field: false - - name: imports + - name: local_id level: extended - type: flattened - description: List of imported element names and types. + type: keyword + ignore_above: 1024 + description: 'Unique identifier given to the email by the source that created + the event. + + Identifier is not persistent across hops.' + example: c26dbea0-80d5-463b-b93c-4e8b708219ce default_field: false - - name: imports_names_entropy + - name: message_id level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. + type: wildcard + description: Identifier from the RFC 5322 `Message-ID:` email header that refers + to a particular email message. + example: 81ce15$8r2j59@mail01.example.com default_field: false - - name: imports_names_var_entropy + - name: origination_timestamp level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. + type: date + description: The date and time the email message was composed. Many email clients + will fill in this value automatically when the message is sent by a user. 
+ example: '2020-11-10T22:12:34.8196921Z' default_field: false - - name: sections + - name: reply_to.address level: extended - type: nested - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - default_field: false - - name: sections.chi2 - level: extended - type: long - format: number - description: Chi-square probability distribution of the section. - default_field: false - - name: sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: sections.flags - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List flags. - default_field: false - - name: sections.name - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List name. - default_field: false - - name: sections.physical_offset - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List offset. - default_field: false - - name: sections.physical_size - level: extended - type: long - format: bytes - description: ELF Section List physical size. - default_field: false - - name: sections.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List type. - default_field: false - - name: sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: sections.virtual_address - level: extended - type: long - format: string - description: ELF Section List virtual address. - default_field: false - - name: sections.virtual_size - level: extended - type: long - format: string - description: ELF Section List virtual size. 
- default_field: false - - name: segments - level: extended - type: nested - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - default_field: false - - name: segments.sections - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment sections. - default_field: false - - name: segments.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment type. - default_field: false - - name: shared_libraries - level: extended - type: keyword - ignore_above: 1024 - description: List of shared libraries used by this ELF object. - default_field: false - - name: telfhash - level: extended - type: keyword - ignore_above: 1024 - description: telfhash symbol hash for ELF file. - default_field: false - - name: email - title: Email - group: 2 - description: 'Event details relating to an email transaction. - - This field set focuses on the email message header, body, and attachments. Network - protocols that send and receive email messages such as SMTP are outside the - scope of the `email.*` fields.' - type: group - default_field: true - fields: - - name: attachments - level: extended - type: nested - description: A list of objects describing the attachment files sent along with - an email message. - default_field: false - - name: attachments.file.extension - level: extended - type: keyword - ignore_above: 1024 - description: Attachment file extension, excluding the leading dot. - example: txt - default_field: false - - name: attachments.file.hash.md5 - level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash. - default_field: false - - name: attachments.file.hash.sha1 - level: extended - type: keyword - ignore_above: 1024 - description: SHA1 hash. 
- default_field: false - - name: attachments.file.hash.sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash. - default_field: false - - name: attachments.file.hash.sha384 - level: extended - type: keyword - ignore_above: 1024 - description: SHA384 hash. - default_field: false - - name: attachments.file.hash.sha512 - level: extended - type: keyword - ignore_above: 1024 - description: SHA512 hash. - default_field: false - - name: attachments.file.hash.ssdeep - level: extended - type: keyword - ignore_above: 1024 - description: SSDEEP hash. - default_field: false - - name: attachments.file.hash.tlsh - level: extended - type: keyword - ignore_above: 1024 - description: TLSH hash. - default_field: false - - name: attachments.file.mime_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The MIME media type of the attachment. - - This value will typically be extracted from the `Content-Type` MIME header - field.' - example: text/plain - default_field: false - - name: attachments.file.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the attachment file including the file extension. - example: attachment.txt - default_field: false - - name: attachments.file.size - level: extended - type: long - description: Attachment file size in bytes. - example: 64329 - default_field: false - - name: bcc.address - level: extended - type: keyword - ignore_above: 1024 - description: The email address of BCC recipient - example: bcc.user1@example.com - default_field: false - - name: cc.address - level: extended - type: keyword - ignore_above: 1024 - description: The email address of CC recipient - example: cc.user1@example.com - default_field: false - - name: content_type - level: extended - type: keyword - ignore_above: 1024 - description: 'Information about how the message is to be displayed. - - Typically a MIME type.' 
- example: text/plain - default_field: false - - name: delivery_timestamp - level: extended - type: date - description: The date and time when the email message was received by the service - or client. - example: '2020-11-10T22:12:34.8196921Z' - default_field: false - - name: direction - level: extended - type: keyword - ignore_above: 1024 - description: The direction of the message based on the sending and receiving - domains. - example: inbound - default_field: false - - name: from.address - level: extended - type: keyword - ignore_above: 1024 - description: The email address of the sender, typically from the RFC 5322 `From:` - header field. - example: sender@example.com - default_field: false - - name: local_id - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique identifier given to the email by the source that created - the event. - - Identifier is not persistent across hops.' - example: c26dbea0-80d5-463b-b93c-4e8b708219ce - default_field: false - - name: message_id - level: extended - type: wildcard - description: Identifier from the RFC 5322 `Message-ID:` email header that refers - to a particular email message. - example: 81ce15$8r2j59@mail01.example.com - default_field: false - - name: origination_timestamp - level: extended - type: date - description: The date and time the email message was composed. Many email clients - will fill in this value automatically when the message is sent by a user. - example: '2020-11-10T22:12:34.8196921Z' - default_field: false - - name: reply_to.address - level: extended - type: keyword - ignore_above: 1024 - description: The address that replies should be delivered to based on the value - in the RFC 5322 `Reply-To:` header. - example: reply.here@example.com + type: keyword + ignore_above: 1024 + description: The address that replies should be delivered to based on the value + in the RFC 5322 `Reply-To:` header. 
+ example: reply.here@example.com default_field: false - name: sender.address level: extended 
@@ -3672,104 +3308,16 @@ description: Version of x509 format. example: 3 default_field: false - - name: geo - title: Geo + - name: group + title: Group group: 2 - description: 'Geo fields can carry data about a specific location related to an - event. - - This geolocation information can be derived from techniques such as Geo IP, - or be user-supplied.' + description: The group fields are meant to represent groups that are relevant + to the event. type: group default_field: true fields: - - name: city_name - level: core - type: keyword - ignore_above: 1024 - description: City name. - example: Montreal - - name: continent_code - level: core - type: keyword - ignore_above: 1024 - description: Two-letter code representing continent's name. - example: NA - default_field: false - - name: continent_name - level: core - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America - - name: country_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - - name: country_name - level: core - type: keyword - ignore_above: 1024 - description: Country name. - example: Canada - - name: location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - - name: postal_code - level: core - type: keyword - ignore_above: 1024 - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' 
- example: 94040 - default_field: false - - name: region_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Region ISO code. - example: CA-QC - - name: region_name - level: core - type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec - - name: timezone - level: core - type: keyword - ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - default_field: false - - name: group - title: Group - group: 2 - description: The group fields are meant to represent groups that are relevant - to the event. - type: group - default_field: true - fields: - - name: domain - level: extended + - name: domain + level: extended type: keyword ignore_above: 1024 description: 'Name of the directory the group is a member of. 
@@ -3785,60 +3333,6 @@ type: keyword ignore_above: 1024 description: Name of the group. - - name: hash - title: Hash - group: 2 - description: 'The hash fields represent different bitwise hash algorithms and - their values. - - Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for - other hashes by lowercasing the hash algorithm name and using underscore separators - as appropriate (snake case, e.g. sha3_512). - - Note that this fieldset is used for common hashes that may be computed over - a range of generic bytes. Entity-specific hashes such as ja3 or imphash are - placed in the fieldsets to which they relate (tls and pe, respectively).' - type: group - default_field: true - fields: - - name: md5 - level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash. - - name: sha1 - level: extended - type: keyword - ignore_above: 1024 - description: SHA1 hash. - - name: sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash. - - name: sha384 - level: extended - type: keyword - ignore_above: 1024 - description: SHA384 hash. - default_field: false - - name: sha512 - level: extended - type: keyword - ignore_above: 1024 - description: SHA512 hash. - - name: ssdeep - level: extended - type: keyword - ignore_above: 1024 - description: SSDEEP hash. - default_field: false - - name: tlsh - level: extended - type: keyword - ignore_above: 1024 - description: TLSH hash. - default_field: false - name: host title: Host group: 2 
@@ -4279,40 +3773,6 @@ ignore_above: 1024 description: HTTP version. example: 1.1 - - name: interface - title: Interface - group: 2 - description: The interface fields are used to record ingress and egress interface - information when reported by an observer (e.g. firewall, router, load balancer) - in the context of the observer handling a network connection. In the case of - a single observer interface (e.g. network sensor on a span port) only the observer.ingress - information should be populated. - type: group - default_field: true - fields: - - name: alias - level: extended - type: keyword - ignore_above: 1024 - description: Interface alias as reported by the system, typically used in firewall - implementations for e.g. inside, outside, or dmz logical interface naming. - example: outside - default_field: false - - name: id - level: extended - type: keyword - ignore_above: 1024 - description: Interface ID as reported by an observer (typically SNMP interface - ID). - example: 10 - default_field: false - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Interface name as reported by the system. - example: eth0 - default_field: false - name: log title: Log group: 2 
@@ -4477,128 +3937,6 @@ for RFC 5424 messages. example: 1 default_field: false - - name: macho - title: Mach-O Header - group: 2 - description: These fields contain Mac OS Mach Object file format (Mach-O) metadata. - type: group - default_field: true - fields: - - name: go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available [here](https://github.com/elastic/toutoumomoma).' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' 
- example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: sections - level: extended - type: nested - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - default_field: false - - name: sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: sections.name - level: extended - type: keyword - ignore_above: 1024 - description: Mach-O Section List name. - default_field: false - - name: sections.physical_size - level: extended - type: long - format: bytes - description: Mach-O Section List physical size. - default_field: false - - name: sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: sections.virtual_size - level: extended - type: long - format: string - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: symhash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. 
An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - default_field: false - name: network title: Network group: 2 
@@ -5212,69 +4550,6 @@ type: match_only_text default_field: false description: Organization name. - - name: os - title: Operating System - group: 2 - description: The OS fields contain information about the operating system. - type: group - default_field: true - fields: - - name: family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: full - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - default_field: false - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: type - level: extended - type: keyword - ignore_above: 1024 - description: 'Use the `os.type` field to categorize the operating system into - one of the broad commercial families. - - If the OS you''re dealing with is not listed as an expected value, the field - should not be populated. Please let us know by opening an issue with ECS, - to propose its addition.' - example: macos - default_field: false - - name: version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - name: package title: Package group: 2 
@@ -5336,219 +4611,44 @@ level: extended type: keyword ignore_above: 1024 - description: Package name - example: go - - name: path - level: extended - type: keyword - ignore_above: 1024 - description: Path where the package is installed. - example: /usr/local/Cellar/go/1.12.9/ - - name: reference - level: extended - type: keyword - ignore_above: 1024 - description: Home page or reference URL of the software in this package, if - available. - example: https://golang.org - default_field: false - - name: size - level: extended - type: long - format: string - description: Package size in bytes. - example: 62231 - - name: type - level: extended - type: keyword - ignore_above: 1024 - description: 'Type of package. - - This should contain the package file type, rather than the package manager - name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar.' - example: rpm - default_field: false - - name: version - level: extended - type: keyword - ignore_above: 1024 - description: Package version - example: 1.12.9 - - name: pe - title: PE Header - group: 2 - description: These fields contain Windows Portable Executable (PE) metadata. - type: group - default_field: true - fields: - - name: architecture - level: extended - type: keyword - ignore_above: 1024 - description: CPU architecture target for the file. - example: x64 - default_field: false - - name: company - level: extended - type: keyword - ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - default_field: false - - name: description - level: extended - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint - default_field: false - - name: file_version - level: extended - type: keyword - ignore_above: 1024 - description: Internal version of the file, provided at compile-time. 
- example: 6.3.9600.17415 - default_field: false - - name: go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available [here](https://github.com/elastic/toutoumomoma).' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: imphash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' 
- example: 0c6803c4e922103c4dca5963aad36ddf - default_field: false - - name: import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: original_file_name - level: extended - type: keyword - ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - default_field: false - - name: pehash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - default_field: false - - name: product - level: extended - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. 
- example: "Microsoft\xAE Windows\xAE Operating System" - default_field: false - - name: sections - level: extended - type: nested - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - default_field: false - - name: sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: sections.name - level: extended - type: keyword - ignore_above: 1024 - description: PE Section List name. - default_field: false - - name: sections.physical_size + description: Package name + example: go + - name: path level: extended - type: long - format: bytes - description: PE Section List physical size. - default_field: false - - name: sections.var_entropy + type: keyword + ignore_above: 1024 + description: Path where the package is installed. + example: /usr/local/Cellar/go/1.12.9/ + - name: reference level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. + type: keyword + ignore_above: 1024 + description: Home page or reference URL of the software in this package, if + available. + example: https://golang.org default_field: false - - name: sections.virtual_size + - name: size level: extended type: long format: string - description: PE Section List virtual size. This is always the same as `physical_size`. + description: Package size in bytes. + example: 62231 + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: 'Type of package. + + This should contain the package file type, rather than the package manager + name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar.' + example: rpm default_field: false + - name: version + level: extended + type: keyword + ignore_above: 1024 + description: Package version + example: 1.12.9 - name: process title: Process group: 2 
@@ -8727,62 +7827,6 @@ ignore_above: 1024 description: All the user names or other user identifiers seen on the event. default_field: false - - name: risk - title: Risk information - group: 2 - description: Fields for describing risk score and risk level of entities such - as hosts and users. These fields are not allowed to be nested under `event.*`. - Please continue to use `event.risk_score` and `event.risk_score_norm` for event - risk. - type: group - default_field: true - fields: - - name: calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. 
- example: 83.0 - default_field: false - name: rule title: Rule group: 2 @@ -14351,42 +13395,6 @@ ignore_above: 1024 description: Version of the user agent. example: 12.0 - - name: vlan - title: VLAN - group: 2 - description: 'The VLAN fields are used to identify 802.1q tag(s) of a packet, - as well as ingress and egress VLAN associations of an observer in relation to - a specific packet or connection. - - Network.vlan fields are used to record a single VLAN tag, or the outer tag in - the case of q-in-q encapsulations, for a packet or connection as observed, typically - provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. - - Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple - 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. - Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should - only be used in addition to network.vlan fields to indicate q-in-q tagging. - - Observer.ingress and observer.egress VLAN values are used to record observer - specific information when observer events contain discrete ingress and egress - VLAN information, typically provided by firewalls, routers, or load balancers.' - type: group - default_field: true - fields: - - name: id - level: extended - type: keyword - ignore_above: 1024 - description: VLAN ID as reported by the observer. - example: 10 - default_field: false - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Optional VLAN name as reported by the observer. - example: outside - default_field: false - name: vulnerability title: Vulnerability group: 2 
@@ -14516,193 +13524,3 @@ prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) example: Critical default_field: false - - name: x509 - title: x509 Certificate - group: 2 - description: 'This implements the common core fields for x509 certificates. This - information is likely logged with TLS sessions, digital signatures found in - executable binaries, S/MIME information in email bodies, or analysis of files - on disk. - - When the certificate relates to a file, use the fields at `file.x509`. When - hashes of the DER-encoded certificate are available, the `hash` data set should - be populated as well (e.g. `file.hash.sha256`). - - Events that contain certificate information about network connections, should - use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or - `tls.client.x509`.' - type: group - default_field: true - fields: - - name: alternative_names - level: extended - type: keyword - ignore_above: 1024 - description: List of subject alternative names (SAN). Name types vary by certificate - authority and certificate type but commonly contain IP addresses, DNS names - (and wildcards), and email addresses. - example: '*.elastic.co' - default_field: false - - name: issuer.common_name - level: extended - type: keyword - ignore_above: 1024 - description: List of common name (CN) of issuing certificate authority. - example: Example SHA2 High Assurance Server CA - default_field: false - - name: issuer.country - level: extended - type: keyword - ignore_above: 1024 - description: List of country \(C) codes - example: US - default_field: false - - name: issuer.distinguished_name - level: extended - type: keyword - ignore_above: 1024 - description: Distinguished name (DN) of issuing certificate authority. 
- example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance - Server CA - default_field: false - - name: issuer.locality - level: extended - type: keyword - ignore_above: 1024 - description: List of locality names (L) - example: Mountain View - default_field: false - - name: issuer.organization - level: extended - type: keyword - ignore_above: 1024 - description: List of organizations (O) of issuing certificate authority. - example: Example Inc - default_field: false - - name: issuer.organizational_unit - level: extended - type: keyword - ignore_above: 1024 - description: List of organizational units (OU) of issuing certificate authority. - example: www.example.com - default_field: false - - name: issuer.state_or_province - level: extended - type: keyword - ignore_above: 1024 - description: List of state or province names (ST, S, or P) - example: California - default_field: false - - name: not_after - level: extended - type: date - description: Time at which the certificate is no longer considered valid. - example: '2020-07-16T03:15:39Z' - default_field: false - - name: not_before - level: extended - type: date - description: Time at which the certificate is first considered valid. - example: '2019-08-16T01:40:25Z' - default_field: false - - name: public_key_algorithm - level: extended - type: keyword - ignore_above: 1024 - description: Algorithm used to generate the public key. - example: RSA - default_field: false - - name: public_key_curve - level: extended - type: keyword - ignore_above: 1024 - description: The curve used by the elliptic curve public key algorithm. This - is algorithm specific. - example: nistp521 - default_field: false - - name: public_key_exponent - level: extended - type: long - description: Exponent used to derive the public key. This is algorithm specific. 
- example: 65537 - index: false - doc_values: false - default_field: false - - name: public_key_size - level: extended - type: long - description: The size of the public key space in bits. - example: 2048 - default_field: false - - name: serial_number - level: extended - type: keyword - ignore_above: 1024 - description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. - example: 55FBB9C7DEBF09809D12CCAA - default_field: false - - name: signature_algorithm - level: extended - type: keyword - ignore_above: 1024 - description: Identifier for certificate signature algorithm. We recommend using - names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - example: SHA256-RSA - default_field: false - - name: subject.common_name - level: extended - type: keyword - ignore_above: 1024 - description: List of common names (CN) of subject. - example: shared.global.example.net - default_field: false - - name: subject.country - level: extended - type: keyword - ignore_above: 1024 - description: List of country \(C) code - example: US - default_field: false - - name: subject.distinguished_name - level: extended - type: keyword - ignore_above: 1024 - description: Distinguished name (DN) of the certificate subject entity. - example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net - default_field: false - - name: subject.locality - level: extended - type: keyword - ignore_above: 1024 - description: List of locality names (L) - example: San Francisco - default_field: false - - name: subject.organization - level: extended - type: keyword - ignore_above: 1024 - description: List of organizations (O) of subject. - example: Example, Inc. 
- default_field: false - - name: subject.organizational_unit - level: extended - type: keyword - ignore_above: 1024 - description: List of organizational units (OU) of subject. - default_field: false - - name: subject.state_or_province - level: extended - type: keyword - ignore_above: 1024 - description: List of state or province names (ST, S, or P) - example: California - default_field: false - - name: version_number - level: extended - type: keyword - ignore_above: 1024 - description: Version of x509 format. - example: 3 - default_field: false diff --git a/scripts/generators/beats.py b/scripts/generators/beats.py index b6422a86fd..fc9d46f972 100644 --- a/scripts/generators/beats.py +++ b/scripts/generators/beats.py @@ -36,6 +36,7 @@ def generate( out_dir: str ) -> None: # base first + ecs_nested = ecs_helpers.remove_top_level_reusable_false(ecs_nested) beats_fields: List[OrderedDict] = fieldset_field_array(ecs_nested['base']['fields'], ecs_nested['base']['prefix']) allowed_fieldset_keys: List[str] = ['name', 'title', 'group', 'description', 'footnote', 'type'] diff --git a/scripts/generators/ecs_helpers.py b/scripts/generators/ecs_helpers.py index a39a5bc463..84c6759e3e 100644 --- a/scripts/generators/ecs_helpers.py +++ b/scripts/generators/ecs_helpers.py @@ -254,6 +254,17 @@ def is_intermediate(field: FieldEntry) -> bool: return ('intermediate' in field['field_details'] and field['field_details']['intermediate']) +def remove_top_level_reusable_false(ecs_nested: Dict[str, FieldNestedEntry]) -> Dict[str, FieldNestedEntry]: + """Returns same structure as ecs_nested, but skips all field sets with reusable.top_level: False""" + components: Dict[str, FieldNestedEntry] = {} + for (fieldset_name, fieldset) in ecs_nested.items(): + if fieldset.get('reusable', None): + if not fieldset['reusable']['top_level']: + continue + components[fieldset_name] = fieldset + return components + + # Warning helper 
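Review bot: in the `remove_top_level_reusable_false` hunk, `fieldset['reusable']['top_level']` raises a KeyError for any field set whose `reusable` block omits `top_level`, and the nested `if` is harder to read than it needs to be; unless the schema cleaner already fills that key in (assuming its default is `top_level: true`), collapse the two checks into `if fieldset.get('reusable', {}).get('top_level', True) is False: continue` so a missing key keeps the field set instead of crashing the generator. The docstring should also say that beats.py and both callers in es_template.py now rely on this one function, since it has become the single place that decides which field sets appear at top level, and the new unit test only covers the `top_level: False` and no-`reusable` cases, not a `reusable` block with `top_level: True` or without `top_level` at all.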
diff --git a/scripts/generators/es_template.py b/scripts/generators/es_template.py index 4c78b9ff6f..fa9fdda9c0 100644 --- a/scripts/generators/es_template.py +++ b/scripts/generators/es_template.py @@ -65,7 +65,7 @@ def all_component_templates( component_dir: str = join(out_dir, 'elasticsearch/composable/component') ecs_helpers.make_dirs(component_dir) - for (fieldset_name, fieldset) in candidate_components(ecs_nested).items(): + for (fieldset_name, fieldset) in ecs_helpers.remove_top_level_reusable_false(ecs_nested).items(): field_mappings = {} for (flat_name, field) in fieldset['fields'].items(): name_parts = flat_name.split('.') @@ -104,22 +104,11 @@ def component_name_convention( ) -> List[str]: version: str = ecs_version.replace('+', '-') names: List[str] = [] - for (fieldset_name, fieldset) in candidate_components(ecs_nested).items(): + for (fieldset_name, fieldset) in ecs_helpers.remove_top_level_reusable_false(ecs_nested).items(): names.append("ecs_{}_{}".format(version, fieldset_name.lower())) return names -def candidate_components(ecs_nested: Dict[str, FieldNestedEntry]) -> Dict[str, FieldNestedEntry]: - """Returns same structure as ecs_nested, but skips all field sets with reusable.top_level: False""" - components: Dict[str, FieldNestedEntry] = {} - for (fieldset_name, fieldset) in ecs_nested.items(): - if fieldset.get('reusable', None): - if not fieldset['reusable']['top_level']: - continue - components[fieldset_name] = fieldset - return components - - # Legacy template diff --git a/scripts/tests/test_ecs_helpers.py b/scripts/tests/test_ecs_helpers.py index d2413cd64b..a1b2af4fc0 100644 --- a/scripts/tests/test_ecs_helpers.py +++ b/scripts/tests/test_ecs_helpers.py 
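Review bot: the two es_template.py hunks call `ecs_helpers.remove_top_level_reusable_false(ecs_nested)` once in `all_component_templates` and again in `component_name_convention`, so the filtered copy is built twice per generation run; that is harmless for a pure function, but because the component template files written by the first and the names listed by the second must agree, a one-line comment on `component_name_convention` stating that it must apply the same filter as `all_component_templates` would make the coupling explicit for whoever edits one of them later. Deleting `candidate_components` here is otherwise a straight move into ecs_helpers with the body unchanged.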
@@ -157,6 +157,18 @@ def test_glob_yaml_files(self): ecs_helpers.glob_yaml_files('schemas/*.yml'))) >= min_schema_count) self.assertEqual(len(ecs_helpers.glob_yaml_files(ecs_helpers.glob_yaml_files('schemas/*.yaml'))), 0) + # Remove top_level:false field sets helper + + def test_remove_top_level_false_field_sets(self): + nested_schema_original = { + 'as': {'group': 2, 'name': 'as', 'reusable': {'top_level': False}}, + 'agent': {'group': 2, 'name': 'agent'}, + } + nested_schema_expected = { + 'agent': {'group': 2, 'name': 'agent'} + } + self.assertEqual(ecs_helpers.remove_top_level_reusable_false(nested_schema_original), nested_schema_expected) + if __name__ == '__main__': unittest.main() From 8752db51efe97b0f79d179f318813229ebfeefad Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Mon, 2 Oct 2023 11:55:14 -0500 Subject: [PATCH 124/186] Remove `expected_values` from *.indicator.name field defs (#2281) * remove expected_values for indicator.name fields * generate artifacts * changelog --- CHANGELOG.next.md | 2 ++ docs/fields/field-details.asciidoc | 28 ++--------------- experimental/generated/beats/fields.ecs.yml | 10 ++++-- experimental/generated/ecs/ecs_flat.yml | 34 +++++---------------- experimental/generated/ecs/ecs_nested.yml | 34 +++++---------------- generated/beats/fields.ecs.yml | 10 ++++-- generated/ecs/ecs_flat.yml | 34 +++++---------------- generated/ecs/ecs_nested.yml | 34 +++++---------------- schemas/threat.yml | 30 ++++-------------- 9 files changed, 58 insertions(+), 158 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 2fec6bc55b..fc526611f1 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -14,6 +14,8 @@ Thanks, you're awesome :-) --> #### Bugfixes +* Remove `expected_values` from `threat.*.indicator.name` fields. #2281 + #### Added #### Improvements diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index b5d67924ff..7317aade5c 100644 --- a/docs/fields/field-details.asciidoc 
+++ b/docs/fields/field-details.asciidoc @@ -10526,19 +10526,7 @@ example: `2020-11-05T17:25:47.000Z` a| The display name indicator in an UI friendly format -Expected values for this field: - -* `5.2.75.227` -* `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6` -* `https://example.com/some/path` -* `example.com` -* `373d34874d7bc89fd4cefa6272ee80bf` -* `b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7` -* `email@example.com` -* `HKLM\\SOFTWARE\\Microsoft\\Active` -* `13335` -* `00:00:5e:00:53:af` -* `8008` +URL, IP address, email address, registry key, port number, hash value, or other relevant name can serve as the display name. type: keyword @@ -11084,19 +11072,7 @@ example: `2020-11-05T17:25:47.000Z` a| The display name indicator in an UI friendly format -Expected values for this field: - -* `5.2.75.227` -* `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6` -* `https://example.com/some/path` -* `example.com` -* `373d34874d7bc89fd4cefa6272ee80bf` -* `b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7` -* `email@example.com` -* `HKLM\\SOFTWARE\\Microsoft\\Active` -* `13335` -* `00:00:5e:00:53:af` -* `8008` +URL, IP address, email address, registry key, port number, hash value, or other relevant name can serve as the display name. type: keyword diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 41ce694b58..7018f4b333 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -10077,7 +10077,10 @@ level: extended type: keyword ignore_above: 1024 - description: The display name indicator in an UI friendly format + description: 'The display name indicator in an UI friendly format + + URL, IP address, email address, registry key, port number, hash value, or + other relevant name can serve as the display name.' example: 5.2.75.227 default_field: false - name: enrichments.indicator.port 
@@ -11681,7 +11684,10 @@ level: extended type: keyword ignore_above: 1024 - description: The display name indicator in an UI friendly format + description: 'The display name indicator in an UI friendly format + + URL, IP address, email address, registry key, port number, hash value, or + other relevant name can serve as the display name.' example: 5.2.75.227 default_field: false - name: indicator.port diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 151c000712..c46dee2556 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -16325,20 +16325,11 @@ threat.enrichments.indicator.modified_at: type: date threat.enrichments.indicator.name: dashed_name: threat-enrichments-indicator-name - description: The display name indicator in an UI friendly format + description: 'The display name indicator in an UI friendly format + + URL, IP address, email address, registry key, port number, hash value, or other + relevant name can serve as the display name.' example: 5.2.75.227 - expected_values: - - 5.2.75.227 - - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 - - https://example.com/some/path - - example.com - - 373d34874d7bc89fd4cefa6272ee80bf - - b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7 - - email@example.com - - HKLM\\SOFTWARE\\Microsoft\\Active - - 13335 - - 00:00:5e:00:53:af - - 8008 flat_name: threat.enrichments.indicator.name ignore_above: 1024 level: extended 
@@ -19044,20 +19035,11 @@ threat.indicator.modified_at: type: date threat.indicator.name: dashed_name: threat-indicator-name - description: The display name indicator in an UI friendly format + description: 'The display name indicator in an UI friendly format + + URL, IP address, email address, registry key, port number, hash value, or other + relevant name can serve as the display name.' example: 5.2.75.227 - expected_values: - - 5.2.75.227 - - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 - - https://example.com/some/path - - example.com - - 373d34874d7bc89fd4cefa6272ee80bf - - b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7 - - email@example.com - - HKLM\\SOFTWARE\\Microsoft\\Active - - 13335 - - 00:00:5e:00:53:af - - 8008 flat_name: threat.indicator.name ignore_above: 1024 level: extended diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 326f4a15e3..bb26762db2 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -18992,20 +18992,11 @@ threat: type: date threat.enrichments.indicator.name: dashed_name: threat-enrichments-indicator-name - description: The display name indicator in an UI friendly format + description: 'The display name indicator in an UI friendly format + + URL, IP address, email address, registry key, port number, hash value, or + other relevant name can serve as the display name.' example: 5.2.75.227 - expected_values: - - 5.2.75.227 - - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 - - https://example.com/some/path - - example.com - - 373d34874d7bc89fd4cefa6272ee80bf - - b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7 - - email@example.com - - HKLM\\SOFTWARE\\Microsoft\\Active - - 13335 - - 00:00:5e:00:53:af - - 8008 flat_name: threat.enrichments.indicator.name ignore_above: 1024 level: extended 
@@ -21717,20 +21708,11 @@ threat: type: date threat.indicator.name: dashed_name: threat-indicator-name - description: The display name indicator in an UI friendly format + description: 'The display name indicator in an UI friendly format + + URL, IP address, email address, registry key, port number, hash value, or + other relevant name can serve as the display name.' example: 5.2.75.227 - expected_values: - - 5.2.75.227 - - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 - - https://example.com/some/path - - example.com - - 373d34874d7bc89fd4cefa6272ee80bf - - b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7 - - email@example.com - - HKLM\\SOFTWARE\\Microsoft\\Active - - 13335 - - 00:00:5e:00:53:af - - 8008 flat_name: threat.indicator.name ignore_above: 1024 level: extended diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 3e0b8c5d52..822c3ddeff 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -10027,7 +10027,10 @@ level: extended type: keyword ignore_above: 1024 - description: The display name indicator in an UI friendly format + description: 'The display name indicator in an UI friendly format + + URL, IP address, email address, registry key, port number, hash value, or + other relevant name can serve as the display name.' example: 5.2.75.227 default_field: false - name: enrichments.indicator.port @@ -11631,7 +11634,10 @@ level: extended type: keyword ignore_above: 1024 - description: The display name indicator in an UI friendly format + description: 'The display name indicator in an UI friendly format + + URL, IP address, email address, registry key, port number, hash value, or + other relevant name can serve as the display name.' example: 5.2.75.227 default_field: false - name: indicator.port diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index d38886a565..03591ada52 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -16256,20 +16256,11 @@ threat.enrichments.indicator.modified_at: type: date threat.enrichments.indicator.name: dashed_name: threat-enrichments-indicator-name - description: The display name indicator in an UI friendly format + description: 'The display name indicator in an UI friendly format + + URL, IP address, email address, registry key, port number, hash value, or other + relevant name can serve as the display name.' example: 5.2.75.227 - expected_values: - - 5.2.75.227 - - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 - - https://example.com/some/path - - example.com - - 373d34874d7bc89fd4cefa6272ee80bf - - b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7 - - email@example.com - - HKLM\\SOFTWARE\\Microsoft\\Active - - 13335 - - 00:00:5e:00:53:af - - 8008 flat_name: threat.enrichments.indicator.name ignore_above: 1024 level: extended @@ -18975,20 +18966,11 @@ threat.indicator.modified_at: type: date threat.indicator.name: dashed_name: threat-indicator-name - description: The display name indicator in an UI friendly format + description: 'The display name indicator in an UI friendly format + + URL, IP address, email address, registry key, port number, hash value, or other + relevant name can serve as the display name.' example: 5.2.75.227 - expected_values: - - 5.2.75.227 - - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 - - https://example.com/some/path - - example.com - - 373d34874d7bc89fd4cefa6272ee80bf - - b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7 - - email@example.com - - HKLM\\SOFTWARE\\Microsoft\\Active - - 13335 - - 00:00:5e:00:53:af - - 8008 flat_name: threat.indicator.name ignore_above: 1024 level: extended diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index d8affec2da..94db2fcf1e 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -18912,20 +18912,11 @@ threat: type: date threat.enrichments.indicator.name: dashed_name: threat-enrichments-indicator-name - description: The display name indicator in an UI friendly format + description: 'The display name indicator in an UI friendly format + + URL, IP address, email address, registry key, port number, hash value, or + other relevant name can serve as the display name.' example: 5.2.75.227 - expected_values: - - 5.2.75.227 - - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 - - https://example.com/some/path - - example.com - - 373d34874d7bc89fd4cefa6272ee80bf - - b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7 - - email@example.com - - HKLM\\SOFTWARE\\Microsoft\\Active - - 13335 - - 00:00:5e:00:53:af - - 8008 flat_name: threat.enrichments.indicator.name ignore_above: 1024 level: extended @@ -21637,20 +21628,11 @@ threat: type: date threat.indicator.name: dashed_name: threat-indicator-name - description: The display name indicator in an UI friendly format + description: 'The display name indicator in an UI friendly format + + URL, IP address, email address, registry key, port number, hash value, or + other relevant name can serve as the display name.' example: 5.2.75.227 - expected_values: - - 5.2.75.227 - - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 - - https://example.com/some/path - - example.com - - 373d34874d7bc89fd4cefa6272ee80bf - - b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7 - - email@example.com - - HKLM\\SOFTWARE\\Microsoft\\Active - - 13335 - - 00:00:5e:00:53:af - - 8008 flat_name: threat.indicator.name ignore_above: 1024 level: extended diff --git a/schemas/threat.yml b/schemas/threat.yml index 26c1018e11..a9cb544948 100644 --- a/schemas/threat.yml +++ b/schemas/threat.yml 
@@ -111,18 +111,9 @@ short: Indicator display name description: > The display name indicator in an UI friendly format - expected_values: - - 5.2.75.227 - - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 - - https://example.com/some/path - - example.com - - 373d34874d7bc89fd4cefa6272ee80bf - - b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7 - - email@example.com - - HKLM\\SOFTWARE\\Microsoft\\Active - - 13335 - - 00:00:5e:00:53:af - - 8008 + + URL, IP address, email address, registry key, port number, hash value, + or other relevant name can serve as the display name. example: 5.2.75.227 - name: enrichments.indicator.description @@ -419,18 +410,9 @@ short: Indicator display name description: > The display name indicator in an UI friendly format - expected_values: - - 5.2.75.227 - - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 - - https://example.com/some/path - - example.com - - 373d34874d7bc89fd4cefa6272ee80bf - - b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7 - - email@example.com - - HKLM\\SOFTWARE\\Microsoft\\Active - - 13335 - - 00:00:5e:00:53:af - - 8008 + + URL, IP address, email address, registry key, port number, hash value, + or other relevant name can serve as the display name. example: 5.2.75.227 - name: indicator.description From 3ba1e525a5a2db91f4265abbc2cbe2b94655e9a6 Mon Sep 17 00:00:00 2001 
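Review bot: the first line of the `threat.indicator.name` / `threat.enrichments.indicator.name` description, kept unchanged in schemas/threat.yml and both generated YAMLs, still reads "The display name indicator in an UI friendly format"; since these hunks rewrite the description anyway, fix the grammar at the source to "The display name of the indicator in a UI-friendly format." and regenerate. Dropping `expected_values` here is the right call: that attribute is meant for closed vocabularies, and this field is free-form (the removed list mixed IPv4 and IPv6 addresses, a URL, a domain, MD5 and SHA-256 hashes, an email address, a MAC address, numeric values such as 13335 and 8008, and a registry path that appears cut off at `HKLM\\SOFTWARE\\Microsoft\\Active`), so keeping samples there would have signalled an enumeration to validators and consumers that does not exist.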
From: Eric Beahan Date: Tue, 3 Oct 2023 10:57:42 -0500 Subject: [PATCH 125/186] Stage 2 `beta` changes for RFC 0040, `volume.*` (#2269) * add volume.* field set * update generated artifacts for volume.* * add beta setting and made an editorial pass on field descriptions * add example for dos_name * changelog * artifacts --- CHANGELOG.next.md | 2 + docs/fields/field-details.asciidoc | 297 ++++++++++++++++++ docs/fields/fields.asciidoc | 2 + experimental/generated/beats/fields.ecs.yml | 131 ++++++++ experimental/generated/csv/fields.csv | 16 + experimental/generated/ecs/ecs_flat.yml | 188 +++++++++++ experimental/generated/ecs/ecs_nested.yml | 198 ++++++++++++ .../elasticsearch/composable/template.json | 1 + .../elasticsearch/legacy/template.json | 65 ++++ generated/beats/fields.ecs.yml | 131 ++++++++ generated/csv/fields.csv | 16 + generated/ecs/ecs_flat.yml | 188 +++++++++++ generated/ecs/ecs_nested.yml | 198 ++++++++++++ .../elasticsearch/composable/template.json | 1 + generated/elasticsearch/legacy/template.json | 65 ++++ schemas/subsets/main.yml | 2 + schemas/volume.yml | 165 ++++++++++ 17 files changed, 1666 insertions(+) create mode 100644 schemas/volume.yml diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index fc526611f1..1fce70ac4a 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -18,6 +18,8 @@ Thanks, you're awesome :-) --> #### Added +* Added `volume.*` as beta field set. #2269 + #### Improvements #### Deprecated diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index 7317aade5c..b71ae31f60 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc 
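Review bot: the CHANGELOG.next.md entry "Added `volume.*` as beta field set. #2269" should also cite RFC 0040, as the commit title does, so a reader of the changelog can find the design discussion behind the beta field set and its intended producers (the Windows-only and POSIX-only fields are not self-explanatory from the one-line entry).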
@@ -12934,6 +12934,303 @@ The `vlan` fields are expected to be nested at: Note also that the `vlan` fields are not expected to be used directly at the root of the events. +[[ecs-volume]] +=== Volume Fields + +Fields related to storage volume details. + +beta::[ These fields are beta and are subject to change.] + +[discrete] +==== Volume Field Details + +[options="header"] +|===== +| Field | Description | Level + +// =============================================================== + +| +[[field-volume-bus-type]] +<> + +a| Bus type of the device, such as `Nvme`, `Usb`, or `FileBackedVirtual`. + +type: keyword + + + +example: `FileBackedVirtual` + +| extended + +// =============================================================== + +| +[[field-volume-default-access]] +<> + +a| Describes the default access(es) of the volume. + +type: keyword + + + + + +| extended + +// =============================================================== + +| +[[field-volume-device-name]] +<> + +a| Full path of the volume device. + +Only populate this field for POSIX system volumes. + +type: keyword + + + + + +| extended + +// =============================================================== + +| +[[field-volume-device-type]] +<> + +a| Volume device type. + +The most frequently seen volume device types are `Disk File System` and `CD-ROM File System`. + +type: keyword + + + +example: `CD-ROM File System` + +| extended + +// =============================================================== + +| +[[field-volume-dos-name]] +<> + +a| The MS-DOS name of a device. + +DOS device name is in the format of driver letters, such as `C:`. The field is relevant to Windows systems only. + +type: keyword + + + +example: `E:` + +| extended + +// =============================================================== + +| +[[field-volume-file-system-type]] +<> + +a| Volume device file system type. + +The most common volume file system types are `NTFS` and `UDF`. 
+ +type: keyword + + + + + +| extended + +// =============================================================== + +| +[[field-volume-mount-name]] +<> + +a| Mount name of the volume device. + +Only populate this field for POSIX system volumes. + +type: keyword + + + + + +| extended + +// =============================================================== + +| +[[field-volume-nt-name]] +<> + +a| The NT device name. + +NT device name uses a format of `\Device\HarddiskVolume2`. The field is relevant to Windows systems only. + +type: keyword + + + +example: `\Device\Cdrom1` + +| extended + +// =============================================================== + +| +[[field-volume-product-id]] +<> + +a| ProductID of the device. + +The vendor provides the ProductID for the volume, if any. + +type: keyword + + + + + +| extended + +// =============================================================== + +| +[[field-volume-product-name]] +<> + +a| Product name of the volume. + +The volume device vendor provides this value. + +type: keyword + + + +example: `Virtual DVD-ROM` + +| extended + +// =============================================================== + +| +[[field-volume-removable]] +<> + +a| Indicates if the volume is removable. + +type: boolean + + + + + +| extended + +// =============================================================== + +| +[[field-volume-serial-number]] +<> + +a| Serial number identifier for the volume device. + +The serial number is provided by the vendor of the device, if any. + +type: keyword + + + + + +| extended + +// =============================================================== + +| +[[field-volume-size]] +<> + +a| Size of the volume device in bytes. + +type: long + + + + + +| extended + +// =============================================================== + +| +[[field-volume-vendor-id]] +<> + +a| VendorID of the volume device. + +The volume device vendor provides this value. 
+ +type: keyword + + + + + +| extended + +// =============================================================== + +| +[[field-volume-vendor-name]] +<> + +a| Vendor name of the volume device. + +The value is provided by the vendor of the device. + +type: keyword + + + +example: `Msft` + +| extended + +// =============================================================== + +| +[[field-volume-writable]] +<> + +a| Indicates if the volume is writable. + +type: boolean + + + + + +| extended + +// =============================================================== + +|===== + + [[ecs-vulnerability]] === Vulnerability Fields diff --git a/docs/fields/fields.asciidoc b/docs/fields/fields.asciidoc index 2cc4207fac..b29d1c353f 100644 --- a/docs/fields/fields.asciidoc +++ b/docs/fields/fields.asciidoc @@ -118,6 +118,8 @@ For a single page representation of all fields, please see the | <> | Fields to describe observed VLAN information. +| <> | Fields related to storage volume details. + | <> | Fields to describe the vulnerability relevant to an event. | <> | These fields contain x509 certificate metadata. diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 7018f4b333..3ac5221046 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
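Review bot: in the `volume.dos_name` cell, "in the format of driver letters" should read "drive letters"; the text is generated from schemas/volume.yml, so fix it there and regenerate rather than patching the asciidoc. Two further gaps in the same table: `volume.default_access` says only "Describes the default access(es) of the volume." with no example and no vocabulary, so independent producers cannot agree on values (is it `read`/`write`, `rw`, or a Windows access-mask rendering?), and `volume.bus_type` lists `Nvme`, `Usb` and `FileBackedVirtual`, which read as the Windows STORAGE_BUS_TYPE enumerator names; the description should state whether non-Windows producers map onto that same vocabulary and whether the mixed casing is intended, given that other ECS keyword enumerations in this diff (for example `user_agent.os.type`: `linux, macos, unix, windows, ios or android`) are lowercase.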
@@ -13451,6 +13451,137 @@ ignore_above: 1024 description: Version of the user agent. example: 12.0 + - name: volume + title: Volume + group: 2 + description: Fields related to storage volume details. + type: group + default_field: true + fields: + - name: bus_type + level: extended + type: keyword + ignore_above: 1024 + description: Bus type of the device, such as `Nvme`, `Usb`, or `FileBackedVirtual`. + example: FileBackedVirtual + default_field: false + - name: default_access + level: extended + type: keyword + ignore_above: 1024 + description: Describes the default access(es) of the volume. + default_field: false + - name: device_name + level: extended + type: keyword + ignore_above: 1024 + description: 'Full path of the volume device. + + Only populate this field for POSIX system volumes.' + default_field: false + - name: device_type + level: extended + type: keyword + ignore_above: 1024 + description: 'Volume device type. + + The most frequently seen volume device types are `Disk File System` and `CD-ROM + File System`.' + example: CD-ROM File System + default_field: false + - name: dos_name + level: extended + type: keyword + ignore_above: 1024 + description: 'The MS-DOS name of a device. + + DOS device name is in the format of driver letters, such as `C:`. The field + is relevant to Windows systems only.' + example: 'E:' + default_field: false + - name: file_system_type + level: extended + type: keyword + ignore_above: 1024 + description: 'Volume device file system type. + + The most common volume file system types are `NTFS` and `UDF`.' + default_field: false + - name: mount_name + level: extended + type: keyword + ignore_above: 1024 + description: 'Mount name of the volume device. + + Only populate this field for POSIX system volumes.' + default_field: false + - name: nt_name + level: extended + type: keyword + ignore_above: 1024 + description: 'The NT device name. + + NT device name uses a format of `\Device\HarddiskVolume2`. 
The field is relevant + to Windows systems only.' + example: \Device\Cdrom1 + default_field: false + - name: product_id + level: extended + type: keyword + ignore_above: 1024 + description: 'ProductID of the device. + + The vendor provides the ProductID for the volume, if any.' + default_field: false + - name: product_name + level: extended + type: keyword + ignore_above: 1024 + description: 'Product name of the volume. + + The volume device vendor provides this value.' + example: Virtual DVD-ROM + default_field: false + - name: removable + level: extended + type: boolean + description: Indicates if the volume is removable. + default_field: false + - name: serial_number + level: extended + type: keyword + ignore_above: 1024 + description: 'Serial number identifier for the volume device. + + The serial number is provided by the vendor of the device, if any.' + default_field: false + - name: size + level: extended + type: long + description: Size of the volume device in bytes. + default_field: false + - name: vendor_id + level: extended + type: keyword + ignore_above: 1024 + description: 'VendorID of the volume device. + + The volume device vendor provides this value.' + default_field: false + - name: vendor_name + level: extended + type: keyword + ignore_above: 1024 + description: 'Vendor name of the volume device. + + The value is provided by the vendor of the device.' + example: Msft + default_field: false + - name: writable + level: extended + type: boolean + description: Indicates if the volume is writable. + default_field: false - name: vulnerability title: Vulnerability group: 2 diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index cc25b761db..ec392d3a3f 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
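Review bot: `vendor_id` and `product_id` only say the vendor provides the value; for keywords that analysts will pivot on across hosts (tracking one removable device by `serial_number`, `vendor_id` and `product_id` is the obvious use of this field set), the descriptions should fix a format, for instance whether a USB VID/PID is emitted as hex with or without a `0x` prefix, and carry an `example:` like `bus_type`, `dos_name`, `nt_name`, `product_name` and `vendor_name` do. Without that, `volume.removable: true` events from different collectors will not join on the same identifier.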
@@ -1739,6 +1739,22 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.11.0-dev+exp,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." 8.11.0-dev+exp,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 8.11.0-dev+exp,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. +8.11.0-dev+exp,true,volume,volume.bus_type,keyword,extended,,FileBackedVirtual,Bus type of the device. +8.11.0-dev+exp,true,volume,volume.default_access,keyword,extended,,,Bus type of the device. +8.11.0-dev+exp,true,volume,volume.device_name,keyword,extended,,,Device name of the volume. +8.11.0-dev+exp,true,volume,volume.device_type,keyword,extended,,CD-ROM File System,Volume device type. +8.11.0-dev+exp,true,volume,volume.dos_name,keyword,extended,,E:,DOS name of the device. +8.11.0-dev+exp,true,volume,volume.file_system_type,keyword,extended,,,Volume device file system type. +8.11.0-dev+exp,true,volume,volume.mount_name,keyword,extended,,,Mount name of the volume. +8.11.0-dev+exp,true,volume,volume.nt_name,keyword,extended,,\Device\Cdrom1,NT name of the device. +8.11.0-dev+exp,true,volume,volume.product_id,keyword,extended,,,ProductID of the device. +8.11.0-dev+exp,true,volume,volume.product_name,keyword,extended,,Virtual DVD-ROM,Produce name of the volume. +8.11.0-dev+exp,true,volume,volume.removable,boolean,extended,,,Indicates if the volume is removable. +8.11.0-dev+exp,true,volume,volume.serial_number,keyword,extended,,,Serial number of the device. +8.11.0-dev+exp,true,volume,volume.size,long,extended,,,Size of the volume device in bytes. +8.11.0-dev+exp,true,volume,volume.vendor_id,keyword,extended,,,VendorID of the device. +8.11.0-dev+exp,true,volume,volume.vendor_name,keyword,extended,,Msft,Vendor name of the device. 
+8.11.0-dev+exp,true,volume,volume.writable,boolean,extended,,,Indicates if the volume is writable. 8.11.0-dev+exp,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. 8.11.0-dev+exp,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. 8.11.0-dev+exp,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index c46dee2556..9b74b8e01a 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
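Review bot: two of the new CSV rows carry a wrong short description: `volume.default_access` says "Bus type of the device." (copied from `bus_type`) and `volume.product_name` says "Produce name of the volume." (typo for "Product"). Both strings are the `short:` values from schemas/volume.yml and recur verbatim in the experimental and generated ecs_flat.yml, ecs_nested.yml and fields.csv in this patch, so correct `short` in the schema and regenerate; editing the generated artifacts directly would be overwritten on the next build.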
@@ -21921,6 +21921,194 @@ user_agent.version: normalize: [] short: Version of the user agent. type: keyword +volume.bus_type: + dashed_name: volume-bus-type + description: Bus type of the device, such as `Nvme`, `Usb`, or `FileBackedVirtual`. + example: FileBackedVirtual + flat_name: volume.bus_type + ignore_above: 1024 + level: extended + name: bus_type + normalize: [] + short: Bus type of the device. + type: keyword +volume.default_access: + dashed_name: volume-default-access + description: Describes the default access(es) of the volume. + flat_name: volume.default_access + ignore_above: 1024 + level: extended + name: default_access + normalize: [] + short: Bus type of the device. + type: keyword +volume.device_name: + dashed_name: volume-device-name + description: 'Full path of the volume device. + + Only populate this field for POSIX system volumes.' + flat_name: volume.device_name + ignore_above: 1024 + level: extended + name: device_name + normalize: [] + short: Device name of the volume. + type: keyword +volume.device_type: + dashed_name: volume-device-type + description: 'Volume device type. + + The most frequently seen volume device types are `Disk File System` and `CD-ROM + File System`.' + example: CD-ROM File System + flat_name: volume.device_type + ignore_above: 1024 + level: extended + name: device_type + normalize: [] + short: Volume device type. + type: keyword +volume.dos_name: + dashed_name: volume-dos-name + description: 'The MS-DOS name of a device. + + DOS device name is in the format of driver letters, such as `C:`. The field is + relevant to Windows systems only.' + example: 'E:' + flat_name: volume.dos_name + ignore_above: 1024 + level: extended + name: dos_name + normalize: [] + short: DOS name of the device. + type: keyword +volume.file_system_type: + dashed_name: volume-file-system-type + description: 'Volume device file system type. + + The most common volume file system types are `NTFS` and `UDF`.' 
+ flat_name: volume.file_system_type + ignore_above: 1024 + level: extended + name: file_system_type + normalize: [] + short: Volume device file system type. + type: keyword +volume.mount_name: + dashed_name: volume-mount-name + description: 'Mount name of the volume device. + + Only populate this field for POSIX system volumes.' + flat_name: volume.mount_name + ignore_above: 1024 + level: extended + name: mount_name + normalize: [] + short: Mount name of the volume. + type: keyword +volume.nt_name: + dashed_name: volume-nt-name + description: 'The NT device name. + + NT device name uses a format of `\Device\HarddiskVolume2`. The field is relevant + to Windows systems only.' + example: \Device\Cdrom1 + flat_name: volume.nt_name + ignore_above: 1024 + level: extended + name: nt_name + normalize: [] + short: NT name of the device. + type: keyword +volume.product_id: + dashed_name: volume-product-id + description: 'ProductID of the device. + + The vendor provides the ProductID for the volume, if any.' + flat_name: volume.product_id + ignore_above: 1024 + level: extended + name: product_id + normalize: [] + short: ProductID of the device. + type: keyword +volume.product_name: + dashed_name: volume-product-name + description: 'Product name of the volume. + + The volume device vendor provides this value.' + example: Virtual DVD-ROM + flat_name: volume.product_name + ignore_above: 1024 + level: extended + name: product_name + normalize: [] + short: Produce name of the volume. + type: keyword +volume.removable: + dashed_name: volume-removable + description: Indicates if the volume is removable. + flat_name: volume.removable + level: extended + name: removable + normalize: [] + short: Indicates if the volume is removable. + type: boolean +volume.serial_number: + dashed_name: volume-serial-number + description: 'Serial number identifier for the volume device. + + The serial number is provided by the vendor of the device, if any.' 
+ flat_name: volume.serial_number + ignore_above: 1024 + level: extended + name: serial_number + normalize: [] + short: Serial number of the device. + type: keyword +volume.size: + dashed_name: volume-size + description: Size of the volume device in bytes. + flat_name: volume.size + level: extended + name: size + normalize: [] + short: Size of the volume device in bytes. + type: long +volume.vendor_id: + dashed_name: volume-vendor-id + description: 'VendorID of the volume device. + + The volume device vendor provides this value.' + flat_name: volume.vendor_id + ignore_above: 1024 + level: extended + name: vendor_id + normalize: [] + short: VendorID of the device. + type: keyword +volume.vendor_name: + dashed_name: volume-vendor-name + description: 'Vendor name of the volume device. + + The value is provided by the vendor of the device.' + example: Msft + flat_name: volume.vendor_name + ignore_above: 1024 + level: extended + name: vendor_name + normalize: [] + short: Vendor name of the device. + type: keyword +volume.writable: + dashed_name: volume-writable + description: Indicates if the volume is writable. + flat_name: volume.writable + level: extended + name: writable + normalize: [] + short: Indicates if the volume is writable. + type: boolean vulnerability.category: dashed_name: vulnerability-category description: 'The type of system or architecture that the vulnerability affects. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index bb26762db2..0eee0300d9 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -24890,6 +24890,204 @@ vlan: short: Fields to describe observed VLAN information. title: VLAN type: group +volume: + beta: These fields are beta and are subject to change. + description: Fields related to storage volume details. + fields: + volume.bus_type: + dashed_name: volume-bus-type + description: Bus type of the device, such as `Nvme`, `Usb`, or `FileBackedVirtual`. + example: FileBackedVirtual + flat_name: volume.bus_type + ignore_above: 1024 + level: extended + name: bus_type + normalize: [] + short: Bus type of the device. + type: keyword + volume.default_access: + dashed_name: volume-default-access + description: Describes the default access(es) of the volume. + flat_name: volume.default_access + ignore_above: 1024 + level: extended + name: default_access + normalize: [] + short: Bus type of the device. + type: keyword + volume.device_name: + dashed_name: volume-device-name + description: 'Full path of the volume device. + + Only populate this field for POSIX system volumes.' + flat_name: volume.device_name + ignore_above: 1024 + level: extended + name: device_name + normalize: [] + short: Device name of the volume. + type: keyword + volume.device_type: + dashed_name: volume-device-type + description: 'Volume device type. + + The most frequently seen volume device types are `Disk File System` and `CD-ROM + File System`.' + example: CD-ROM File System + flat_name: volume.device_type + ignore_above: 1024 + level: extended + name: device_type + normalize: [] + short: Volume device type. + type: keyword + volume.dos_name: + dashed_name: volume-dos-name + description: 'The MS-DOS name of a device. + + DOS device name is in the format of driver letters, such as `C:`. The field + is relevant to Windows systems only.' + example: 'E:' + flat_name: volume.dos_name + ignore_above: 1024 + level: extended + name: dos_name + normalize: [] + short: DOS name of the device. 
+ type: keyword + volume.file_system_type: + dashed_name: volume-file-system-type + description: 'Volume device file system type. + + The most common volume file system types are `NTFS` and `UDF`.' + flat_name: volume.file_system_type + ignore_above: 1024 + level: extended + name: file_system_type + normalize: [] + short: Volume device file system type. + type: keyword + volume.mount_name: + dashed_name: volume-mount-name + description: 'Mount name of the volume device. + + Only populate this field for POSIX system volumes.' + flat_name: volume.mount_name + ignore_above: 1024 + level: extended + name: mount_name + normalize: [] + short: Mount name of the volume. + type: keyword + volume.nt_name: + dashed_name: volume-nt-name + description: 'The NT device name. + + NT device name uses a format of `\Device\HarddiskVolume2`. The field is relevant + to Windows systems only.' + example: \Device\Cdrom1 + flat_name: volume.nt_name + ignore_above: 1024 + level: extended + name: nt_name + normalize: [] + short: NT name of the device. + type: keyword + volume.product_id: + dashed_name: volume-product-id + description: 'ProductID of the device. + + The vendor provides the ProductID for the volume, if any.' + flat_name: volume.product_id + ignore_above: 1024 + level: extended + name: product_id + normalize: [] + short: ProductID of the device. + type: keyword + volume.product_name: + dashed_name: volume-product-name + description: 'Product name of the volume. + + The volume device vendor provides this value.' + example: Virtual DVD-ROM + flat_name: volume.product_name + ignore_above: 1024 + level: extended + name: product_name + normalize: [] + short: Produce name of the volume. + type: keyword + volume.removable: + dashed_name: volume-removable + description: Indicates if the volume is removable. + flat_name: volume.removable + level: extended + name: removable + normalize: [] + short: Indicates if the volume is removable. 
+ type: boolean + volume.serial_number: + dashed_name: volume-serial-number + description: 'Serial number identifier for the volume device. + + The serial number is provided by the vendor of the device, if any.' + flat_name: volume.serial_number + ignore_above: 1024 + level: extended + name: serial_number + normalize: [] + short: Serial number of the device. + type: keyword + volume.size: + dashed_name: volume-size + description: Size of the volume device in bytes. + flat_name: volume.size + level: extended + name: size + normalize: [] + short: Size of the volume device in bytes. + type: long + volume.vendor_id: + dashed_name: volume-vendor-id + description: 'VendorID of the volume device. + + The volume device vendor provides this value.' + flat_name: volume.vendor_id + ignore_above: 1024 + level: extended + name: vendor_id + normalize: [] + short: VendorID of the device. + type: keyword + volume.vendor_name: + dashed_name: volume-vendor-name + description: 'Vendor name of the volume device. + + The value is provided by the vendor of the device.' + example: Msft + flat_name: volume.vendor_name + ignore_above: 1024 + level: extended + name: vendor_name + normalize: [] + short: Vendor name of the device. + type: keyword + volume.writable: + dashed_name: volume-writable + description: Indicates if the volume is writable. + flat_name: volume.writable + level: extended + name: writable + normalize: [] + short: Indicates if the volume is writable. + type: boolean + group: 2 + name: volume + prefix: volume. + short: Fields related to storage volume details. + title: Volume + type: group vulnerability: description: The vulnerability fields describe information about a vulnerability that is relevant to an event. diff --git a/experimental/generated/elasticsearch/composable/template.json b/experimental/generated/elasticsearch/composable/template.json index b1e055b426..959d8eade1 100644 --- a/experimental/generated/elasticsearch/composable/template.json 
+++ b/experimental/generated/elasticsearch/composable/template.json @@ -43,6 +43,7 @@ "ecs_8.11.0-dev-exp_url", "ecs_8.11.0-dev-exp_user_agent", "ecs_8.11.0-dev-exp_user", + "ecs_8.11.0-dev-exp_volume", "ecs_8.11.0-dev-exp_vulnerability" ], "index_patterns": [ diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index 1c71c9c150..cc8a247b93 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -7821,6 +7821,71 @@ } } }, + "volume": { + "properties": { + "bus_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "default_access": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dos_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_system_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mount_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nt_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "removable": { + "type": "boolean" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "vendor_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "writable": { + "type": "boolean" + } + } + }, "vulnerability": { "properties": { "category": { diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 822c3ddeff..669097e0e2 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
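Review bot: the composable template now lists the component `ecs_8.11.0-dev-exp_volume`, but the diffstat in the commit header shows no new file under `elasticsearch/composable/component/` for `volume` (only `composable/template.json` and `legacy/template.json` change, and the sole `create mode` is schemas/volume.yml); confirm that the per-field-set component template for `volume` is generated and committed, otherwise the index template references a component template that does not exist and installing it will fail. The legacy template mapping itself looks consistent with the schema: `keyword` with `ignore_above: 1024` for the string fields, `boolean` for `removable` and `writable`, `long` for `size`.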
@@ -13401,6 +13401,137 @@ ignore_above: 1024 description: Version of the user agent. example: 12.0 + - name: volume + title: Volume + group: 2 + description: Fields related to storage volume details. + type: group + default_field: true + fields: + - name: bus_type + level: extended + type: keyword + ignore_above: 1024 + description: Bus type of the device, such as `Nvme`, `Usb`, or `FileBackedVirtual`. + example: FileBackedVirtual + default_field: false + - name: default_access + level: extended + type: keyword + ignore_above: 1024 + description: Describes the default access(es) of the volume. + default_field: false + - name: device_name + level: extended + type: keyword + ignore_above: 1024 + description: 'Full path of the volume device. + + Only populate this field for POSIX system volumes.' + default_field: false + - name: device_type + level: extended + type: keyword + ignore_above: 1024 + description: 'Volume device type. + + The most frequently seen volume device types are `Disk File System` and `CD-ROM + File System`.' + example: CD-ROM File System + default_field: false + - name: dos_name + level: extended + type: keyword + ignore_above: 1024 + description: 'The MS-DOS name of a device. + + DOS device name is in the format of driver letters, such as `C:`. The field + is relevant to Windows systems only.' + example: 'E:' + default_field: false + - name: file_system_type + level: extended + type: keyword + ignore_above: 1024 + description: 'Volume device file system type. + + The most common volume file system types are `NTFS` and `UDF`.' + default_field: false + - name: mount_name + level: extended + type: keyword + ignore_above: 1024 + description: 'Mount name of the volume device. + + Only populate this field for POSIX system volumes.' + default_field: false + - name: nt_name + level: extended + type: keyword + ignore_above: 1024 + description: 'The NT device name. + + NT device name uses a format of `\Device\HarddiskVolume2`. 
The field is relevant + to Windows systems only.' + example: \Device\Cdrom1 + default_field: false + - name: product_id + level: extended + type: keyword + ignore_above: 1024 + description: 'ProductID of the device. + + The vendor provides the ProductID for the volume, if any.' + default_field: false + - name: product_name + level: extended + type: keyword + ignore_above: 1024 + description: 'Product name of the volume. + + The volume device vendor provides this value.' + example: Virtual DVD-ROM + default_field: false + - name: removable + level: extended + type: boolean + description: Indicates if the volume is removable. + default_field: false + - name: serial_number + level: extended + type: keyword + ignore_above: 1024 + description: 'Serial number identifier for the volume device. + + The serial number is provided by the vendor of the device, if any.' + default_field: false + - name: size + level: extended + type: long + description: Size of the volume device in bytes. + default_field: false + - name: vendor_id + level: extended + type: keyword + ignore_above: 1024 + description: 'VendorID of the volume device. + + The volume device vendor provides this value.' + default_field: false + - name: vendor_name + level: extended + type: keyword + ignore_above: 1024 + description: 'Vendor name of the volume device. + + The value is provided by the vendor of the device.' + example: Msft + default_field: false + - name: writable + level: extended + type: boolean + description: Indicates if the volume is writable. + default_field: false - name: vulnerability title: Vulnerability group: 2 diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index f47e61efa2..93791246aa 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -1732,6 +1732,22 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.11.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." 8.11.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 8.11.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. +8.11.0-dev,true,volume,volume.bus_type,keyword,extended,,FileBackedVirtual,Bus type of the device. +8.11.0-dev,true,volume,volume.default_access,keyword,extended,,,Bus type of the device. +8.11.0-dev,true,volume,volume.device_name,keyword,extended,,,Device name of the volume. +8.11.0-dev,true,volume,volume.device_type,keyword,extended,,CD-ROM File System,Volume device type. +8.11.0-dev,true,volume,volume.dos_name,keyword,extended,,E:,DOS name of the device. +8.11.0-dev,true,volume,volume.file_system_type,keyword,extended,,,Volume device file system type. +8.11.0-dev,true,volume,volume.mount_name,keyword,extended,,,Mount name of the volume. +8.11.0-dev,true,volume,volume.nt_name,keyword,extended,,\Device\Cdrom1,NT name of the device. +8.11.0-dev,true,volume,volume.product_id,keyword,extended,,,ProductID of the device. +8.11.0-dev,true,volume,volume.product_name,keyword,extended,,Virtual DVD-ROM,Produce name of the volume. +8.11.0-dev,true,volume,volume.removable,boolean,extended,,,Indicates if the volume is removable. +8.11.0-dev,true,volume,volume.serial_number,keyword,extended,,,Serial number of the device. +8.11.0-dev,true,volume,volume.size,long,extended,,,Size of the volume device in bytes. +8.11.0-dev,true,volume,volume.vendor_id,keyword,extended,,,VendorID of the device. +8.11.0-dev,true,volume,volume.vendor_name,keyword,extended,,Msft,Vendor name of the device. +8.11.0-dev,true,volume,volume.writable,boolean,extended,,,Indicates if the volume is writable. 
8.11.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. 8.11.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. 8.11.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 03591ada52..e5f035baa7 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -21852,6 +21852,194 @@ user_agent.version: normalize: [] short: Version of the user agent. type: keyword +volume.bus_type: + dashed_name: volume-bus-type + description: Bus type of the device, such as `Nvme`, `Usb`, or `FileBackedVirtual`. + example: FileBackedVirtual + flat_name: volume.bus_type + ignore_above: 1024 + level: extended + name: bus_type + normalize: [] + short: Bus type of the device. + type: keyword +volume.default_access: + dashed_name: volume-default-access + description: Describes the default access(es) of the volume. + flat_name: volume.default_access + ignore_above: 1024 + level: extended + name: default_access + normalize: [] + short: Bus type of the device. + type: keyword +volume.device_name: + dashed_name: volume-device-name + description: 'Full path of the volume device. + + Only populate this field for POSIX system volumes.' + flat_name: volume.device_name + ignore_above: 1024 + level: extended + name: device_name + normalize: [] + short: Device name of the volume. + type: keyword +volume.device_type: + dashed_name: volume-device-type + description: 'Volume device type. + + The most frequently seen volume device types are `Disk File System` and `CD-ROM + File System`.' + example: CD-ROM File System + flat_name: volume.device_type + ignore_above: 1024 + level: extended + name: device_type + normalize: [] + short: Volume device type. + type: keyword +volume.dos_name: + dashed_name: volume-dos-name + description: 'The MS-DOS name of a device. + + DOS device name is in the format of driver letters, such as `C:`. The field is + relevant to Windows systems only.' + example: 'E:' + flat_name: volume.dos_name + ignore_above: 1024 + level: extended + name: dos_name + normalize: [] + short: DOS name of the device. + type: keyword +volume.file_system_type: + dashed_name: volume-file-system-type + description: 'Volume device file system type. + + The most common volume file system types are `NTFS` and `UDF`.' 
+ flat_name: volume.file_system_type + ignore_above: 1024 + level: extended + name: file_system_type + normalize: [] + short: Volume device file system type. + type: keyword +volume.mount_name: + dashed_name: volume-mount-name + description: 'Mount name of the volume device. + + Only populate this field for POSIX system volumes.' + flat_name: volume.mount_name + ignore_above: 1024 + level: extended + name: mount_name + normalize: [] + short: Mount name of the volume. + type: keyword +volume.nt_name: + dashed_name: volume-nt-name + description: 'The NT device name. + + NT device name uses a format of `\Device\HarddiskVolume2`. The field is relevant + to Windows systems only.' + example: \Device\Cdrom1 + flat_name: volume.nt_name + ignore_above: 1024 + level: extended + name: nt_name + normalize: [] + short: NT name of the device. + type: keyword +volume.product_id: + dashed_name: volume-product-id + description: 'ProductID of the device. + + The vendor provides the ProductID for the volume, if any.' + flat_name: volume.product_id + ignore_above: 1024 + level: extended + name: product_id + normalize: [] + short: ProductID of the device. + type: keyword +volume.product_name: + dashed_name: volume-product-name + description: 'Product name of the volume. + + The volume device vendor provides this value.' + example: Virtual DVD-ROM + flat_name: volume.product_name + ignore_above: 1024 + level: extended + name: product_name + normalize: [] + short: Produce name of the volume. + type: keyword +volume.removable: + dashed_name: volume-removable + description: Indicates if the volume is removable. + flat_name: volume.removable + level: extended + name: removable + normalize: [] + short: Indicates if the volume is removable. + type: boolean +volume.serial_number: + dashed_name: volume-serial-number + description: 'Serial number identifier for the volume device. + + The serial number is provided by the vendor of the device, if any.' 
+ flat_name: volume.serial_number + ignore_above: 1024 + level: extended + name: serial_number + normalize: [] + short: Serial number of the device. + type: keyword +volume.size: + dashed_name: volume-size + description: Size of the volume device in bytes. + flat_name: volume.size + level: extended + name: size + normalize: [] + short: Size of the volume device in bytes. + type: long +volume.vendor_id: + dashed_name: volume-vendor-id + description: 'VendorID of the volume device. + + The volume device vendor provides this value.' + flat_name: volume.vendor_id + ignore_above: 1024 + level: extended + name: vendor_id + normalize: [] + short: VendorID of the device. + type: keyword +volume.vendor_name: + dashed_name: volume-vendor-name + description: 'Vendor name of the volume device. + + The value is provided by the vendor of the device.' + example: Msft + flat_name: volume.vendor_name + ignore_above: 1024 + level: extended + name: vendor_name + normalize: [] + short: Vendor name of the device. + type: keyword +volume.writable: + dashed_name: volume-writable + description: Indicates if the volume is writable. + flat_name: volume.writable + level: extended + name: writable + normalize: [] + short: Indicates if the volume is writable. + type: boolean vulnerability.category: dashed_name: vulnerability-category description: 'The type of system or architecture that the vulnerability affects. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 94db2fcf1e..048948d37f 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -24810,6 +24810,204 @@ vlan: short: Fields to describe observed VLAN information. title: VLAN type: group +volume: + beta: These fields are beta and are subject to change. + description: Fields related to storage volume details. + fields: + volume.bus_type: + dashed_name: volume-bus-type + description: Bus type of the device, such as `Nvme`, `Usb`, or `FileBackedVirtual`. + example: FileBackedVirtual + flat_name: volume.bus_type + ignore_above: 1024 + level: extended + name: bus_type + normalize: [] + short: Bus type of the device. + type: keyword + volume.default_access: + dashed_name: volume-default-access + description: Describes the default access(es) of the volume. + flat_name: volume.default_access + ignore_above: 1024 + level: extended + name: default_access + normalize: [] + short: Bus type of the device. + type: keyword + volume.device_name: + dashed_name: volume-device-name + description: 'Full path of the volume device. + + Only populate this field for POSIX system volumes.' + flat_name: volume.device_name + ignore_above: 1024 + level: extended + name: device_name + normalize: [] + short: Device name of the volume. + type: keyword + volume.device_type: + dashed_name: volume-device-type + description: 'Volume device type. + + The most frequently seen volume device types are `Disk File System` and `CD-ROM + File System`.' + example: CD-ROM File System + flat_name: volume.device_type + ignore_above: 1024 + level: extended + name: device_type + normalize: [] + short: Volume device type. + type: keyword + volume.dos_name: + dashed_name: volume-dos-name + description: 'The MS-DOS name of a device. + + DOS device name is in the format of driver letters, such as `C:`. The field + is relevant to Windows systems only.' + example: 'E:' + flat_name: volume.dos_name + ignore_above: 1024 + level: extended + name: dos_name + normalize: [] + short: DOS name of the device. 
+ type: keyword + volume.file_system_type: + dashed_name: volume-file-system-type + description: 'Volume device file system type. + + The most common volume file system types are `NTFS` and `UDF`.' + flat_name: volume.file_system_type + ignore_above: 1024 + level: extended + name: file_system_type + normalize: [] + short: Volume device file system type. + type: keyword + volume.mount_name: + dashed_name: volume-mount-name + description: 'Mount name of the volume device. + + Only populate this field for POSIX system volumes.' + flat_name: volume.mount_name + ignore_above: 1024 + level: extended + name: mount_name + normalize: [] + short: Mount name of the volume. + type: keyword + volume.nt_name: + dashed_name: volume-nt-name + description: 'The NT device name. + + NT device name uses a format of `\Device\HarddiskVolume2`. The field is relevant + to Windows systems only.' + example: \Device\Cdrom1 + flat_name: volume.nt_name + ignore_above: 1024 + level: extended + name: nt_name + normalize: [] + short: NT name of the device. + type: keyword + volume.product_id: + dashed_name: volume-product-id + description: 'ProductID of the device. + + The vendor provides the ProductID for the volume, if any.' + flat_name: volume.product_id + ignore_above: 1024 + level: extended + name: product_id + normalize: [] + short: ProductID of the device. + type: keyword + volume.product_name: + dashed_name: volume-product-name + description: 'Product name of the volume. + + The volume device vendor provides this value.' + example: Virtual DVD-ROM + flat_name: volume.product_name + ignore_above: 1024 + level: extended + name: product_name + normalize: [] + short: Produce name of the volume. + type: keyword + volume.removable: + dashed_name: volume-removable + description: Indicates if the volume is removable. + flat_name: volume.removable + level: extended + name: removable + normalize: [] + short: Indicates if the volume is removable. 
+ type: boolean + volume.serial_number: + dashed_name: volume-serial-number + description: 'Serial number identifier for the volume device. + + The serial number is provided by the vendor of the device, if any.' + flat_name: volume.serial_number + ignore_above: 1024 + level: extended + name: serial_number + normalize: [] + short: Serial number of the device. + type: keyword + volume.size: + dashed_name: volume-size + description: Size of the volume device in bytes. + flat_name: volume.size + level: extended + name: size + normalize: [] + short: Size of the volume device in bytes. + type: long + volume.vendor_id: + dashed_name: volume-vendor-id + description: 'VendorID of the volume device. + + The volume device vendor provides this value.' + flat_name: volume.vendor_id + ignore_above: 1024 + level: extended + name: vendor_id + normalize: [] + short: VendorID of the device. + type: keyword + volume.vendor_name: + dashed_name: volume-vendor-name + description: 'Vendor name of the volume device. + + The value is provided by the vendor of the device.' + example: Msft + flat_name: volume.vendor_name + ignore_above: 1024 + level: extended + name: vendor_name + normalize: [] + short: Vendor name of the device. + type: keyword + volume.writable: + dashed_name: volume-writable + description: Indicates if the volume is writable. + flat_name: volume.writable + level: extended + name: writable + normalize: [] + short: Indicates if the volume is writable. + type: boolean + group: 2 + name: volume + prefix: volume. + short: Fields related to storage volume details. + title: Volume + type: group vulnerability: description: The vulnerability fields describe information about a vulnerability that is relevant to an event. diff --git a/generated/elasticsearch/composable/template.json b/generated/elasticsearch/composable/template.json index 5c28737813..d44ce68eca 100644 --- a/generated/elasticsearch/composable/template.json +++ b/generated/elasticsearch/composable/template.json 
@@ -42,6 +42,7 @@ "ecs_8.11.0-dev_url", "ecs_8.11.0-dev_user_agent", "ecs_8.11.0-dev_user", + "ecs_8.11.0-dev_volume", "ecs_8.11.0-dev_vulnerability" ], "index_patterns": [ diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index 29c5b838f4..7da741a2d9 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -7779,6 +7779,71 @@ } } }, + "volume": { + "properties": { + "bus_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "default_access": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dos_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_system_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mount_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nt_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "removable": { + "type": "boolean" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "vendor_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "writable": { + "type": "boolean" + } + } + }, "vulnerability": { "properties": { "category": { diff --git a/schemas/subsets/main.yml b/schemas/subsets/main.yml index 0b953e321f..69391cf839 100644 --- a/schemas/subsets/main.yml +++ b/schemas/subsets/main.yml @@ -590,6 +590,8 @@ fields: roles: {} vlan: fields: "*" + volume: + fields: "*" vulnerability: fields: "*" x509: diff --git a/schemas/volume.yml b/schemas/volume.yml new file mode 100644 index 0000000000..f2e6dadfa1 --- /dev/null +++ b/schemas/volume.yml 
@@ -0,0 +1,165 @@ +# Licensed to Elasticsearch B.V. under one or more contributor +# license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright +# ownership. Elasticsearch B.V. licenses this file to you under +# the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +--- +- name: volume + title: Volume + group: 2 + description: > + Fields related to storage volume details. + beta: > + These fields are beta and are subject to change. + type: group + fields: + - name: mount_name + level: extended + type: keyword + short: Mount name of the volume. + description: > + Mount name of the volume device. + + Only populate this field for POSIX system volumes. + + - name: device_name + level: extended + type: keyword + short: Device name of the volume. + description: > + Full path of the volume device. + + Only populate this field for POSIX system volumes. + + - name: dos_name + level: extended + type: keyword + short: DOS name of the device. + description: > + The MS-DOS name of a device. + + DOS device name is in the format of driver letters, such as `C:`. The + field is relevant to Windows systems only. + example: "E:" + + - name: nt_name + level: extended + type: keyword + short: NT name of the device. + description: > + The NT device name. + + NT device name uses a format of `\Device\HarddiskVolume2`. The + field is relevant to Windows systems only. 
+ example: \Device\Cdrom1 + + - name: bus_type + level: extended + type: keyword + short: Bus type of the device. + description: > + Bus type of the device, such as `Nvme`, `Usb`, or `FileBackedVirtual`. + example: "FileBackedVirtual" + + - name: writable + level: extended + type: boolean + description: > + Indicates if the volume is writable. + + - name: default_access + level: extended + type: keyword + short: Bus type of the device. + description: > + Describes the default access(es) of the volume. + + - name: file_system_type + level: extended + type: keyword + short: Volume device file system type. + description: > + Volume device file system type. + + The most common volume file system types are `NTFS` and `UDF`. + + - name: product_id + level: extended + type: keyword + short: ProductID of the device. + description: > + ProductID of the device. + + The vendor provides the ProductID for the volume, if any. + + - name: product_name + level: extended + type: keyword + short: Produce name of the volume. + description: > + Product name of the volume. + + The volume device vendor provides this value. + example: "Virtual DVD-ROM" + + - name: vendor_id + level: extended + type: keyword + short: VendorID of the device. + description: > + VendorID of the volume device. + + The volume device vendor provides this value. + + - name: vendor_name + level: extended + type: keyword + short: Vendor name of the device. + description: > + Vendor name of the volume device. + + The value is provided by the vendor of the device. + example: "Msft" + + - name: serial_number + level: extended + type: keyword + short: Serial number of the device. + description: > + Serial number identifier for the volume device. + + The serial number is provided by the vendor of the device, if any. + + - name: device_type + level: extended + type: keyword + short: Volume device type. + description: > + Volume device type. 
+ + The most frequently seen volume device types are `Disk File System` and + `CD-ROM File System`. + example: "CD-ROM File System" + + - name: size + level: extended + type: long + description: > + Size of the volume device in bytes. + + - name: removable + level: extended + type: boolean + description: > + Indicates if the volume is removable. From 658fd4e8265b62a62890a376a343419f800d6571 Mon Sep 17 00:00:00 2001 
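Review bot: in `schemas/volume.yml` the `default_access` field carries `short: Bus type of the device.`, which is copied from `bus_type` and then propagates into every generated artifact in this patch (the Description column of `generated/csv/fields.csv` and the `short:` entries in `ecs_flat.yml` and `ecs_nested.yml`); give it a short form of its own description, e.g. `short: Default access of the volume.`, and regenerate. While there: `product_name` has `short: Produce name of the volume.` (should read `Product name`), and the `dos_name` description says `driver letters` where `drive letters` is meant; both also surface in the generated CSV and YAML. `default_access` is also the only keyword field in the set with neither an example nor a stated value format, so it is unclear what producers should populate it with; documenting the expected values (or adding an `example:` as `bus_type` and `device_type` do) would let consumers write consistent queries against it.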
From: Taylor Swanson <90622908+taylor-swanson@users.noreply.github.com> Date: Tue, 3 Oct 2023 11:17:04 -0500 Subject: [PATCH 126/186] Update version to 8.12.0-dev for 8.11.0 feature freeze (#2283) --- docs/fields/fields.asciidoc | 2 +- docs/index.asciidoc | 2 +- experimental/generated/beats/fields.ecs.yml | 2 +- experimental/generated/csv/fields.csv | 3540 ++++++++--------- .../composable/component/agent.json | 2 +- .../composable/component/base.json | 2 +- .../composable/component/cgroup.json | 2 +- .../composable/component/client.json | 2 +- .../composable/component/cloud.json | 2 +- .../composable/component/container.json | 2 +- .../composable/component/data_stream.json | 2 +- .../composable/component/destination.json | 2 +- .../composable/component/device.json | 2 +- .../composable/component/dll.json | 2 +- .../composable/component/dns.json | 2 +- .../composable/component/ecs.json | 2 +- .../composable/component/email.json | 2 +- .../composable/component/error.json | 2 +- .../composable/component/event.json | 2 +- .../composable/component/faas.json | 2 +- .../composable/component/file.json | 2 +- .../composable/component/group.json | 2 +- .../composable/component/host.json | 2 +- .../composable/component/http.json | 2 +- .../composable/component/log.json | 2 +- .../composable/component/network.json | 2 +- .../composable/component/observer.json | 2 +- .../composable/component/orchestrator.json | 2 +- .../composable/component/organization.json | 2 +- .../composable/component/package.json | 2 +- .../composable/component/process.json | 2 +- .../composable/component/registry.json | 2 +- .../composable/component/related.json | 2 +- .../composable/component/rule.json | 2 +- .../composable/component/server.json | 2 +- .../composable/component/service.json | 2 +- .../composable/component/source.json | 2 +- .../composable/component/threat.json | 2 +- .../composable/component/tls.json | 2 +- .../composable/component/tracing.json | 2 +- .../composable/component/url.json | 
2 +- .../composable/component/user.json | 2 +- .../composable/component/user_agent.json | 2 +- .../composable/component/volume.json | 77 + .../composable/component/vulnerability.json | 2 +- .../elasticsearch/composable/template.json | 84 +- .../elasticsearch/legacy/template.json | 2 +- generated/beats/fields.ecs.yml | 2 +- generated/csv/fields.csv | 3526 ++++++++-------- .../composable/component/agent.json | 2 +- .../composable/component/base.json | 2 +- .../composable/component/client.json | 2 +- .../composable/component/cloud.json | 2 +- .../composable/component/container.json | 2 +- .../composable/component/data_stream.json | 2 +- .../composable/component/destination.json | 2 +- .../composable/component/device.json | 2 +- .../composable/component/dll.json | 2 +- .../composable/component/dns.json | 2 +- .../composable/component/ecs.json | 2 +- .../composable/component/email.json | 2 +- .../composable/component/error.json | 2 +- .../composable/component/event.json | 2 +- .../composable/component/faas.json | 2 +- .../composable/component/file.json | 2 +- .../composable/component/group.json | 2 +- .../composable/component/host.json | 2 +- .../composable/component/http.json | 2 +- .../composable/component/log.json | 2 +- .../composable/component/network.json | 2 +- .../composable/component/observer.json | 2 +- .../composable/component/orchestrator.json | 2 +- .../composable/component/organization.json | 2 +- .../composable/component/package.json | 2 +- .../composable/component/process.json | 2 +- .../composable/component/registry.json | 2 +- .../composable/component/related.json | 2 +- .../composable/component/rule.json | 2 +- .../composable/component/server.json | 2 +- .../composable/component/service.json | 2 +- .../composable/component/source.json | 2 +- .../composable/component/threat.json | 2 +- .../composable/component/tls.json | 2 +- .../composable/component/tracing.json | 2 +- .../composable/component/url.json | 2 +- .../composable/component/user.json | 2 +- 
.../composable/component/user_agent.json | 2 +- .../composable/component/volume.json | 77 + .../composable/component/vulnerability.json | 2 +- .../elasticsearch/composable/template.json | 82 +- generated/elasticsearch/legacy/template.json | 2 +- version | 2 +- 92 files changed, 3856 insertions(+), 3702 deletions(-) create mode 100644 experimental/generated/elasticsearch/composable/component/volume.json create mode 100644 generated/elasticsearch/composable/component/volume.json diff --git a/docs/fields/fields.asciidoc b/docs/fields/fields.asciidoc index b29d1c353f..e8efb3cc75 100644 --- a/docs/fields/fields.asciidoc +++ b/docs/fields/fields.asciidoc @@ -1,7 +1,7 @@ [[ecs-field-reference]] == {ecs} Field Reference -This is the documentation of ECS version 8.11.0-dev. +This is the documentation of ECS version 8.12.0-dev. ECS defines multiple groups of related fields. They are called "field sets". The <> field set is the only one whose fields are defined diff --git a/docs/index.asciidoc b/docs/index.asciidoc index 145146852d..0df56fe128 100644 --- a/docs/index.asciidoc +++ b/docs/index.asciidoc @@ -13,7 +13,7 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[] [[ecs-reference]] == Overview -This is the documentation of ECS version 8.11.0-dev. +This is the documentation of ECS version 8.12.0-dev. [float] === What is ECS? diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 3ac5221046..27ee873efa 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -1,5 +1,5 @@ # WARNING! Do not edit this file directly, it was generated by the ECS project, -# based on ECS version 8.11.0-dev+exp. +# based on ECS version 8.12.0-dev+exp. # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields. - key: ecs diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index ec392d3a3f..2f9837c989 100644 
--- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -1,1771 +1,1771 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description -8.11.0-dev+exp,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. -8.11.0-dev+exp,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. -8.11.0-dev+exp,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer. -8.11.0-dev+exp,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. -8.11.0-dev+exp,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. -8.11.0-dev+exp,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. -8.11.0-dev+exp,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. -8.11.0-dev+exp,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. -8.11.0-dev+exp,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. -8.11.0-dev+exp,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. -8.11.0-dev+exp,true,cgroup,cgroup.cpu.periods,long,extended,,454839343,Number of period intervals that have elapsed. -8.11.0-dev+exp,true,cgroup,cgroup.cpu.throttled.us,long,extended,,15000,Microseconds of CPU throttled time. -8.11.0-dev+exp,true,cgroup,cgroup.cpu.usage,scaled_float,extended,,,"CPU usage, normalized by the CPU count." -8.11.0-dev+exp,true,cgroup,cgroup.memory.limit,long,extended,,256,Memory limit within the cgroup. -8.11.0-dev+exp,true,cgroup,cgroup.memory.swap.usage,long,extended,,5600,The amount of cgroup memory in swap. 
-8.11.0-dev+exp,true,cgroup,cgroup.memory.usage,long,extended,,25600,Memory usage in bytes -8.11.0-dev+exp,true,cgroup,cgroup.version,long,extended,,,The cgroup version linked to the metrics -8.11.0-dev+exp,true,client,client.address,keyword,extended,,,Client network address. -8.11.0-dev+exp,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.11.0-dev+exp,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.11.0-dev+exp,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.11.0-dev+exp,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. -8.11.0-dev+exp,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client. -8.11.0-dev+exp,true,client,client.geo.city_name,keyword,core,,Montreal,City name. -8.11.0-dev+exp,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. -8.11.0-dev+exp,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. -8.11.0-dev+exp,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.11.0-dev+exp,true,client,client.geo.country_name,keyword,core,,Canada,Country name. -8.11.0-dev+exp,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.11.0-dev+exp,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.11.0-dev+exp,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. -8.11.0-dev+exp,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.11.0-dev+exp,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. -8.11.0-dev+exp,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.11.0-dev+exp,true,client,client.ip,ip,core,,,IP address of the client. 
-8.11.0-dev+exp,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. -8.11.0-dev+exp,true,client,client.nat.ip,ip,extended,,,Client NAT ip address -8.11.0-dev+exp,true,client,client.nat.port,long,extended,,,Client NAT port -8.11.0-dev+exp,true,client,client.packets,long,core,,12,Packets sent from the client to the server. -8.11.0-dev+exp,true,client,client.port,long,core,,,Port of the client. -8.11.0-dev+exp,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." -8.11.0-dev+exp,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. -8.11.0-dev+exp,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.11.0-dev+exp,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.11.0-dev+exp,true,client,client.user.email,keyword,extended,,,User email address. -8.11.0-dev+exp,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.11.0-dev+exp,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.11.0-dev+exp,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.11.0-dev+exp,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev+exp,true,client,client.user.group.name,keyword,extended,,,Name of the group. -8.11.0-dev+exp,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.11.0-dev+exp,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev+exp,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. 
-8.11.0-dev+exp,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.11.0-dev+exp,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. -8.11.0-dev+exp,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. -8.11.0-dev+exp,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -8.11.0-dev+exp,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -8.11.0-dev+exp,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. -8.11.0-dev+exp,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.11.0-dev+exp,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. -8.11.0-dev+exp,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. -8.11.0-dev+exp,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -8.11.0-dev+exp,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -8.11.0-dev+exp,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine. -8.11.0-dev+exp,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.11.0-dev+exp,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id. -8.11.0-dev+exp,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name. 
-8.11.0-dev+exp,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider. -8.11.0-dev+exp,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -8.11.0-dev+exp,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name. -8.11.0-dev+exp,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. -8.11.0-dev+exp,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. -8.11.0-dev+exp,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. -8.11.0-dev+exp,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -8.11.0-dev+exp,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. -8.11.0-dev+exp,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id. -8.11.0-dev+exp,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name. -8.11.0-dev+exp,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -8.11.0-dev+exp,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -8.11.0-dev+exp,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine. -8.11.0-dev+exp,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.11.0-dev+exp,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id. -8.11.0-dev+exp,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name. -8.11.0-dev+exp,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider. 
-8.11.0-dev+exp,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -8.11.0-dev+exp,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name. -8.11.0-dev+exp,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -8.11.0-dev+exp,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -8.11.0-dev+exp,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -8.11.0-dev+exp,true,container,container.id,keyword,core,,,Unique container id. -8.11.0-dev+exp,true,container,container.image.hash.all,keyword,extended,array,[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26],An array of digests of the image the container was built on. -8.11.0-dev+exp,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. -8.11.0-dev+exp,true,container,container.image.tag,keyword,extended,array,,Container image tags. -8.11.0-dev+exp,true,container,container.labels,object,extended,,,Image labels. -8.11.0-dev+exp,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1." -8.11.0-dev+exp,true,container,container.name,keyword,extended,,,Container name. -8.11.0-dev+exp,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. -8.11.0-dev+exp,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -8.11.0-dev+exp,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. -8.11.0-dev+exp,true,container,container.security_context.privileged,boolean,extended,,,Indicates whether the container is running in privileged mode. 
-8.11.0-dev+exp,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. -8.11.0-dev+exp,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. -8.11.0-dev+exp,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. -8.11.0-dev+exp,true,destination,destination.address,keyword,extended,,,Destination network address. -8.11.0-dev+exp,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.11.0-dev+exp,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.11.0-dev+exp,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.11.0-dev+exp,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. -8.11.0-dev+exp,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination. -8.11.0-dev+exp,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. -8.11.0-dev+exp,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. -8.11.0-dev+exp,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. -8.11.0-dev+exp,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.11.0-dev+exp,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. -8.11.0-dev+exp,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.11.0-dev+exp,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. 
-8.11.0-dev+exp,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. -8.11.0-dev+exp,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.11.0-dev+exp,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. -8.11.0-dev+exp,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.11.0-dev+exp,true,destination,destination.ip,ip,core,,,IP address of the destination. -8.11.0-dev+exp,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. -8.11.0-dev+exp,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip -8.11.0-dev+exp,true,destination,destination.nat.port,long,extended,,,Destination NAT Port -8.11.0-dev+exp,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. -8.11.0-dev+exp,true,destination,destination.port,long,core,,,Port of the destination. -8.11.0-dev+exp,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." -8.11.0-dev+exp,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. -8.11.0-dev+exp,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.11.0-dev+exp,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.11.0-dev+exp,true,destination,destination.user.email,keyword,extended,,,User email address. -8.11.0-dev+exp,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.11.0-dev+exp,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
-8.11.0-dev+exp,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.11.0-dev+exp,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev+exp,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. -8.11.0-dev+exp,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.11.0-dev+exp,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev+exp,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.11.0-dev+exp,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. -8.11.0-dev+exp,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. -8.11.0-dev+exp,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. -8.11.0-dev+exp,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. -8.11.0-dev+exp,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.11.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.11.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 
-8.11.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.11.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.11.0-dev+exp,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.11.0-dev+exp,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.11.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.11.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.11.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. -8.11.0-dev+exp,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. -8.11.0-dev+exp,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. -8.11.0-dev+exp,true,dll,dll.hash.sha384,keyword,extended,,,SHA384 hash. -8.11.0-dev+exp,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. -8.11.0-dev+exp,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.11.0-dev+exp,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. -8.11.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. -8.11.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. -8.11.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.11.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.11.0-dev+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.11.0-dev+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 
-8.11.0-dev+exp,true,dll,dll.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.11.0-dev+exp,true,dll,dll.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.11.0-dev+exp,true,dll,dll.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.11.0-dev+exp,true,dll,dll.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.11.0-dev+exp,true,dll,dll.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.11.0-dev+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.11.0-dev+exp,true,dll,dll.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.11.0-dev+exp,true,dll,dll.pe.imports,flattened,extended,array,,List of imported element names and types. -8.11.0-dev+exp,true,dll,dll.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev+exp,true,dll,dll.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev+exp,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.11.0-dev+exp,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.11.0-dev+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.11.0-dev+exp,true,dll,dll.pe.sections,nested,extended,array,,Section information of the PE file. 
-8.11.0-dev+exp,true,dll,dll.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.11.0-dev+exp,true,dll,dll.pe.sections.name,keyword,extended,,,PE Section List name. -8.11.0-dev+exp,true,dll,dll.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.11.0-dev+exp,true,dll,dll.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.11.0-dev+exp,true,dll,dll.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.11.0-dev+exp,true,dns,dns.answers,object,extended,array,,Array of DNS answers. -8.11.0-dev+exp,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. -8.11.0-dev+exp,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. -8.11.0-dev+exp,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. -8.11.0-dev+exp,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. -8.11.0-dev+exp,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. -8.11.0-dev+exp,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. -8.11.0-dev+exp,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. -8.11.0-dev+exp,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. -8.11.0-dev+exp,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. -8.11.0-dev+exp,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. 
-8.11.0-dev+exp,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." -8.11.0-dev+exp,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. -8.11.0-dev+exp,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.11.0-dev+exp,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. -8.11.0-dev+exp,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data -8.11.0-dev+exp,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. -8.11.0-dev+exp,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." -8.11.0-dev+exp,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. -8.11.0-dev+exp,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. -8.11.0-dev+exp,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. -8.11.0-dev+exp,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. -8.11.0-dev+exp,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.11.0-dev+exp,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.11.0-dev+exp,true,email,email.attachments.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.11.0-dev+exp,true,email,email.attachments.file.hash.sha512,keyword,extended,,,SHA512 hash. -8.11.0-dev+exp,true,email,email.attachments.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.11.0-dev+exp,true,email,email.attachments.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.11.0-dev+exp,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file. 
-8.11.0-dev+exp,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file. -8.11.0-dev+exp,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size. -8.11.0-dev+exp,true,email,email.bcc.address,keyword,extended,array,bcc.user1@example.com,Email address of BCC recipient -8.11.0-dev+exp,true,email,email.cc.address,keyword,extended,array,cc.user1@example.com,Email address of CC recipient -8.11.0-dev+exp,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message. -8.11.0-dev+exp,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered. -8.11.0-dev+exp,true,email,email.direction,keyword,extended,,inbound,Direction of the message. -8.11.0-dev+exp,true,email,email.from.address,keyword,extended,array,sender@example.com,The sender's email address. -8.11.0-dev+exp,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source. -8.11.0-dev+exp,true,email,email.message_id,wildcard,extended,,81ce15$8r2j59@mail01.example.com,Value from the Message-ID header. -8.11.0-dev+exp,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed. -8.11.0-dev+exp,true,email,email.reply_to.address,keyword,extended,array,reply.here@example.com,Address replies should be delivered to. -8.11.0-dev+exp,true,email,email.sender.address,keyword,extended,,,Address of the message sender. -8.11.0-dev+exp,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message. -8.11.0-dev+exp,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. 
-8.11.0-dev+exp,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient -8.11.0-dev+exp,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. -8.11.0-dev+exp,true,error,error.code,keyword,core,,,Error code describing the error. -8.11.0-dev+exp,true,error,error.id,keyword,core,,,Unique identifier for the error. -8.11.0-dev+exp,true,error,error.message,match_only_text,core,,,Error message. -8.11.0-dev+exp,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. -8.11.0-dev+exp,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text. -8.11.0-dev+exp,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." -8.11.0-dev+exp,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. -8.11.0-dev+exp,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. -8.11.0-dev+exp,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. -8.11.0-dev+exp,true,event,event.code,keyword,extended,,4648,Identification code for this event. -8.11.0-dev+exp,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. -8.11.0-dev+exp,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. -8.11.0-dev+exp,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. -8.11.0-dev+exp,true,event,event.end,date,extended,,,`event.end` contains the date when the event ended or when the activity was last observed. -8.11.0-dev+exp,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. 
-8.11.0-dev+exp,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. -8.11.0-dev+exp,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. -8.11.0-dev+exp,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. -8.11.0-dev+exp,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. -8.11.0-dev+exp,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. -8.11.0-dev+exp,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. -8.11.0-dev+exp,true,event,event.provider,keyword,extended,,kernel,Source of the event. -8.11.0-dev+exp,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" -8.11.0-dev+exp,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL -8.11.0-dev+exp,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. -8.11.0-dev+exp,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). -8.11.0-dev+exp,true,event,event.sequence,long,extended,,,Sequence number of the event. -8.11.0-dev+exp,true,event,event.severity,long,core,,7,Numeric severity of the event. -8.11.0-dev+exp,true,event,event.start,date,extended,,,`event.start` contains the date when the event started or when the activity was first observed. -8.11.0-dev+exp,true,event,event.timezone,keyword,extended,,,Event time zone. -8.11.0-dev+exp,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. 
-8.11.0-dev+exp,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL -8.11.0-dev+exp,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function. -8.11.0-dev+exp,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. -8.11.0-dev+exp,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. -8.11.0-dev+exp,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. -8.11.0-dev+exp,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." -8.11.0-dev+exp,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. -8.11.0-dev+exp,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. -8.11.0-dev+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed. -8.11.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.11.0-dev+exp,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.11.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.11.0-dev+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.11.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
-8.11.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.11.0-dev+exp,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.11.0-dev+exp,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.11.0-dev+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.11.0-dev+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.11.0-dev+exp,true,file,file.created,date,extended,,,File creation time. -8.11.0-dev+exp,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.11.0-dev+exp,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. -8.11.0-dev+exp,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.11.0-dev+exp,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.11.0-dev+exp,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.11.0-dev+exp,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.11.0-dev+exp,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.11.0-dev+exp,true,file,file.elf.creation_date,date,extended,,,Build or compile date. -8.11.0-dev+exp,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.11.0-dev+exp,true,file,file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.11.0-dev+exp,true,file,file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. 
-8.11.0-dev+exp,true,file,file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.11.0-dev+exp,true,file,file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.11.0-dev+exp,true,file,file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.11.0-dev+exp,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.11.0-dev+exp,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.11.0-dev+exp,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.11.0-dev+exp,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.11.0-dev+exp,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.11.0-dev+exp,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.11.0-dev+exp,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.11.0-dev+exp,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.11.0-dev+exp,true,file,file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.11.0-dev+exp,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. -8.11.0-dev+exp,true,file,file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev+exp,true,file,file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev+exp,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. 
-8.11.0-dev+exp,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.11.0-dev+exp,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.11.0-dev+exp,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.11.0-dev+exp,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.11.0-dev+exp,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.11.0-dev+exp,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.11.0-dev+exp,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.11.0-dev+exp,true,file,file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.11.0-dev+exp,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.11.0-dev+exp,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.11.0-dev+exp,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. -8.11.0-dev+exp,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.11.0-dev+exp,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.11.0-dev+exp,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.11.0-dev+exp,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.11.0-dev+exp,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.11.0-dev+exp,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.11.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.11.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file. 
-8.11.0-dev+exp,true,file,file.hash.md5,keyword,extended,,,MD5 hash. -8.11.0-dev+exp,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. -8.11.0-dev+exp,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. -8.11.0-dev+exp,true,file,file.hash.sha384,keyword,extended,,,SHA384 hash. -8.11.0-dev+exp,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. -8.11.0-dev+exp,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.11.0-dev+exp,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. -8.11.0-dev+exp,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.11.0-dev+exp,true,file,file.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -8.11.0-dev+exp,true,file,file.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.11.0-dev+exp,true,file,file.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.11.0-dev+exp,true,file,file.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.11.0-dev+exp,true,file,file.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.11.0-dev+exp,true,file,file.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -8.11.0-dev+exp,true,file,file.macho.imports,flattened,extended,array,,List of imported element names and types. -8.11.0-dev+exp,true,file,file.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev+exp,true,file,file.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev+exp,true,file,file.macho.sections,nested,extended,array,,Section information of the Mach-O file. 
-8.11.0-dev+exp,true,file,file.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.11.0-dev+exp,true,file,file.macho.sections.name,keyword,extended,,,Mach-O Section List name. -8.11.0-dev+exp,true,file,file.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -8.11.0-dev+exp,true,file,file.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.11.0-dev+exp,true,file,file.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -8.11.0-dev+exp,true,file,file.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -8.11.0-dev+exp,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.11.0-dev+exp,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. -8.11.0-dev+exp,true,file,file.mtime,date,extended,,,Last time the file content was modified. -8.11.0-dev+exp,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.11.0-dev+exp,true,file,file.owner,keyword,extended,,alice,File owner's username. -8.11.0-dev+exp,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.11.0-dev+exp,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.11.0-dev+exp,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.11.0-dev+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.11.0-dev+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 
-8.11.0-dev+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.11.0-dev+exp,true,file,file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.11.0-dev+exp,true,file,file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.11.0-dev+exp,true,file,file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.11.0-dev+exp,true,file,file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.11.0-dev+exp,true,file,file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.11.0-dev+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.11.0-dev+exp,true,file,file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.11.0-dev+exp,true,file,file.pe.imports,flattened,extended,array,,List of imported element names and types. -8.11.0-dev+exp,true,file,file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev+exp,true,file,file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev+exp,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.11.0-dev+exp,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.11.0-dev+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 
-8.11.0-dev+exp,true,file,file.pe.sections,nested,extended,array,,Section information of the PE file. -8.11.0-dev+exp,true,file,file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.11.0-dev+exp,true,file,file.pe.sections.name,keyword,extended,,,PE Section List name. -8.11.0-dev+exp,true,file,file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.11.0-dev+exp,true,file,file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.11.0-dev+exp,true,file,file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.11.0-dev+exp,true,file,file.size,long,extended,,16384,File size in bytes. -8.11.0-dev+exp,true,file,file.target_path,keyword,extended,,,Target path for symlinks. -8.11.0-dev+exp,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.11.0-dev+exp,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -8.11.0-dev+exp,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.11.0-dev+exp,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.11.0-dev+exp,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.11.0-dev+exp,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.11.0-dev+exp,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
-8.11.0-dev+exp,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.11.0-dev+exp,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.11.0-dev+exp,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.11.0-dev+exp,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.11.0-dev+exp,true,file,file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.11.0-dev+exp,true,file,file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.11.0-dev+exp,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.11.0-dev+exp,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.11.0-dev+exp,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.11.0-dev+exp,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.11.0-dev+exp,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.11.0-dev+exp,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.11.0-dev+exp,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
-8.11.0-dev+exp,true,file,file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.11.0-dev+exp,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.11.0-dev+exp,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.11.0-dev+exp,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.11.0-dev+exp,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.11.0-dev+exp,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.11.0-dev+exp,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.11.0-dev+exp,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.11.0-dev+exp,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev+exp,true,group,group.name,keyword,extended,,,Name of the group. -8.11.0-dev+exp,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. -8.11.0-dev+exp,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id -8.11.0-dev+exp,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -8.11.0-dev+exp,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -8.11.0-dev+exp,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -8.11.0-dev+exp,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. -8.11.0-dev+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name. 
-8.11.0-dev+exp,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. -8.11.0-dev+exp,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. -8.11.0-dev+exp,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.11.0-dev+exp,true,host,host.geo.country_name,keyword,core,,Canada,Country name. -8.11.0-dev+exp,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.11.0-dev+exp,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.11.0-dev+exp,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. -8.11.0-dev+exp,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.11.0-dev+exp,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. -8.11.0-dev+exp,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.11.0-dev+exp,true,host,host.hostname,keyword,core,,,Hostname of the host. -8.11.0-dev+exp,true,host,host.id,keyword,core,,,Unique host id. -8.11.0-dev+exp,true,host,host.ip,ip,core,array,,Host ip addresses. -8.11.0-dev+exp,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. -8.11.0-dev+exp,true,host,host.name,keyword,core,,,Name of the host. -8.11.0-dev+exp,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. -8.11.0-dev+exp,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. -8.11.0-dev+exp,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -8.11.0-dev+exp,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. -8.11.0-dev+exp,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 
-8.11.0-dev+exp,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.11.0-dev+exp,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.11.0-dev+exp,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -8.11.0-dev+exp,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.11.0-dev+exp,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.11.0-dev+exp,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.11.0-dev+exp,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -8.11.0-dev+exp,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.11.0-dev+exp,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode -8.11.0-dev+exp,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.11.0-dev+exp,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.11.0-dev+exp,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.11.0-dev+exp,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 
-8.11.0-dev+exp,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.11.0-dev+exp,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -8.11.0-dev+exp,true,host,host.type,keyword,core,,,Type of host. -8.11.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. -8.11.0-dev+exp,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. -8.11.0-dev+exp,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. -8.11.0-dev+exp,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body. -8.11.0-dev+exp,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). -8.11.0-dev+exp,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. -8.11.0-dev+exp,true,http,http.request.method,keyword,extended,,POST,HTTP request method. -8.11.0-dev+exp,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. -8.11.0-dev+exp,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. -8.11.0-dev+exp,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. -8.11.0-dev+exp,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. -8.11.0-dev+exp,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body. -8.11.0-dev+exp,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). -8.11.0-dev+exp,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. 
-8.11.0-dev+exp,true,http,http.response.status_code,long,extended,,404,HTTP response status code. -8.11.0-dev+exp,true,http,http.version,keyword,extended,,1.1,HTTP version. -8.11.0-dev+exp,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. -8.11.0-dev+exp,true,log,log.level,keyword,core,,error,Log level of the log event. -8.11.0-dev+exp,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. -8.11.0-dev+exp,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event. -8.11.0-dev+exp,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. -8.11.0-dev+exp,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. -8.11.0-dev+exp,true,log,log.syslog,object,extended,,,Syslog metadata -8.11.0-dev+exp,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. -8.11.0-dev+exp,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. -8.11.0-dev+exp,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. -8.11.0-dev+exp,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. -8.11.0-dev+exp,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. -8.11.0-dev+exp,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. -8.11.0-dev+exp,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. -8.11.0-dev+exp,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. -8.11.0-dev+exp,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. 
-8.11.0-dev+exp,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages. -8.11.0-dev+exp,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. -8.11.0-dev+exp,true,network,network.application,keyword,extended,,aim,Application level protocol name. -8.11.0-dev+exp,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. -8.11.0-dev+exp,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. -8.11.0-dev+exp,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. -8.11.0-dev+exp,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. -8.11.0-dev+exp,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. -8.11.0-dev+exp,true,network,network.inner,object,extended,,,Inner VLAN tag information -8.11.0-dev+exp,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.11.0-dev+exp,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.11.0-dev+exp,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. -8.11.0-dev+exp,true,network,network.packets,long,core,,24,Total packets transferred in both directions. -8.11.0-dev+exp,true,network,network.protocol,keyword,core,,http,Application protocol name. -8.11.0-dev+exp,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. -8.11.0-dev+exp,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" -8.11.0-dev+exp,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. 
-8.11.0-dev+exp,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.11.0-dev+exp,true,observer,observer.egress,object,extended,,,Object field for egress information -8.11.0-dev+exp,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias -8.11.0-dev+exp,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID -8.11.0-dev+exp,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name -8.11.0-dev+exp,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.11.0-dev+exp,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.11.0-dev+exp,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone -8.11.0-dev+exp,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. -8.11.0-dev+exp,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. -8.11.0-dev+exp,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. -8.11.0-dev+exp,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.11.0-dev+exp,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. -8.11.0-dev+exp,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.11.0-dev+exp,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.11.0-dev+exp,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. -8.11.0-dev+exp,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.11.0-dev+exp,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. -8.11.0-dev+exp,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 
-8.11.0-dev+exp,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. -8.11.0-dev+exp,true,observer,observer.ingress,object,extended,,,Object field for ingress information -8.11.0-dev+exp,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias -8.11.0-dev+exp,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID -8.11.0-dev+exp,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name -8.11.0-dev+exp,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.11.0-dev+exp,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.11.0-dev+exp,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone -8.11.0-dev+exp,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. -8.11.0-dev+exp,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. -8.11.0-dev+exp,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. -8.11.0-dev+exp,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.11.0-dev+exp,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.11.0-dev+exp,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.11.0-dev+exp,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -8.11.0-dev+exp,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.11.0-dev+exp,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." 
-8.11.0-dev+exp,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.11.0-dev+exp,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -8.11.0-dev+exp,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.11.0-dev+exp,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. -8.11.0-dev+exp,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. -8.11.0-dev+exp,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. -8.11.0-dev+exp,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. -8.11.0-dev+exp,true,observer,observer.version,keyword,core,,,Observer version. -8.11.0-dev+exp,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action -8.11.0-dev+exp,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster. -8.11.0-dev+exp,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster. -8.11.0-dev+exp,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster. -8.11.0-dev+exp,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. -8.11.0-dev+exp,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. -8.11.0-dev+exp,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). -8.11.0-dev+exp,true,orchestrator,orchestrator.resource.annotation,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of annotations added to the resource. 
-8.11.0-dev+exp,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. -8.11.0-dev+exp,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. -8.11.0-dev+exp,true,orchestrator,orchestrator.resource.label,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of labels added to the resource. -8.11.0-dev+exp,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. -8.11.0-dev+exp,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. -8.11.0-dev+exp,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. -8.11.0-dev+exp,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)." -8.11.0-dev+exp,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. -8.11.0-dev+exp,true,organization,organization.name,keyword,extended,,,Organization name. -8.11.0-dev+exp,true,organization,organization.name.text,match_only_text,extended,,,Organization name. -8.11.0-dev+exp,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. -8.11.0-dev+exp,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information -8.11.0-dev+exp,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. -8.11.0-dev+exp,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. 
-8.11.0-dev+exp,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." -8.11.0-dev+exp,true,package,package.installed,date,extended,,,Time when package was installed. -8.11.0-dev+exp,true,package,package.license,keyword,extended,,Apache License 2.0,Package license -8.11.0-dev+exp,true,package,package.name,keyword,extended,,go,Package name -8.11.0-dev+exp,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. -8.11.0-dev+exp,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL -8.11.0-dev+exp,true,package,package.size,long,extended,,62231,Package size in bytes. -8.11.0-dev+exp,true,package,package.type,keyword,extended,,rpm,Package type -8.11.0-dev+exp,true,package,package.version,keyword,extended,,1.12.9,Package version -8.11.0-dev+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.11.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array. -8.11.0-dev+exp,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.11.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.11.0-dev+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.11.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.11.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.11.0-dev+exp,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 
-8.11.0-dev+exp,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.11.0-dev+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.11.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.11.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.11.0-dev+exp,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.11.0-dev+exp,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.11.0-dev+exp,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.11.0-dev+exp,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.11.0-dev+exp,true,process,process.elf.creation_date,date,extended,,,Build or compile date. -8.11.0-dev+exp,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. -8.11.0-dev+exp,true,process,process.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.11.0-dev+exp,true,process,process.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.11.0-dev+exp,true,process,process.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.11.0-dev+exp,true,process,process.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.11.0-dev+exp,true,process,process.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
-8.11.0-dev+exp,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.11.0-dev+exp,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.11.0-dev+exp,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.11.0-dev+exp,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.11.0-dev+exp,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.11.0-dev+exp,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.11.0-dev+exp,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.11.0-dev+exp,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. -8.11.0-dev+exp,true,process,process.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.11.0-dev+exp,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. -8.11.0-dev+exp,true,process,process.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev+exp,true,process,process.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev+exp,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. -8.11.0-dev+exp,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.11.0-dev+exp,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.11.0-dev+exp,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. 
-8.11.0-dev+exp,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. -8.11.0-dev+exp,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.11.0-dev+exp,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.11.0-dev+exp,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. -8.11.0-dev+exp,true,process,process.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.11.0-dev+exp,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.11.0-dev+exp,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.11.0-dev+exp,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. -8.11.0-dev+exp,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.11.0-dev+exp,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. -8.11.0-dev+exp,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.11.0-dev+exp,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.11.0-dev+exp,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -8.11.0-dev+exp,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.11.0-dev+exp,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.11.0-dev+exp,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. -8.11.0-dev+exp,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group. 
-8.11.0-dev+exp,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev+exp,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,process,process.entry_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.11.0-dev+exp,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.11.0-dev+exp,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.11.0-dev+exp,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. -8.11.0-dev+exp,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. -8.11.0-dev+exp,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.11.0-dev+exp,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.11.0-dev+exp,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev+exp,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. -8.11.0-dev+exp,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.11.0-dev+exp,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. -8.11.0-dev+exp,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. 
-8.11.0-dev+exp,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.11.0-dev+exp,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. -8.11.0-dev+exp,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.11.0-dev+exp,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. -8.11.0-dev+exp,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.11.0-dev+exp,true,process,process.entry_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. -8.11.0-dev+exp,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.11.0-dev+exp,true,process,process.entry_leader.parent.vpid,long,core,,4242,Virtual process id. -8.11.0-dev+exp,true,process,process.entry_leader.pid,long,core,,4242,Process id. -8.11.0-dev+exp,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev+exp,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. -8.11.0-dev+exp,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev+exp,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. 
-8.11.0-dev+exp,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev+exp,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. -8.11.0-dev+exp,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev+exp,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.11.0-dev+exp,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev+exp,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.11.0-dev+exp,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. -8.11.0-dev+exp,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.11.0-dev+exp,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.11.0-dev+exp,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev+exp,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,process,process.entry_leader.vpid,long,core,,4242,Virtual process id. 
-8.11.0-dev+exp,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.11.0-dev+exp,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.11.0-dev+exp,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. -8.11.0-dev+exp,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.11.0-dev+exp,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.11.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process. -8.11.0-dev+exp,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.11.0-dev+exp,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. -8.11.0-dev+exp,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.11.0-dev+exp,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.11.0-dev+exp,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.11.0-dev+exp,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.11.0-dev+exp,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.11.0-dev+exp,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-8.11.0-dev+exp,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. -8.11.0-dev+exp,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.11.0-dev+exp,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. -8.11.0-dev+exp,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. -8.11.0-dev+exp,true,process,process.group_leader.pid,long,core,,4242,Process id. -8.11.0-dev+exp,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev+exp,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. -8.11.0-dev+exp,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev+exp,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -8.11.0-dev+exp,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev+exp,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. -8.11.0-dev+exp,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev+exp,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. 
-8.11.0-dev+exp,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.11.0-dev+exp,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev+exp,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.11.0-dev+exp,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. -8.11.0-dev+exp,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.11.0-dev+exp,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.11.0-dev+exp,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev+exp,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,process,process.group_leader.vpid,long,core,,4242,Virtual process id. -8.11.0-dev+exp,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.11.0-dev+exp,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.11.0-dev+exp,true,process,process.hash.md5,keyword,extended,,,MD5 hash. -8.11.0-dev+exp,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. -8.11.0-dev+exp,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. -8.11.0-dev+exp,true,process,process.hash.sha384,keyword,extended,,,SHA384 hash. 
-8.11.0-dev+exp,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. -8.11.0-dev+exp,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.11.0-dev+exp,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. -8.11.0-dev+exp,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.11.0-dev+exp,true,process,process.io,object,extended,,,A chunk of input or output (IO) from a single process. -8.11.0-dev+exp,true,process,process.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. -8.11.0-dev+exp,true,process,process.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. -8.11.0-dev+exp,true,process,process.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. -8.11.0-dev+exp,true,process,process.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." -8.11.0-dev+exp,true,process,process.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. -8.11.0-dev+exp,true,process,process.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. -8.11.0-dev+exp,true,process,process.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. -8.11.0-dev+exp,true,process,process.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. -8.11.0-dev+exp,true,process,process.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -8.11.0-dev+exp,true,process,process.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. 
-8.11.0-dev+exp,true,process,process.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.11.0-dev+exp,true,process,process.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.11.0-dev+exp,true,process,process.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.11.0-dev+exp,true,process,process.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -8.11.0-dev+exp,true,process,process.macho.imports,flattened,extended,array,,List of imported element names and types. -8.11.0-dev+exp,true,process,process.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev+exp,true,process,process.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev+exp,true,process,process.macho.sections,nested,extended,array,,Section information of the Mach-O file. -8.11.0-dev+exp,true,process,process.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.11.0-dev+exp,true,process,process.macho.sections.name,keyword,extended,,,Mach-O Section List name. -8.11.0-dev+exp,true,process,process.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -8.11.0-dev+exp,true,process,process.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.11.0-dev+exp,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -8.11.0-dev+exp,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. 
-8.11.0-dev+exp,true,process,process.name,keyword,extended,,ssh,Process name. -8.11.0-dev+exp,true,process,process.name.text,match_only_text,extended,,ssh,Process name. -8.11.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.11.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. -8.11.0-dev+exp,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.11.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.11.0-dev+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.11.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.11.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.11.0-dev+exp,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.11.0-dev+exp,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.11.0-dev+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.11.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.11.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
-8.11.0-dev+exp,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.11.0-dev+exp,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.11.0-dev+exp,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.11.0-dev+exp,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.11.0-dev+exp,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. -8.11.0-dev+exp,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. -8.11.0-dev+exp,true,process,process.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.11.0-dev+exp,true,process,process.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.11.0-dev+exp,true,process,process.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.11.0-dev+exp,true,process,process.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.11.0-dev+exp,true,process,process.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.11.0-dev+exp,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.11.0-dev+exp,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.11.0-dev+exp,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.11.0-dev+exp,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. 
-8.11.0-dev+exp,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.11.0-dev+exp,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.11.0-dev+exp,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.11.0-dev+exp,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. -8.11.0-dev+exp,true,process,process.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.11.0-dev+exp,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. -8.11.0-dev+exp,true,process,process.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev+exp,true,process,process.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev+exp,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. -8.11.0-dev+exp,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.11.0-dev+exp,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.11.0-dev+exp,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.11.0-dev+exp,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. -8.11.0-dev+exp,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.11.0-dev+exp,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. 
-8.11.0-dev+exp,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. -8.11.0-dev+exp,true,process,process.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.11.0-dev+exp,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.11.0-dev+exp,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.11.0-dev+exp,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. -8.11.0-dev+exp,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.11.0-dev+exp,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. -8.11.0-dev+exp,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.11.0-dev+exp,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.11.0-dev+exp,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -8.11.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.11.0-dev+exp,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.11.0-dev+exp,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.11.0-dev+exp,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. -8.11.0-dev+exp,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev+exp,true,process,process.parent.group.name,keyword,extended,,,Name of the group. 
-8.11.0-dev+exp,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.11.0-dev+exp,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. -8.11.0-dev+exp,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.11.0-dev+exp,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id. -8.11.0-dev+exp,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. -8.11.0-dev+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. -8.11.0-dev+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. -8.11.0-dev+exp,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash. -8.11.0-dev+exp,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. -8.11.0-dev+exp,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.11.0-dev+exp,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. -8.11.0-dev+exp,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.11.0-dev+exp,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -8.11.0-dev+exp,true,process,process.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.11.0-dev+exp,true,process,process.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.11.0-dev+exp,true,process,process.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.11.0-dev+exp,true,process,process.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
-8.11.0-dev+exp,true,process,process.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -8.11.0-dev+exp,true,process,process.parent.macho.imports,flattened,extended,array,,List of imported element names and types. -8.11.0-dev+exp,true,process,process.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev+exp,true,process,process.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev+exp,true,process,process.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file. -8.11.0-dev+exp,true,process,process.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.11.0-dev+exp,true,process,process.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name. -8.11.0-dev+exp,true,process,process.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -8.11.0-dev+exp,true,process,process.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.11.0-dev+exp,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -8.11.0-dev+exp,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -8.11.0-dev+exp,true,process,process.parent.name,keyword,extended,,ssh,Process name. -8.11.0-dev+exp,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. -8.11.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 
-8.11.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.11.0-dev+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.11.0-dev+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.11.0-dev+exp,true,process,process.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.11.0-dev+exp,true,process,process.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.11.0-dev+exp,true,process,process.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.11.0-dev+exp,true,process,process.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.11.0-dev+exp,true,process,process.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.11.0-dev+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.11.0-dev+exp,true,process,process.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.11.0-dev+exp,true,process,process.parent.pe.imports,flattened,extended,array,,List of imported element names and types. -8.11.0-dev+exp,true,process,process.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev+exp,true,process,process.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
-8.11.0-dev+exp,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.11.0-dev+exp,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.11.0-dev+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.11.0-dev+exp,true,process,process.parent.pe.sections,nested,extended,array,,Section information of the PE file. -8.11.0-dev+exp,true,process,process.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.11.0-dev+exp,true,process,process.parent.pe.sections.name,keyword,extended,,,PE Section List name. -8.11.0-dev+exp,true,process,process.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.11.0-dev+exp,true,process,process.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.11.0-dev+exp,true,process,process.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.11.0-dev+exp,true,process,process.parent.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. -8.11.0-dev+exp,true,process,process.parent.pid,long,core,,4242,Process id. -8.11.0-dev+exp,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev+exp,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. -8.11.0-dev+exp,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev+exp,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. 
-8.11.0-dev+exp,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev+exp,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group. -8.11.0-dev+exp,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev+exp,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.11.0-dev+exp,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev+exp,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. -8.11.0-dev+exp,true,process,process.parent.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. -8.11.0-dev+exp,true,process,process.parent.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. -8.11.0-dev+exp,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. -8.11.0-dev+exp,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. -8.11.0-dev+exp,true,process,process.parent.title,keyword,extended,,,Process title. -8.11.0-dev+exp,true,process,process.parent.title.text,match_only_text,extended,,,Process title. -8.11.0-dev+exp,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. 
-8.11.0-dev+exp,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.11.0-dev+exp,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.11.0-dev+exp,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. -8.11.0-dev+exp,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev+exp,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,process,process.parent.vpid,long,core,,4242,Virtual process id. -8.11.0-dev+exp,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.11.0-dev+exp,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.11.0-dev+exp,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.11.0-dev+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.11.0-dev+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.11.0-dev+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.11.0-dev+exp,true,process,process.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.11.0-dev+exp,true,process,process.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. 
-8.11.0-dev+exp,true,process,process.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.11.0-dev+exp,true,process,process.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.11.0-dev+exp,true,process,process.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.11.0-dev+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.11.0-dev+exp,true,process,process.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.11.0-dev+exp,true,process,process.pe.imports,flattened,extended,array,,List of imported element names and types. -8.11.0-dev+exp,true,process,process.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev+exp,true,process,process.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev+exp,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.11.0-dev+exp,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.11.0-dev+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.11.0-dev+exp,true,process,process.pe.sections,nested,extended,array,,Section information of the PE file. -8.11.0-dev+exp,true,process,process.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.11.0-dev+exp,true,process,process.pe.sections.name,keyword,extended,,,PE Section List name. 
-8.11.0-dev+exp,true,process,process.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.11.0-dev+exp,true,process,process.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.11.0-dev+exp,true,process,process.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.11.0-dev+exp,true,process,process.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. -8.11.0-dev+exp,true,process,process.pid,long,core,,4242,Process id. -8.11.0-dev+exp,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.11.0-dev+exp,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. -8.11.0-dev+exp,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.11.0-dev+exp,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.11.0-dev+exp,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev+exp,true,process,process.real_group.name,keyword,extended,,,Name of the group. -8.11.0-dev+exp,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev+exp,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev+exp,true,process,process.saved_group.name,keyword,extended,,,Name of the group. 
-8.11.0-dev+exp,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev+exp,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.11.0-dev+exp,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array. -8.11.0-dev+exp,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.11.0-dev+exp,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.11.0-dev+exp,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.11.0-dev+exp,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.11.0-dev+exp,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.11.0-dev+exp,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev+exp,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. -8.11.0-dev+exp,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.11.0-dev+exp,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. -8.11.0-dev+exp,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. 
-8.11.0-dev+exp,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.11.0-dev+exp,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. -8.11.0-dev+exp,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.11.0-dev+exp,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. -8.11.0-dev+exp,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.11.0-dev+exp,true,process,process.session_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. -8.11.0-dev+exp,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.11.0-dev+exp,true,process,process.session_leader.parent.vpid,long,core,,4242,Virtual process id. -8.11.0-dev+exp,true,process,process.session_leader.pid,long,core,,4242,Process id. -8.11.0-dev+exp,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev+exp,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. -8.11.0-dev+exp,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev+exp,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. 
-8.11.0-dev+exp,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev+exp,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group. -8.11.0-dev+exp,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev+exp,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.11.0-dev+exp,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev+exp,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.11.0-dev+exp,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. -8.11.0-dev+exp,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.11.0-dev+exp,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.11.0-dev+exp,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev+exp,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,process,process.session_leader.vpid,long,core,,4242,Virtual process id. 
-8.11.0-dev+exp,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.11.0-dev+exp,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.11.0-dev+exp,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.11.0-dev+exp,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev+exp,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. -8.11.0-dev+exp,true,process,process.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. -8.11.0-dev+exp,true,process,process.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. -8.11.0-dev+exp,true,process,process.thread.id,long,extended,,4242,Thread ID. -8.11.0-dev+exp,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. -8.11.0-dev+exp,true,process,process.title,keyword,extended,,,Process title. -8.11.0-dev+exp,true,process,process.title.text,match_only_text,extended,,,Process title. -8.11.0-dev+exp,true,process,process.tty,object,extended,,,Information about the controlling TTY device. -8.11.0-dev+exp,true,process,process.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.11.0-dev+exp,true,process,process.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.11.0-dev+exp,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width -8.11.0-dev+exp,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. 
e.g terminal height -8.11.0-dev+exp,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. -8.11.0-dev+exp,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev+exp,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,process,process.vpid,long,core,,4242,Virtual process id. -8.11.0-dev+exp,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.11.0-dev+exp,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.11.0-dev+exp,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.11.0-dev+exp,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -8.11.0-dev+exp,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.11.0-dev+exp,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.11.0-dev+exp,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -8.11.0-dev+exp,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.11.0-dev+exp,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. -8.11.0-dev+exp,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. 
-8.11.0-dev+exp,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. -8.11.0-dev+exp,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. -8.11.0-dev+exp,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. -8.11.0-dev+exp,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author -8.11.0-dev+exp,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category -8.11.0-dev+exp,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description -8.11.0-dev+exp,true,rule,rule.id,keyword,extended,,101,Rule ID -8.11.0-dev+exp,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license -8.11.0-dev+exp,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name -8.11.0-dev+exp,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL -8.11.0-dev+exp,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset -8.11.0-dev+exp,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID -8.11.0-dev+exp,true,rule,rule.version,keyword,extended,,1.1,Rule version -8.11.0-dev+exp,true,server,server.address,keyword,extended,,,Server network address. -8.11.0-dev+exp,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.11.0-dev+exp,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.11.0-dev+exp,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.11.0-dev+exp,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. -8.11.0-dev+exp,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server. -8.11.0-dev+exp,true,server,server.geo.city_name,keyword,core,,Montreal,City name. 
-8.11.0-dev+exp,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. -8.11.0-dev+exp,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. -8.11.0-dev+exp,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.11.0-dev+exp,true,server,server.geo.country_name,keyword,core,,Canada,Country name. -8.11.0-dev+exp,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.11.0-dev+exp,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.11.0-dev+exp,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. -8.11.0-dev+exp,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.11.0-dev+exp,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. -8.11.0-dev+exp,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.11.0-dev+exp,true,server,server.ip,ip,core,,,IP address of the server. -8.11.0-dev+exp,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. -8.11.0-dev+exp,true,server,server.nat.ip,ip,extended,,,Server NAT ip -8.11.0-dev+exp,true,server,server.nat.port,long,extended,,,Server NAT port -8.11.0-dev+exp,true,server,server.packets,long,core,,12,Packets sent from the server to the client. -8.11.0-dev+exp,true,server,server.port,long,core,,,Port of the server. -8.11.0-dev+exp,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." -8.11.0-dev+exp,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. -8.11.0-dev+exp,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.11.0-dev+exp,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. 
-8.11.0-dev+exp,true,server,server.user.email,keyword,extended,,,User email address. -8.11.0-dev+exp,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.11.0-dev+exp,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.11.0-dev+exp,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.11.0-dev+exp,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev+exp,true,server,server.user.group.name,keyword,extended,,,Name of the group. -8.11.0-dev+exp,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.11.0-dev+exp,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev+exp,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.11.0-dev+exp,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.11.0-dev+exp,true,service,service.environment,keyword,extended,,production,Environment of the service. -8.11.0-dev+exp,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.11.0-dev+exp,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.11.0-dev+exp,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. -8.11.0-dev+exp,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. 
-8.11.0-dev+exp,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.11.0-dev+exp,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -8.11.0-dev+exp,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.11.0-dev+exp,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. -8.11.0-dev+exp,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.11.0-dev+exp,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.11.0-dev+exp,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. -8.11.0-dev+exp,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.11.0-dev+exp,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.11.0-dev+exp,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -8.11.0-dev+exp,true,service,service.origin.state,keyword,core,,,Current state of the service. -8.11.0-dev+exp,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. -8.11.0-dev+exp,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. -8.11.0-dev+exp,true,service,service.state,keyword,core,,,Current state of the service. -8.11.0-dev+exp,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.11.0-dev+exp,true,service,service.target.environment,keyword,extended,,production,Environment of the service. -8.11.0-dev+exp,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. 
-8.11.0-dev+exp,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.11.0-dev+exp,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. -8.11.0-dev+exp,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.11.0-dev+exp,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.11.0-dev+exp,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -8.11.0-dev+exp,true,service,service.target.state,keyword,core,,,Current state of the service. -8.11.0-dev+exp,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. -8.11.0-dev+exp,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. -8.11.0-dev+exp,true,service,service.type,keyword,core,,elasticsearch,The type of the service. -8.11.0-dev+exp,true,service,service.version,keyword,core,,3.2.4,Version of the service. -8.11.0-dev+exp,true,source,source.address,keyword,extended,,,Source network address. -8.11.0-dev+exp,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.11.0-dev+exp,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.11.0-dev+exp,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.11.0-dev+exp,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. -8.11.0-dev+exp,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source. -8.11.0-dev+exp,true,source,source.geo.city_name,keyword,core,,Montreal,City name. -8.11.0-dev+exp,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. 
-8.11.0-dev+exp,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. -8.11.0-dev+exp,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.11.0-dev+exp,true,source,source.geo.country_name,keyword,core,,Canada,Country name. -8.11.0-dev+exp,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.11.0-dev+exp,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.11.0-dev+exp,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. -8.11.0-dev+exp,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.11.0-dev+exp,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. -8.11.0-dev+exp,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.11.0-dev+exp,true,source,source.ip,ip,core,,,IP address of the source. -8.11.0-dev+exp,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. -8.11.0-dev+exp,true,source,source.nat.ip,ip,extended,,,Source NAT ip -8.11.0-dev+exp,true,source,source.nat.port,long,extended,,,Source NAT port -8.11.0-dev+exp,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. -8.11.0-dev+exp,true,source,source.port,long,core,,,Port of the source. -8.11.0-dev+exp,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -8.11.0-dev+exp,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. -8.11.0-dev+exp,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.11.0-dev+exp,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.11.0-dev+exp,true,source,source.user.email,keyword,extended,,,User email address. 
-8.11.0-dev+exp,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.11.0-dev+exp,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.11.0-dev+exp,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.11.0-dev+exp,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev+exp,true,source,source.user.group.name,keyword,extended,,,Name of the group. -8.11.0-dev+exp,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.11.0-dev+exp,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev+exp,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.11.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. -8.11.0-dev+exp,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. 
-8.11.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 
-8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. 
-8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. 
-8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. 
-8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. 
-8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. 
-8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. 
-8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
-8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. 
-8.11.0-dev+exp,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. 
-8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 
-8.11.0-dev+exp,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.name,keyword,extended,,5.2.75.227,Indicator display name -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. 
-8.11.0-dev+exp,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. 
-8.11.0-dev+exp,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
-8.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.11.0-dev+exp,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. 
-8.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. 
-8.11.0-dev+exp,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value -8.11.0-dev+exp,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field -8.11.0-dev+exp,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier -8.11.0-dev+exp,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index -8.11.0-dev+exp,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05T17:00:58.326Z,Date of match -8.11.0-dev+exp,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match -8.11.0-dev+exp,true,threat,threat.feed.dashboard_id,keyword,extended,,5ba16340-72e6-11eb-a3e3-b3cc7c78a70f,Feed dashboard ID. -8.11.0-dev+exp,true,threat,threat.feed.description,keyword,extended,,Threat feed from the AlienVault Open Threat eXchange network.,Description of the threat feed. -8.11.0-dev+exp,true,threat,threat.feed.name,keyword,extended,,AlienVault OTX,Name of the threat feed. -8.11.0-dev+exp,true,threat,threat.feed.reference,keyword,extended,,https://otx.alienvault.com,Reference for the threat feed. -8.11.0-dev+exp,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. -8.11.0-dev+exp,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. -8.11.0-dev+exp,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. -8.11.0-dev+exp,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. -8.11.0-dev+exp,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. -8.11.0-dev+exp,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. 
-8.11.0-dev+exp,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.11.0-dev+exp,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.11.0-dev+exp,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating -8.11.0-dev+exp,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -8.11.0-dev+exp,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address -8.11.0-dev+exp,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. -8.11.0-dev+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.11.0-dev+exp,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.11.0-dev+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.11.0-dev+exp,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.11.0-dev+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.11.0-dev+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.11.0-dev+exp,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.11.0-dev+exp,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 
-8.11.0-dev+exp,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.11.0-dev+exp,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.11.0-dev+exp,true,threat,threat.indicator.file.created,date,extended,,,File creation time. -8.11.0-dev+exp,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.11.0-dev+exp,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. -8.11.0-dev+exp,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.11.0-dev+exp,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.11.0-dev+exp,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.11.0-dev+exp,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.11.0-dev+exp,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.11.0-dev+exp,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. -8.11.0-dev+exp,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.11.0-dev+exp,true,threat,threat.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.11.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.11.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
-8.11.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.11.0-dev+exp,true,threat,threat.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.11.0-dev+exp,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.11.0-dev+exp,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.11.0-dev+exp,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.11.0-dev+exp,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.11.0-dev+exp,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.11.0-dev+exp,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.11.0-dev+exp,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.11.0-dev+exp,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.11.0-dev+exp,true,threat,threat.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.11.0-dev+exp,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. -8.11.0-dev+exp,true,threat,threat.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev+exp,true,threat,threat.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
-8.11.0-dev+exp,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. -8.11.0-dev+exp,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.11.0-dev+exp,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.11.0-dev+exp,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.11.0-dev+exp,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.11.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.11.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.11.0-dev+exp,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.11.0-dev+exp,true,threat,threat.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.11.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.11.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.11.0-dev+exp,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. -8.11.0-dev+exp,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.11.0-dev+exp,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.11.0-dev+exp,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.11.0-dev+exp,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. 
-8.11.0-dev+exp,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.11.0-dev+exp,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.11.0-dev+exp,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.11.0-dev+exp,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. -8.11.0-dev+exp,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. -8.11.0-dev+exp,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.11.0-dev+exp,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.11.0-dev+exp,true,threat,threat.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.11.0-dev+exp,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. -8.11.0-dev+exp,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.11.0-dev+exp,true,threat,threat.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.11.0-dev+exp,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.11.0-dev+exp,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.11.0-dev+exp,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. -8.11.0-dev+exp,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. -8.11.0-dev+exp,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.11.0-dev+exp,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. 
-8.11.0-dev+exp,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.11.0-dev+exp,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.11.0-dev+exp,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.11.0-dev+exp,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.11.0-dev+exp,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.11.0-dev+exp,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.11.0-dev+exp,true,threat,threat.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.11.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.11.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.11.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.11.0-dev+exp,true,threat,threat.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.11.0-dev+exp,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.11.0-dev+exp,true,threat,threat.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. 
-8.11.0-dev+exp,true,threat,threat.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. -8.11.0-dev+exp,true,threat,threat.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev+exp,true,threat,threat.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev+exp,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.11.0-dev+exp,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.11.0-dev+exp,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.11.0-dev+exp,true,threat,threat.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. -8.11.0-dev+exp,true,threat,threat.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.11.0-dev+exp,true,threat,threat.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. -8.11.0-dev+exp,true,threat,threat.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.11.0-dev+exp,true,threat,threat.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.11.0-dev+exp,true,threat,threat.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.11.0-dev+exp,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. 
-8.11.0-dev+exp,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. -8.11.0-dev+exp,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.11.0-dev+exp,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -8.11.0-dev+exp,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.11.0-dev+exp,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.11.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.11.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.11.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.11.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.11.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.11.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-8.11.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.11.0-dev+exp,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.11.0-dev+exp,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.11.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.11.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.11.0-dev+exp,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.11.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.11.0-dev+exp,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.11.0-dev+exp,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.11.0-dev+exp,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.11.0-dev+exp,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.11.0-dev+exp,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-8.11.0-dev+exp,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.11.0-dev+exp,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.11.0-dev+exp,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.11.0-dev+exp,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.11.0-dev+exp,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.11.0-dev+exp,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. -8.11.0-dev+exp,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. -8.11.0-dev+exp,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. -8.11.0-dev+exp,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. -8.11.0-dev+exp,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.11.0-dev+exp,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. -8.11.0-dev+exp,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.11.0-dev+exp,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.11.0-dev+exp,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. -8.11.0-dev+exp,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.11.0-dev+exp,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. 
-8.11.0-dev+exp,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.11.0-dev+exp,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address -8.11.0-dev+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. -8.11.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking -8.11.0-dev+exp,true,threat,threat.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version -8.11.0-dev+exp,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. -8.11.0-dev+exp,true,threat,threat.indicator.name,keyword,extended,,5.2.75.227,Indicator display name -8.11.0-dev+exp,true,threat,threat.indicator.port,long,extended,,443,Indicator port -8.11.0-dev+exp,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider -8.11.0-dev+exp,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL -8.11.0-dev+exp,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.11.0-dev+exp,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -8.11.0-dev+exp,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.11.0-dev+exp,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.11.0-dev+exp,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. 
-8.11.0-dev+exp,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.11.0-dev+exp,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. -8.11.0-dev+exp,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics -8.11.0-dev+exp,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed -8.11.0-dev+exp,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator -8.11.0-dev+exp,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.11.0-dev+exp,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -8.11.0-dev+exp,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.11.0-dev+exp,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.11.0-dev+exp,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.11.0-dev+exp,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.11.0-dev+exp,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.11.0-dev+exp,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. -8.11.0-dev+exp,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." 
-8.11.0-dev+exp,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." -8.11.0-dev+exp,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. -8.11.0-dev+exp,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.11.0-dev+exp,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. -8.11.0-dev+exp,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.11.0-dev+exp,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.11.0-dev+exp,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. -8.11.0-dev+exp,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.11.0-dev+exp,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.11.0-dev+exp,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.11.0-dev+exp,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.11.0-dev+exp,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.11.0-dev+exp,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.11.0-dev+exp,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-8.11.0-dev+exp,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.11.0-dev+exp,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.11.0-dev+exp,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.11.0-dev+exp,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.11.0-dev+exp,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.11.0-dev+exp,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.11.0-dev+exp,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.11.0-dev+exp,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.11.0-dev+exp,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.11.0-dev+exp,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.11.0-dev+exp,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.11.0-dev+exp,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-8.11.0-dev+exp,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.11.0-dev+exp,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.11.0-dev+exp,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.11.0-dev+exp,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.11.0-dev+exp,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. -8.11.0-dev+exp,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software -8.11.0-dev+exp,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software -8.11.0-dev+exp,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. -8.11.0-dev+exp,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. -8.11.0-dev+exp,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. -8.11.0-dev+exp,true,threat,threat.software.type,keyword,extended,,Tool,Software type. -8.11.0-dev+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. -8.11.0-dev+exp,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. -8.11.0-dev+exp,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. -8.11.0-dev+exp,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. -8.11.0-dev+exp,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. 
-8.11.0-dev+exp,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name. -8.11.0-dev+exp,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. -8.11.0-dev+exp,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. -8.11.0-dev+exp,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. -8.11.0-dev+exp,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name. -8.11.0-dev+exp,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. -8.11.0-dev+exp,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. -8.11.0-dev+exp,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. -8.11.0-dev+exp,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. -8.11.0-dev+exp,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. -8.11.0-dev+exp,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. -8.11.0-dev+exp,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. 
-8.11.0-dev+exp,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. -8.11.0-dev+exp,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. -8.11.0-dev+exp,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. -8.11.0-dev+exp,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. -8.11.0-dev+exp,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. -8.11.0-dev+exp,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. -8.11.0-dev+exp,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. -8.11.0-dev+exp,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.11.0-dev+exp,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.11.0-dev+exp,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.11.0-dev+exp,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
-8.11.0-dev+exp,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.11.0-dev+exp,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.11.0-dev+exp,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.11.0-dev+exp,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.11.0-dev+exp,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.11.0-dev+exp,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.11.0-dev+exp,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.11.0-dev+exp,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.11.0-dev+exp,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.11.0-dev+exp,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.11.0-dev+exp,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.11.0-dev+exp,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.11.0-dev+exp,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
-8.11.0-dev+exp,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.11.0-dev+exp,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.11.0-dev+exp,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.11.0-dev+exp,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.11.0-dev+exp,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.11.0-dev+exp,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.11.0-dev+exp,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. -8.11.0-dev+exp,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." -8.11.0-dev+exp,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. -8.11.0-dev+exp,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. -8.11.0-dev+exp,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -8.11.0-dev+exp,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. -8.11.0-dev+exp,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. 
-8.11.0-dev+exp,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. -8.11.0-dev+exp,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. -8.11.0-dev+exp,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. -8.11.0-dev+exp,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. -8.11.0-dev+exp,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. -8.11.0-dev+exp,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. -8.11.0-dev+exp,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. -8.11.0-dev+exp,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. -8.11.0-dev+exp,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.11.0-dev+exp,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
-8.11.0-dev+exp,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.11.0-dev+exp,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.11.0-dev+exp,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.11.0-dev+exp,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.11.0-dev+exp,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.11.0-dev+exp,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.11.0-dev+exp,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.11.0-dev+exp,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.11.0-dev+exp,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.11.0-dev+exp,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.11.0-dev+exp,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.11.0-dev+exp,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.11.0-dev+exp,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. 
-8.11.0-dev+exp,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.11.0-dev+exp,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.11.0-dev+exp,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.11.0-dev+exp,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.11.0-dev+exp,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.11.0-dev+exp,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.11.0-dev+exp,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.11.0-dev+exp,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.11.0-dev+exp,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. -8.11.0-dev+exp,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. -8.11.0-dev+exp,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. -8.11.0-dev+exp,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. -8.11.0-dev+exp,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. -8.11.0-dev+exp,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. 
-8.11.0-dev+exp,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -8.11.0-dev+exp,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.11.0-dev+exp,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.11.0-dev+exp,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.11.0-dev+exp,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.11.0-dev+exp,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.11.0-dev+exp,true,url,url.password,keyword,extended,,,Password of the request. -8.11.0-dev+exp,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.11.0-dev+exp,true,url,url.port,long,extended,,443,"Port of the request, such as 443." -8.11.0-dev+exp,true,url,url.query,keyword,extended,,,Query string of the request. -8.11.0-dev+exp,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.11.0-dev+exp,true,url,url.scheme,keyword,extended,,https,Scheme of the url. -8.11.0-dev+exp,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.11.0-dev+exp,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.11.0-dev+exp,true,url,url.username,keyword,extended,,,Username of the request. -8.11.0-dev+exp,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. -8.11.0-dev+exp,true,user,user.changes.email,keyword,extended,,,User email address. 
-8.11.0-dev+exp,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.11.0-dev+exp,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.11.0-dev+exp,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.11.0-dev+exp,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev+exp,true,user,user.changes.group.name,keyword,extended,,,Name of the group. -8.11.0-dev+exp,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.11.0-dev+exp,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev+exp,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.11.0-dev+exp,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.11.0-dev+exp,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. -8.11.0-dev+exp,true,user,user.effective.email,keyword,extended,,,User email address. -8.11.0-dev+exp,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.11.0-dev+exp,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.11.0-dev+exp,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-8.11.0-dev+exp,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev+exp,true,user,user.effective.group.name,keyword,extended,,,Name of the group. -8.11.0-dev+exp,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.11.0-dev+exp,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev+exp,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.11.0-dev+exp,true,user,user.email,keyword,extended,,,User email address. -8.11.0-dev+exp,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.11.0-dev+exp,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.11.0-dev+exp,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.11.0-dev+exp,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev+exp,true,user,user.group.name,keyword,extended,,,Name of the group. -8.11.0-dev+exp,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.11.0-dev+exp,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev+exp,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
-8.11.0-dev+exp,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.11.0-dev+exp,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.11.0-dev+exp,true,user,user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.11.0-dev+exp,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.11.0-dev+exp,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.11.0-dev+exp,true,user,user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -8.11.0-dev+exp,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.11.0-dev+exp,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. -8.11.0-dev+exp,true,user,user.target.email,keyword,extended,,,User email address. -8.11.0-dev+exp,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.11.0-dev+exp,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.11.0-dev+exp,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.11.0-dev+exp,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev+exp,true,user,user.target.group.name,keyword,extended,,,Name of the group. 
-8.11.0-dev+exp,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.11.0-dev+exp,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev+exp,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev+exp,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.11.0-dev+exp,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. -8.11.0-dev+exp,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. -8.11.0-dev+exp,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -8.11.0-dev+exp,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -8.11.0-dev+exp,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.11.0-dev+exp,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.11.0-dev+exp,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.11.0-dev+exp,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. 
-8.11.0-dev+exp,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.11.0-dev+exp,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.11.0-dev+exp,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.11.0-dev+exp,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -8.11.0-dev+exp,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.11.0-dev+exp,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. -8.11.0-dev+exp,true,volume,volume.bus_type,keyword,extended,,FileBackedVirtual,Bus type of the device. -8.11.0-dev+exp,true,volume,volume.default_access,keyword,extended,,,Bus type of the device. -8.11.0-dev+exp,true,volume,volume.device_name,keyword,extended,,,Device name of the volume. -8.11.0-dev+exp,true,volume,volume.device_type,keyword,extended,,CD-ROM File System,Volume device type. -8.11.0-dev+exp,true,volume,volume.dos_name,keyword,extended,,E:,DOS name of the device. -8.11.0-dev+exp,true,volume,volume.file_system_type,keyword,extended,,,Volume device file system type. -8.11.0-dev+exp,true,volume,volume.mount_name,keyword,extended,,,Mount name of the volume. -8.11.0-dev+exp,true,volume,volume.nt_name,keyword,extended,,\Device\Cdrom1,NT name of the device. -8.11.0-dev+exp,true,volume,volume.product_id,keyword,extended,,,ProductID of the device. -8.11.0-dev+exp,true,volume,volume.product_name,keyword,extended,,Virtual DVD-ROM,Produce name of the volume. -8.11.0-dev+exp,true,volume,volume.removable,boolean,extended,,,Indicates if the volume is removable. -8.11.0-dev+exp,true,volume,volume.serial_number,keyword,extended,,,Serial number of the device. 
-8.11.0-dev+exp,true,volume,volume.size,long,extended,,,Size of the volume device in bytes. -8.11.0-dev+exp,true,volume,volume.vendor_id,keyword,extended,,,VendorID of the device. -8.11.0-dev+exp,true,volume,volume.vendor_name,keyword,extended,,Msft,Vendor name of the device. -8.11.0-dev+exp,true,volume,volume.writable,boolean,extended,,,Indicates if the volume is writable. -8.11.0-dev+exp,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. -8.11.0-dev+exp,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. -8.11.0-dev+exp,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -8.11.0-dev+exp,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -8.11.0-dev+exp,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. -8.11.0-dev+exp,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. -8.11.0-dev+exp,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. -8.11.0-dev+exp,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. -8.11.0-dev+exp,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. -8.11.0-dev+exp,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. -8.11.0-dev+exp,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. -8.11.0-dev+exp,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. 
-8.11.0-dev+exp,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. -8.11.0-dev+exp,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. +8.12.0-dev+exp,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. +8.12.0-dev+exp,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. +8.12.0-dev+exp,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer. +8.12.0-dev+exp,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. +8.12.0-dev+exp,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. +8.12.0-dev+exp,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. +8.12.0-dev+exp,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. +8.12.0-dev+exp,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. +8.12.0-dev+exp,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. +8.12.0-dev+exp,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. +8.12.0-dev+exp,true,cgroup,cgroup.cpu.periods,long,extended,,454839343,Number of period intervals that have elapsed. +8.12.0-dev+exp,true,cgroup,cgroup.cpu.throttled.us,long,extended,,15000,Microseconds of CPU throttled time. +8.12.0-dev+exp,true,cgroup,cgroup.cpu.usage,scaled_float,extended,,,"CPU usage, normalized by the CPU count." +8.12.0-dev+exp,true,cgroup,cgroup.memory.limit,long,extended,,256,Memory limit within the cgroup. +8.12.0-dev+exp,true,cgroup,cgroup.memory.swap.usage,long,extended,,5600,The amount of cgroup memory in swap. 
+8.12.0-dev+exp,true,cgroup,cgroup.memory.usage,long,extended,,25600,Memory usage in bytes +8.12.0-dev+exp,true,cgroup,cgroup.version,long,extended,,,The cgroup version linked to the metrics +8.12.0-dev+exp,true,client,client.address,keyword,extended,,,Client network address. +8.12.0-dev+exp,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.12.0-dev+exp,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.12.0-dev+exp,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.12.0-dev+exp,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. +8.12.0-dev+exp,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client. +8.12.0-dev+exp,true,client,client.geo.city_name,keyword,core,,Montreal,City name. +8.12.0-dev+exp,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. +8.12.0-dev+exp,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. +8.12.0-dev+exp,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.12.0-dev+exp,true,client,client.geo.country_name,keyword,core,,Canada,Country name. +8.12.0-dev+exp,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.12.0-dev+exp,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.12.0-dev+exp,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. +8.12.0-dev+exp,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.12.0-dev+exp,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. +8.12.0-dev+exp,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.12.0-dev+exp,true,client,client.ip,ip,core,,,IP address of the client. 
+8.12.0-dev+exp,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. +8.12.0-dev+exp,true,client,client.nat.ip,ip,extended,,,Client NAT ip address +8.12.0-dev+exp,true,client,client.nat.port,long,extended,,,Client NAT port +8.12.0-dev+exp,true,client,client.packets,long,core,,12,Packets sent from the client to the server. +8.12.0-dev+exp,true,client,client.port,long,core,,,Port of the client. +8.12.0-dev+exp,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." +8.12.0-dev+exp,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. +8.12.0-dev+exp,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.12.0-dev+exp,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.12.0-dev+exp,true,client,client.user.email,keyword,extended,,,User email address. +8.12.0-dev+exp,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.12.0-dev+exp,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.12.0-dev+exp,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.12.0-dev+exp,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev+exp,true,client,client.user.group.name,keyword,extended,,,Name of the group. +8.12.0-dev+exp,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.12.0-dev+exp,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev+exp,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. 
+8.12.0-dev+exp,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.12.0-dev+exp,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. +8.12.0-dev+exp,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. +8.12.0-dev+exp,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +8.12.0-dev+exp,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +8.12.0-dev+exp,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. +8.12.0-dev+exp,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +8.12.0-dev+exp,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. +8.12.0-dev+exp,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. +8.12.0-dev+exp,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +8.12.0-dev+exp,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +8.12.0-dev+exp,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine. +8.12.0-dev+exp,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +8.12.0-dev+exp,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id. +8.12.0-dev+exp,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name. 
+8.12.0-dev+exp,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider. +8.12.0-dev+exp,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +8.12.0-dev+exp,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name. +8.12.0-dev+exp,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. +8.12.0-dev+exp,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. +8.12.0-dev+exp,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. +8.12.0-dev+exp,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +8.12.0-dev+exp,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. +8.12.0-dev+exp,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id. +8.12.0-dev+exp,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name. +8.12.0-dev+exp,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +8.12.0-dev+exp,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +8.12.0-dev+exp,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine. +8.12.0-dev+exp,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +8.12.0-dev+exp,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id. +8.12.0-dev+exp,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name. +8.12.0-dev+exp,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider. 
+8.12.0-dev+exp,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +8.12.0-dev+exp,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name. +8.12.0-dev+exp,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +8.12.0-dev+exp,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +8.12.0-dev+exp,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +8.12.0-dev+exp,true,container,container.id,keyword,core,,,Unique container id. +8.12.0-dev+exp,true,container,container.image.hash.all,keyword,extended,array,[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26],An array of digests of the image the container was built on. +8.12.0-dev+exp,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. +8.12.0-dev+exp,true,container,container.image.tag,keyword,extended,array,,Container image tags. +8.12.0-dev+exp,true,container,container.labels,object,extended,,,Image labels. +8.12.0-dev+exp,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1." +8.12.0-dev+exp,true,container,container.name,keyword,extended,,,Container name. +8.12.0-dev+exp,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +8.12.0-dev+exp,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +8.12.0-dev+exp,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. +8.12.0-dev+exp,true,container,container.security_context.privileged,boolean,extended,,,Indicates whether the container is running in privileged mode. 
+8.12.0-dev+exp,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. +8.12.0-dev+exp,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. +8.12.0-dev+exp,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. +8.12.0-dev+exp,true,destination,destination.address,keyword,extended,,,Destination network address. +8.12.0-dev+exp,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.12.0-dev+exp,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.12.0-dev+exp,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.12.0-dev+exp,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. +8.12.0-dev+exp,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination. +8.12.0-dev+exp,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. +8.12.0-dev+exp,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. +8.12.0-dev+exp,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. +8.12.0-dev+exp,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.12.0-dev+exp,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. +8.12.0-dev+exp,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.12.0-dev+exp,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. 
+8.12.0-dev+exp,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. +8.12.0-dev+exp,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.12.0-dev+exp,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. +8.12.0-dev+exp,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.12.0-dev+exp,true,destination,destination.ip,ip,core,,,IP address of the destination. +8.12.0-dev+exp,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. +8.12.0-dev+exp,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip +8.12.0-dev+exp,true,destination,destination.nat.port,long,extended,,,Destination NAT Port +8.12.0-dev+exp,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. +8.12.0-dev+exp,true,destination,destination.port,long,core,,,Port of the destination. +8.12.0-dev+exp,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." +8.12.0-dev+exp,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. +8.12.0-dev+exp,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.12.0-dev+exp,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.12.0-dev+exp,true,destination,destination.user.email,keyword,extended,,,User email address. +8.12.0-dev+exp,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.12.0-dev+exp,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
+8.12.0-dev+exp,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.12.0-dev+exp,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev+exp,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. +8.12.0-dev+exp,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.12.0-dev+exp,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev+exp,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.12.0-dev+exp,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. +8.12.0-dev+exp,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. +8.12.0-dev+exp,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. +8.12.0-dev+exp,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. +8.12.0-dev+exp,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.12.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 
+8.12.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.12.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.12.0-dev+exp,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.12.0-dev+exp,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.12.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.12.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.12.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. +8.12.0-dev+exp,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. +8.12.0-dev+exp,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. +8.12.0-dev+exp,true,dll,dll.hash.sha384,keyword,extended,,,SHA384 hash. +8.12.0-dev+exp,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. +8.12.0-dev+exp,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.12.0-dev+exp,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. +8.12.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. +8.12.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. +8.12.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.12.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.12.0-dev+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.12.0-dev+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 
+8.12.0-dev+exp,true,dll,dll.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +8.12.0-dev+exp,true,dll,dll.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.12.0-dev+exp,true,dll,dll.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.12.0-dev+exp,true,dll,dll.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.12.0-dev+exp,true,dll,dll.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.12.0-dev+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.12.0-dev+exp,true,dll,dll.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.12.0-dev+exp,true,dll,dll.pe.imports,flattened,extended,array,,List of imported element names and types. +8.12.0-dev+exp,true,dll,dll.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev+exp,true,dll,dll.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev+exp,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.12.0-dev+exp,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.12.0-dev+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.12.0-dev+exp,true,dll,dll.pe.sections,nested,extended,array,,Section information of the PE file. 
+8.12.0-dev+exp,true,dll,dll.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.12.0-dev+exp,true,dll,dll.pe.sections.name,keyword,extended,,,PE Section List name. +8.12.0-dev+exp,true,dll,dll.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.12.0-dev+exp,true,dll,dll.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.12.0-dev+exp,true,dll,dll.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.12.0-dev+exp,true,dns,dns.answers,object,extended,array,,Array of DNS answers. +8.12.0-dev+exp,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. +8.12.0-dev+exp,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. +8.12.0-dev+exp,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. +8.12.0-dev+exp,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. +8.12.0-dev+exp,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. +8.12.0-dev+exp,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. +8.12.0-dev+exp,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. +8.12.0-dev+exp,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. +8.12.0-dev+exp,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. +8.12.0-dev+exp,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. 
+8.12.0-dev+exp,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." +8.12.0-dev+exp,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. +8.12.0-dev+exp,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.12.0-dev+exp,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. +8.12.0-dev+exp,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data +8.12.0-dev+exp,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. +8.12.0-dev+exp,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." +8.12.0-dev+exp,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. +8.12.0-dev+exp,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. +8.12.0-dev+exp,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. +8.12.0-dev+exp,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. +8.12.0-dev+exp,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. +8.12.0-dev+exp,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. +8.12.0-dev+exp,true,email,email.attachments.file.hash.sha384,keyword,extended,,,SHA384 hash. +8.12.0-dev+exp,true,email,email.attachments.file.hash.sha512,keyword,extended,,,SHA512 hash. +8.12.0-dev+exp,true,email,email.attachments.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.12.0-dev+exp,true,email,email.attachments.file.hash.tlsh,keyword,extended,,,TLSH hash. +8.12.0-dev+exp,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file. 
+8.12.0-dev+exp,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file. +8.12.0-dev+exp,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size. +8.12.0-dev+exp,true,email,email.bcc.address,keyword,extended,array,bcc.user1@example.com,Email address of BCC recipient +8.12.0-dev+exp,true,email,email.cc.address,keyword,extended,array,cc.user1@example.com,Email address of CC recipient +8.12.0-dev+exp,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message. +8.12.0-dev+exp,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered. +8.12.0-dev+exp,true,email,email.direction,keyword,extended,,inbound,Direction of the message. +8.12.0-dev+exp,true,email,email.from.address,keyword,extended,array,sender@example.com,The sender's email address. +8.12.0-dev+exp,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source. +8.12.0-dev+exp,true,email,email.message_id,wildcard,extended,,81ce15$8r2j59@mail01.example.com,Value from the Message-ID header. +8.12.0-dev+exp,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed. +8.12.0-dev+exp,true,email,email.reply_to.address,keyword,extended,array,reply.here@example.com,Address replies should be delivered to. +8.12.0-dev+exp,true,email,email.sender.address,keyword,extended,,,Address of the message sender. +8.12.0-dev+exp,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message. +8.12.0-dev+exp,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. 
+8.12.0-dev+exp,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient +8.12.0-dev+exp,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. +8.12.0-dev+exp,true,error,error.code,keyword,core,,,Error code describing the error. +8.12.0-dev+exp,true,error,error.id,keyword,core,,,Unique identifier for the error. +8.12.0-dev+exp,true,error,error.message,match_only_text,core,,,Error message. +8.12.0-dev+exp,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. +8.12.0-dev+exp,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text. +8.12.0-dev+exp,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." +8.12.0-dev+exp,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. +8.12.0-dev+exp,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. +8.12.0-dev+exp,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. +8.12.0-dev+exp,true,event,event.code,keyword,extended,,4648,Identification code for this event. +8.12.0-dev+exp,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. +8.12.0-dev+exp,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. +8.12.0-dev+exp,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. +8.12.0-dev+exp,true,event,event.end,date,extended,,,`event.end` contains the date when the event ended or when the activity was last observed. +8.12.0-dev+exp,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. 
+8.12.0-dev+exp,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. +8.12.0-dev+exp,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. +8.12.0-dev+exp,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. +8.12.0-dev+exp,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. +8.12.0-dev+exp,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +8.12.0-dev+exp,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. +8.12.0-dev+exp,true,event,event.provider,keyword,extended,,kernel,Source of the event. +8.12.0-dev+exp,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" +8.12.0-dev+exp,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL +8.12.0-dev+exp,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +8.12.0-dev+exp,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). +8.12.0-dev+exp,true,event,event.sequence,long,extended,,,Sequence number of the event. +8.12.0-dev+exp,true,event,event.severity,long,core,,7,Numeric severity of the event. +8.12.0-dev+exp,true,event,event.start,date,extended,,,`event.start` contains the date when the event started or when the activity was first observed. +8.12.0-dev+exp,true,event,event.timezone,keyword,extended,,,Event time zone. +8.12.0-dev+exp,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. 
+8.12.0-dev+exp,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL +8.12.0-dev+exp,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function. +8.12.0-dev+exp,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. +8.12.0-dev+exp,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. +8.12.0-dev+exp,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. +8.12.0-dev+exp,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." +8.12.0-dev+exp,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. +8.12.0-dev+exp,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. +8.12.0-dev+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed. +8.12.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +8.12.0-dev+exp,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.12.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.12.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
+8.12.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.12.0-dev+exp,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.12.0-dev+exp,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.12.0-dev+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.12.0-dev+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.12.0-dev+exp,true,file,file.created,date,extended,,,File creation time. +8.12.0-dev+exp,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. +8.12.0-dev+exp,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. +8.12.0-dev+exp,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. +8.12.0-dev+exp,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +8.12.0-dev+exp,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.12.0-dev+exp,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.12.0-dev+exp,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.12.0-dev+exp,true,file,file.elf.creation_date,date,extended,,,Build or compile date. +8.12.0-dev+exp,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. +8.12.0-dev+exp,true,file,file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.12.0-dev+exp,true,file,file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. 
+8.12.0-dev+exp,true,file,file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.12.0-dev+exp,true,file,file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.12.0-dev+exp,true,file,file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.12.0-dev+exp,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.12.0-dev+exp,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.12.0-dev+exp,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.12.0-dev+exp,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.12.0-dev+exp,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.12.0-dev+exp,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.12.0-dev+exp,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.12.0-dev+exp,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. +8.12.0-dev+exp,true,file,file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.12.0-dev+exp,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. +8.12.0-dev+exp,true,file,file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev+exp,true,file,file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev+exp,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. 
+8.12.0-dev+exp,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.12.0-dev+exp,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.12.0-dev+exp,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.12.0-dev+exp,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. +8.12.0-dev+exp,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.12.0-dev+exp,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.12.0-dev+exp,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.12.0-dev+exp,true,file,file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.12.0-dev+exp,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.12.0-dev+exp,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.12.0-dev+exp,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. +8.12.0-dev+exp,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.12.0-dev+exp,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. +8.12.0-dev+exp,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.12.0-dev+exp,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.12.0-dev+exp,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +8.12.0-dev+exp,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +8.12.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +8.12.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file. 
+8.12.0-dev+exp,true,file,file.hash.md5,keyword,extended,,,MD5 hash. +8.12.0-dev+exp,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. +8.12.0-dev+exp,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. +8.12.0-dev+exp,true,file,file.hash.sha384,keyword,extended,,,SHA384 hash. +8.12.0-dev+exp,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. +8.12.0-dev+exp,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.12.0-dev+exp,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. +8.12.0-dev+exp,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +8.12.0-dev+exp,true,file,file.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +8.12.0-dev+exp,true,file,file.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.12.0-dev+exp,true,file,file.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.12.0-dev+exp,true,file,file.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.12.0-dev+exp,true,file,file.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.12.0-dev+exp,true,file,file.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +8.12.0-dev+exp,true,file,file.macho.imports,flattened,extended,array,,List of imported element names and types. +8.12.0-dev+exp,true,file,file.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev+exp,true,file,file.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev+exp,true,file,file.macho.sections,nested,extended,array,,Section information of the Mach-O file. 
+8.12.0-dev+exp,true,file,file.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.12.0-dev+exp,true,file,file.macho.sections.name,keyword,extended,,,Mach-O Section List name. +8.12.0-dev+exp,true,file,file.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +8.12.0-dev+exp,true,file,file.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.12.0-dev+exp,true,file,file.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +8.12.0-dev+exp,true,file,file.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +8.12.0-dev+exp,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +8.12.0-dev+exp,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. +8.12.0-dev+exp,true,file,file.mtime,date,extended,,,Last time the file content was modified. +8.12.0-dev+exp,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +8.12.0-dev+exp,true,file,file.owner,keyword,extended,,alice,File owner's username. +8.12.0-dev+exp,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.12.0-dev+exp,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.12.0-dev+exp,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.12.0-dev+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.12.0-dev+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 
+8.12.0-dev+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.12.0-dev+exp,true,file,file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +8.12.0-dev+exp,true,file,file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.12.0-dev+exp,true,file,file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.12.0-dev+exp,true,file,file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.12.0-dev+exp,true,file,file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.12.0-dev+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.12.0-dev+exp,true,file,file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.12.0-dev+exp,true,file,file.pe.imports,flattened,extended,array,,List of imported element names and types. +8.12.0-dev+exp,true,file,file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev+exp,true,file,file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev+exp,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.12.0-dev+exp,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.12.0-dev+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 
+8.12.0-dev+exp,true,file,file.pe.sections,nested,extended,array,,Section information of the PE file. +8.12.0-dev+exp,true,file,file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.12.0-dev+exp,true,file,file.pe.sections.name,keyword,extended,,,PE Section List name. +8.12.0-dev+exp,true,file,file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.12.0-dev+exp,true,file,file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.12.0-dev+exp,true,file,file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.12.0-dev+exp,true,file,file.size,long,extended,,16384,File size in bytes. +8.12.0-dev+exp,true,file,file.target_path,keyword,extended,,,Target path for symlinks. +8.12.0-dev+exp,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. +8.12.0-dev+exp,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +8.12.0-dev+exp,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +8.12.0-dev+exp,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.12.0-dev+exp,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.12.0-dev+exp,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.12.0-dev+exp,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
+8.12.0-dev+exp,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.12.0-dev+exp,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.12.0-dev+exp,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.12.0-dev+exp,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.12.0-dev+exp,true,file,file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.12.0-dev+exp,true,file,file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.12.0-dev+exp,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.12.0-dev+exp,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.12.0-dev+exp,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.12.0-dev+exp,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.12.0-dev+exp,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.12.0-dev+exp,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.12.0-dev+exp,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
+8.12.0-dev+exp,true,file,file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.12.0-dev+exp,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.12.0-dev+exp,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.12.0-dev+exp,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.12.0-dev+exp,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.12.0-dev+exp,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.12.0-dev+exp,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. +8.12.0-dev+exp,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.12.0-dev+exp,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev+exp,true,group,group.name,keyword,extended,,,Name of the group. +8.12.0-dev+exp,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. +8.12.0-dev+exp,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id +8.12.0-dev+exp,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +8.12.0-dev+exp,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +8.12.0-dev+exp,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +8.12.0-dev+exp,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. +8.12.0-dev+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name. 
+8.12.0-dev+exp,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. +8.12.0-dev+exp,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. +8.12.0-dev+exp,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.12.0-dev+exp,true,host,host.geo.country_name,keyword,core,,Canada,Country name. +8.12.0-dev+exp,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.12.0-dev+exp,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.12.0-dev+exp,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. +8.12.0-dev+exp,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.12.0-dev+exp,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. +8.12.0-dev+exp,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.12.0-dev+exp,true,host,host.hostname,keyword,core,,,Hostname of the host. +8.12.0-dev+exp,true,host,host.id,keyword,core,,,Unique host id. +8.12.0-dev+exp,true,host,host.ip,ip,core,array,,Host ip addresses. +8.12.0-dev+exp,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. +8.12.0-dev+exp,true,host,host.name,keyword,core,,,Name of the host. +8.12.0-dev+exp,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +8.12.0-dev+exp,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. +8.12.0-dev+exp,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +8.12.0-dev+exp,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. +8.12.0-dev+exp,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 
+8.12.0-dev+exp,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.12.0-dev+exp,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.12.0-dev+exp,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +8.12.0-dev+exp,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +8.12.0-dev+exp,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +8.12.0-dev+exp,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +8.12.0-dev+exp,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +8.12.0-dev+exp,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +8.12.0-dev+exp,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode +8.12.0-dev+exp,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.12.0-dev+exp,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.12.0-dev+exp,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.12.0-dev+exp,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 
+8.12.0-dev+exp,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.12.0-dev+exp,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +8.12.0-dev+exp,true,host,host.type,keyword,core,,,Type of host. +8.12.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. +8.12.0-dev+exp,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. +8.12.0-dev+exp,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. +8.12.0-dev+exp,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body. +8.12.0-dev+exp,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). +8.12.0-dev+exp,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. +8.12.0-dev+exp,true,http,http.request.method,keyword,extended,,POST,HTTP request method. +8.12.0-dev+exp,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. +8.12.0-dev+exp,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. +8.12.0-dev+exp,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. +8.12.0-dev+exp,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. +8.12.0-dev+exp,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body. +8.12.0-dev+exp,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). +8.12.0-dev+exp,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. 
+8.12.0-dev+exp,true,http,http.response.status_code,long,extended,,404,HTTP response status code. +8.12.0-dev+exp,true,http,http.version,keyword,extended,,1.1,HTTP version. +8.12.0-dev+exp,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. +8.12.0-dev+exp,true,log,log.level,keyword,core,,error,Log level of the log event. +8.12.0-dev+exp,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. +8.12.0-dev+exp,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event. +8.12.0-dev+exp,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. +8.12.0-dev+exp,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. +8.12.0-dev+exp,true,log,log.syslog,object,extended,,,Syslog metadata +8.12.0-dev+exp,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. +8.12.0-dev+exp,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. +8.12.0-dev+exp,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. +8.12.0-dev+exp,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. +8.12.0-dev+exp,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. +8.12.0-dev+exp,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. +8.12.0-dev+exp,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. +8.12.0-dev+exp,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. +8.12.0-dev+exp,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. 
+8.12.0-dev+exp,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages. +8.12.0-dev+exp,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. +8.12.0-dev+exp,true,network,network.application,keyword,extended,,aim,Application level protocol name. +8.12.0-dev+exp,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. +8.12.0-dev+exp,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. +8.12.0-dev+exp,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. +8.12.0-dev+exp,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. +8.12.0-dev+exp,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. +8.12.0-dev+exp,true,network,network.inner,object,extended,,,Inner VLAN tag information +8.12.0-dev+exp,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.12.0-dev+exp,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.12.0-dev+exp,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. +8.12.0-dev+exp,true,network,network.packets,long,core,,24,Total packets transferred in both directions. +8.12.0-dev+exp,true,network,network.protocol,keyword,core,,http,Application protocol name. +8.12.0-dev+exp,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. +8.12.0-dev+exp,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" +8.12.0-dev+exp,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. 
+8.12.0-dev+exp,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.12.0-dev+exp,true,observer,observer.egress,object,extended,,,Object field for egress information +8.12.0-dev+exp,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias +8.12.0-dev+exp,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID +8.12.0-dev+exp,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name +8.12.0-dev+exp,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.12.0-dev+exp,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.12.0-dev+exp,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone +8.12.0-dev+exp,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. +8.12.0-dev+exp,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. +8.12.0-dev+exp,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. +8.12.0-dev+exp,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.12.0-dev+exp,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. +8.12.0-dev+exp,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.12.0-dev+exp,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.12.0-dev+exp,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. +8.12.0-dev+exp,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.12.0-dev+exp,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. +8.12.0-dev+exp,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 
+8.12.0-dev+exp,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. +8.12.0-dev+exp,true,observer,observer.ingress,object,extended,,,Object field for ingress information +8.12.0-dev+exp,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias +8.12.0-dev+exp,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID +8.12.0-dev+exp,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name +8.12.0-dev+exp,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.12.0-dev+exp,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.12.0-dev+exp,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone +8.12.0-dev+exp,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. +8.12.0-dev+exp,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. +8.12.0-dev+exp,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. +8.12.0-dev+exp,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +8.12.0-dev+exp,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.12.0-dev+exp,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.12.0-dev+exp,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +8.12.0-dev+exp,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +8.12.0-dev+exp,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." 
+8.12.0-dev+exp,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +8.12.0-dev+exp,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +8.12.0-dev+exp,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +8.12.0-dev+exp,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. +8.12.0-dev+exp,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. +8.12.0-dev+exp,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. +8.12.0-dev+exp,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. +8.12.0-dev+exp,true,observer,observer.version,keyword,core,,,Observer version. +8.12.0-dev+exp,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action +8.12.0-dev+exp,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster. +8.12.0-dev+exp,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster. +8.12.0-dev+exp,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster. +8.12.0-dev+exp,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. +8.12.0-dev+exp,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. +8.12.0-dev+exp,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). +8.12.0-dev+exp,true,orchestrator,orchestrator.resource.annotation,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of annotations added to the resource. 
+8.12.0-dev+exp,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. +8.12.0-dev+exp,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. +8.12.0-dev+exp,true,orchestrator,orchestrator.resource.label,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of labels added to the resource. +8.12.0-dev+exp,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. +8.12.0-dev+exp,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. +8.12.0-dev+exp,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. +8.12.0-dev+exp,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)." +8.12.0-dev+exp,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. +8.12.0-dev+exp,true,organization,organization.name,keyword,extended,,,Organization name. +8.12.0-dev+exp,true,organization,organization.name.text,match_only_text,extended,,,Organization name. +8.12.0-dev+exp,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. +8.12.0-dev+exp,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information +8.12.0-dev+exp,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. +8.12.0-dev+exp,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. 
+8.12.0-dev+exp,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." +8.12.0-dev+exp,true,package,package.installed,date,extended,,,Time when package was installed. +8.12.0-dev+exp,true,package,package.license,keyword,extended,,Apache License 2.0,Package license +8.12.0-dev+exp,true,package,package.name,keyword,extended,,go,Package name +8.12.0-dev+exp,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. +8.12.0-dev+exp,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL +8.12.0-dev+exp,true,package,package.size,long,extended,,62231,Package size in bytes. +8.12.0-dev+exp,true,package,package.type,keyword,extended,,rpm,Package type +8.12.0-dev+exp,true,package,package.version,keyword,extended,,1.12.9,Package version +8.12.0-dev+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.12.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array. +8.12.0-dev+exp,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.12.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.12.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.12.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.12.0-dev+exp,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 
+8.12.0-dev+exp,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.12.0-dev+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.12.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.12.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.12.0-dev+exp,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.12.0-dev+exp,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.12.0-dev+exp,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.12.0-dev+exp,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.12.0-dev+exp,true,process,process.elf.creation_date,date,extended,,,Build or compile date. +8.12.0-dev+exp,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. +8.12.0-dev+exp,true,process,process.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.12.0-dev+exp,true,process,process.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.12.0-dev+exp,true,process,process.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.12.0-dev+exp,true,process,process.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.12.0-dev+exp,true,process,process.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
+8.12.0-dev+exp,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.12.0-dev+exp,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.12.0-dev+exp,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.12.0-dev+exp,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.12.0-dev+exp,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.12.0-dev+exp,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.12.0-dev+exp,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.12.0-dev+exp,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. +8.12.0-dev+exp,true,process,process.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.12.0-dev+exp,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. +8.12.0-dev+exp,true,process,process.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev+exp,true,process,process.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev+exp,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. +8.12.0-dev+exp,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.12.0-dev+exp,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.12.0-dev+exp,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. 
+8.12.0-dev+exp,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. +8.12.0-dev+exp,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.12.0-dev+exp,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.12.0-dev+exp,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. +8.12.0-dev+exp,true,process,process.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.12.0-dev+exp,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.12.0-dev+exp,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.12.0-dev+exp,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. +8.12.0-dev+exp,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.12.0-dev+exp,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. +8.12.0-dev+exp,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.12.0-dev+exp,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.12.0-dev+exp,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +8.12.0-dev+exp,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.12.0-dev+exp,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.12.0-dev+exp,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. +8.12.0-dev+exp,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group. 
+8.12.0-dev+exp,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev+exp,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,process,process.entry_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.12.0-dev+exp,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.12.0-dev+exp,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.12.0-dev+exp,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. +8.12.0-dev+exp,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. +8.12.0-dev+exp,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.12.0-dev+exp,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.12.0-dev+exp,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev+exp,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. +8.12.0-dev+exp,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.12.0-dev+exp,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. +8.12.0-dev+exp,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. 
+8.12.0-dev+exp,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.12.0-dev+exp,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. +8.12.0-dev+exp,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.12.0-dev+exp,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. +8.12.0-dev+exp,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.12.0-dev+exp,true,process,process.entry_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. +8.12.0-dev+exp,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.12.0-dev+exp,true,process,process.entry_leader.parent.vpid,long,core,,4242,Virtual process id. +8.12.0-dev+exp,true,process,process.entry_leader.pid,long,core,,4242,Process id. +8.12.0-dev+exp,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev+exp,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. +8.12.0-dev+exp,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev+exp,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. 
+8.12.0-dev+exp,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev+exp,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. +8.12.0-dev+exp,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev+exp,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.12.0-dev+exp,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev+exp,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +8.12.0-dev+exp,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. +8.12.0-dev+exp,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.12.0-dev+exp,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.12.0-dev+exp,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev+exp,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,process,process.entry_leader.vpid,long,core,,4242,Virtual process id. 
+8.12.0-dev+exp,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.12.0-dev+exp,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.12.0-dev+exp,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. +8.12.0-dev+exp,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.12.0-dev+exp,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.12.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process. +8.12.0-dev+exp,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.12.0-dev+exp,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. +8.12.0-dev+exp,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.12.0-dev+exp,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.12.0-dev+exp,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.12.0-dev+exp,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.12.0-dev+exp,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.12.0-dev+exp,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+8.12.0-dev+exp,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. +8.12.0-dev+exp,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.12.0-dev+exp,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. +8.12.0-dev+exp,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. +8.12.0-dev+exp,true,process,process.group_leader.pid,long,core,,4242,Process id. +8.12.0-dev+exp,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev+exp,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. +8.12.0-dev+exp,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev+exp,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +8.12.0-dev+exp,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev+exp,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. +8.12.0-dev+exp,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev+exp,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. 
+8.12.0-dev+exp,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.12.0-dev+exp,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev+exp,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +8.12.0-dev+exp,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. +8.12.0-dev+exp,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.12.0-dev+exp,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.12.0-dev+exp,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev+exp,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,process,process.group_leader.vpid,long,core,,4242,Virtual process id. +8.12.0-dev+exp,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.12.0-dev+exp,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.12.0-dev+exp,true,process,process.hash.md5,keyword,extended,,,MD5 hash. +8.12.0-dev+exp,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. +8.12.0-dev+exp,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. +8.12.0-dev+exp,true,process,process.hash.sha384,keyword,extended,,,SHA384 hash. 
+8.12.0-dev+exp,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. +8.12.0-dev+exp,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.12.0-dev+exp,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. +8.12.0-dev+exp,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.12.0-dev+exp,true,process,process.io,object,extended,,,A chunk of input or output (IO) from a single process. +8.12.0-dev+exp,true,process,process.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. +8.12.0-dev+exp,true,process,process.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. +8.12.0-dev+exp,true,process,process.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. +8.12.0-dev+exp,true,process,process.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." +8.12.0-dev+exp,true,process,process.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. +8.12.0-dev+exp,true,process,process.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. +8.12.0-dev+exp,true,process,process.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. +8.12.0-dev+exp,true,process,process.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. +8.12.0-dev+exp,true,process,process.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +8.12.0-dev+exp,true,process,process.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. 
+8.12.0-dev+exp,true,process,process.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.12.0-dev+exp,true,process,process.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.12.0-dev+exp,true,process,process.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.12.0-dev+exp,true,process,process.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +8.12.0-dev+exp,true,process,process.macho.imports,flattened,extended,array,,List of imported element names and types. +8.12.0-dev+exp,true,process,process.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev+exp,true,process,process.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev+exp,true,process,process.macho.sections,nested,extended,array,,Section information of the Mach-O file. +8.12.0-dev+exp,true,process,process.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.12.0-dev+exp,true,process,process.macho.sections.name,keyword,extended,,,Mach-O Section List name. +8.12.0-dev+exp,true,process,process.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +8.12.0-dev+exp,true,process,process.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.12.0-dev+exp,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +8.12.0-dev+exp,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. 
+8.12.0-dev+exp,true,process,process.name,keyword,extended,,ssh,Process name. +8.12.0-dev+exp,true,process,process.name.text,match_only_text,extended,,ssh,Process name. +8.12.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.12.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. +8.12.0-dev+exp,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.12.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.12.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.12.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.12.0-dev+exp,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.12.0-dev+exp,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.12.0-dev+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.12.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.12.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
+8.12.0-dev+exp,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.12.0-dev+exp,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.12.0-dev+exp,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.12.0-dev+exp,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.12.0-dev+exp,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. +8.12.0-dev+exp,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. +8.12.0-dev+exp,true,process,process.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.12.0-dev+exp,true,process,process.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.12.0-dev+exp,true,process,process.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.12.0-dev+exp,true,process,process.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.12.0-dev+exp,true,process,process.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.12.0-dev+exp,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.12.0-dev+exp,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.12.0-dev+exp,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.12.0-dev+exp,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. 
+8.12.0-dev+exp,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.12.0-dev+exp,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.12.0-dev+exp,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.12.0-dev+exp,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. +8.12.0-dev+exp,true,process,process.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.12.0-dev+exp,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. +8.12.0-dev+exp,true,process,process.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev+exp,true,process,process.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev+exp,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. +8.12.0-dev+exp,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.12.0-dev+exp,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.12.0-dev+exp,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.12.0-dev+exp,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. +8.12.0-dev+exp,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.12.0-dev+exp,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. 
+8.12.0-dev+exp,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. +8.12.0-dev+exp,true,process,process.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.12.0-dev+exp,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.12.0-dev+exp,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.12.0-dev+exp,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. +8.12.0-dev+exp,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.12.0-dev+exp,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. +8.12.0-dev+exp,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.12.0-dev+exp,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.12.0-dev+exp,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +8.12.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.12.0-dev+exp,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.12.0-dev+exp,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.12.0-dev+exp,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. +8.12.0-dev+exp,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev+exp,true,process,process.parent.group.name,keyword,extended,,,Name of the group. 
+8.12.0-dev+exp,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.12.0-dev+exp,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. +8.12.0-dev+exp,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.12.0-dev+exp,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id. +8.12.0-dev+exp,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. +8.12.0-dev+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. +8.12.0-dev+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. +8.12.0-dev+exp,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash. +8.12.0-dev+exp,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. +8.12.0-dev+exp,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.12.0-dev+exp,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. +8.12.0-dev+exp,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.12.0-dev+exp,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +8.12.0-dev+exp,true,process,process.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.12.0-dev+exp,true,process,process.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.12.0-dev+exp,true,process,process.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.12.0-dev+exp,true,process,process.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
+8.12.0-dev+exp,true,process,process.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +8.12.0-dev+exp,true,process,process.parent.macho.imports,flattened,extended,array,,List of imported element names and types. +8.12.0-dev+exp,true,process,process.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev+exp,true,process,process.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev+exp,true,process,process.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file. +8.12.0-dev+exp,true,process,process.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.12.0-dev+exp,true,process,process.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name. +8.12.0-dev+exp,true,process,process.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +8.12.0-dev+exp,true,process,process.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.12.0-dev+exp,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +8.12.0-dev+exp,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +8.12.0-dev+exp,true,process,process.parent.name,keyword,extended,,ssh,Process name. +8.12.0-dev+exp,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. +8.12.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 
+8.12.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.12.0-dev+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.12.0-dev+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.12.0-dev+exp,true,process,process.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +8.12.0-dev+exp,true,process,process.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.12.0-dev+exp,true,process,process.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.12.0-dev+exp,true,process,process.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.12.0-dev+exp,true,process,process.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.12.0-dev+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.12.0-dev+exp,true,process,process.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.12.0-dev+exp,true,process,process.parent.pe.imports,flattened,extended,array,,List of imported element names and types. +8.12.0-dev+exp,true,process,process.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev+exp,true,process,process.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
+8.12.0-dev+exp,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.12.0-dev+exp,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.12.0-dev+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.12.0-dev+exp,true,process,process.parent.pe.sections,nested,extended,array,,Section information of the PE file. +8.12.0-dev+exp,true,process,process.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.12.0-dev+exp,true,process,process.parent.pe.sections.name,keyword,extended,,,PE Section List name. +8.12.0-dev+exp,true,process,process.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.12.0-dev+exp,true,process,process.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.12.0-dev+exp,true,process,process.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.12.0-dev+exp,true,process,process.parent.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. +8.12.0-dev+exp,true,process,process.parent.pid,long,core,,4242,Process id. +8.12.0-dev+exp,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev+exp,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. +8.12.0-dev+exp,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev+exp,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. 
+8.12.0-dev+exp,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev+exp,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group. +8.12.0-dev+exp,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev+exp,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.12.0-dev+exp,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev+exp,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. +8.12.0-dev+exp,true,process,process.parent.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +8.12.0-dev+exp,true,process,process.parent.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. +8.12.0-dev+exp,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. +8.12.0-dev+exp,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. +8.12.0-dev+exp,true,process,process.parent.title,keyword,extended,,,Process title. +8.12.0-dev+exp,true,process,process.parent.title.text,match_only_text,extended,,,Process title. +8.12.0-dev+exp,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. 
+8.12.0-dev+exp,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.12.0-dev+exp,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.12.0-dev+exp,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. +8.12.0-dev+exp,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev+exp,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,process,process.parent.vpid,long,core,,4242,Virtual process id. +8.12.0-dev+exp,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.12.0-dev+exp,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.12.0-dev+exp,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.12.0-dev+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.12.0-dev+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.12.0-dev+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.12.0-dev+exp,true,process,process.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +8.12.0-dev+exp,true,process,process.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. 
+8.12.0-dev+exp,true,process,process.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.12.0-dev+exp,true,process,process.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.12.0-dev+exp,true,process,process.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.12.0-dev+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.12.0-dev+exp,true,process,process.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.12.0-dev+exp,true,process,process.pe.imports,flattened,extended,array,,List of imported element names and types. +8.12.0-dev+exp,true,process,process.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev+exp,true,process,process.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev+exp,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.12.0-dev+exp,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.12.0-dev+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.12.0-dev+exp,true,process,process.pe.sections,nested,extended,array,,Section information of the PE file. +8.12.0-dev+exp,true,process,process.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.12.0-dev+exp,true,process,process.pe.sections.name,keyword,extended,,,PE Section List name. 
+8.12.0-dev+exp,true,process,process.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.12.0-dev+exp,true,process,process.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.12.0-dev+exp,true,process,process.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.12.0-dev+exp,true,process,process.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. +8.12.0-dev+exp,true,process,process.pid,long,core,,4242,Process id. +8.12.0-dev+exp,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.12.0-dev+exp,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. +8.12.0-dev+exp,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.12.0-dev+exp,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.12.0-dev+exp,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev+exp,true,process,process.real_group.name,keyword,extended,,,Name of the group. +8.12.0-dev+exp,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev+exp,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev+exp,true,process,process.saved_group.name,keyword,extended,,,Name of the group. 
+8.12.0-dev+exp,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev+exp,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.12.0-dev+exp,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array. +8.12.0-dev+exp,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.12.0-dev+exp,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.12.0-dev+exp,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.12.0-dev+exp,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.12.0-dev+exp,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.12.0-dev+exp,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev+exp,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. +8.12.0-dev+exp,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.12.0-dev+exp,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. +8.12.0-dev+exp,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. 
+8.12.0-dev+exp,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.12.0-dev+exp,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. +8.12.0-dev+exp,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.12.0-dev+exp,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. +8.12.0-dev+exp,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.12.0-dev+exp,true,process,process.session_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. +8.12.0-dev+exp,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.12.0-dev+exp,true,process,process.session_leader.parent.vpid,long,core,,4242,Virtual process id. +8.12.0-dev+exp,true,process,process.session_leader.pid,long,core,,4242,Process id. +8.12.0-dev+exp,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev+exp,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. +8.12.0-dev+exp,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev+exp,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. 
+8.12.0-dev+exp,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev+exp,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group. +8.12.0-dev+exp,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev+exp,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.12.0-dev+exp,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev+exp,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +8.12.0-dev+exp,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. +8.12.0-dev+exp,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.12.0-dev+exp,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.12.0-dev+exp,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev+exp,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,process,process.session_leader.vpid,long,core,,4242,Virtual process id. 
+8.12.0-dev+exp,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.12.0-dev+exp,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.12.0-dev+exp,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.12.0-dev+exp,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev+exp,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. +8.12.0-dev+exp,true,process,process.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +8.12.0-dev+exp,true,process,process.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. +8.12.0-dev+exp,true,process,process.thread.id,long,extended,,4242,Thread ID. +8.12.0-dev+exp,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. +8.12.0-dev+exp,true,process,process.title,keyword,extended,,,Process title. +8.12.0-dev+exp,true,process,process.title.text,match_only_text,extended,,,Process title. +8.12.0-dev+exp,true,process,process.tty,object,extended,,,Information about the controlling TTY device. +8.12.0-dev+exp,true,process,process.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.12.0-dev+exp,true,process,process.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.12.0-dev+exp,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width +8.12.0-dev+exp,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. 
e.g terminal height +8.12.0-dev+exp,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. +8.12.0-dev+exp,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev+exp,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,process,process.vpid,long,core,,4242,Virtual process id. +8.12.0-dev+exp,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.12.0-dev+exp,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.12.0-dev+exp,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +8.12.0-dev+exp,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +8.12.0-dev+exp,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +8.12.0-dev+exp,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +8.12.0-dev+exp,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +8.12.0-dev+exp,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +8.12.0-dev+exp,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. +8.12.0-dev+exp,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. 
+8.12.0-dev+exp,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. +8.12.0-dev+exp,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. +8.12.0-dev+exp,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. +8.12.0-dev+exp,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author +8.12.0-dev+exp,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category +8.12.0-dev+exp,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description +8.12.0-dev+exp,true,rule,rule.id,keyword,extended,,101,Rule ID +8.12.0-dev+exp,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license +8.12.0-dev+exp,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name +8.12.0-dev+exp,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL +8.12.0-dev+exp,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset +8.12.0-dev+exp,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID +8.12.0-dev+exp,true,rule,rule.version,keyword,extended,,1.1,Rule version +8.12.0-dev+exp,true,server,server.address,keyword,extended,,,Server network address. +8.12.0-dev+exp,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.12.0-dev+exp,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.12.0-dev+exp,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.12.0-dev+exp,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. +8.12.0-dev+exp,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server. +8.12.0-dev+exp,true,server,server.geo.city_name,keyword,core,,Montreal,City name. 
+8.12.0-dev+exp,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. +8.12.0-dev+exp,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. +8.12.0-dev+exp,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.12.0-dev+exp,true,server,server.geo.country_name,keyword,core,,Canada,Country name. +8.12.0-dev+exp,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.12.0-dev+exp,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.12.0-dev+exp,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. +8.12.0-dev+exp,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.12.0-dev+exp,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. +8.12.0-dev+exp,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.12.0-dev+exp,true,server,server.ip,ip,core,,,IP address of the server. +8.12.0-dev+exp,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. +8.12.0-dev+exp,true,server,server.nat.ip,ip,extended,,,Server NAT ip +8.12.0-dev+exp,true,server,server.nat.port,long,extended,,,Server NAT port +8.12.0-dev+exp,true,server,server.packets,long,core,,12,Packets sent from the server to the client. +8.12.0-dev+exp,true,server,server.port,long,core,,,Port of the server. +8.12.0-dev+exp,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." +8.12.0-dev+exp,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. +8.12.0-dev+exp,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.12.0-dev+exp,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. 
+8.12.0-dev+exp,true,server,server.user.email,keyword,extended,,,User email address. +8.12.0-dev+exp,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.12.0-dev+exp,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.12.0-dev+exp,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.12.0-dev+exp,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev+exp,true,server,server.user.group.name,keyword,extended,,,Name of the group. +8.12.0-dev+exp,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.12.0-dev+exp,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev+exp,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.12.0-dev+exp,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. +8.12.0-dev+exp,true,service,service.environment,keyword,extended,,production,Environment of the service. +8.12.0-dev+exp,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +8.12.0-dev+exp,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +8.12.0-dev+exp,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. +8.12.0-dev+exp,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. 
+8.12.0-dev+exp,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +8.12.0-dev+exp,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +8.12.0-dev+exp,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. +8.12.0-dev+exp,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. +8.12.0-dev+exp,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +8.12.0-dev+exp,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +8.12.0-dev+exp,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. +8.12.0-dev+exp,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. +8.12.0-dev+exp,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +8.12.0-dev+exp,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +8.12.0-dev+exp,true,service,service.origin.state,keyword,core,,,Current state of the service. +8.12.0-dev+exp,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. +8.12.0-dev+exp,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. +8.12.0-dev+exp,true,service,service.state,keyword,core,,,Current state of the service. +8.12.0-dev+exp,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service. +8.12.0-dev+exp,true,service,service.target.environment,keyword,extended,,production,Environment of the service. +8.12.0-dev+exp,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. 
+8.12.0-dev+exp,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +8.12.0-dev+exp,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. +8.12.0-dev+exp,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. +8.12.0-dev+exp,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +8.12.0-dev+exp,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +8.12.0-dev+exp,true,service,service.target.state,keyword,core,,,Current state of the service. +8.12.0-dev+exp,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. +8.12.0-dev+exp,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. +8.12.0-dev+exp,true,service,service.type,keyword,core,,elasticsearch,The type of the service. +8.12.0-dev+exp,true,service,service.version,keyword,core,,3.2.4,Version of the service. +8.12.0-dev+exp,true,source,source.address,keyword,extended,,,Source network address. +8.12.0-dev+exp,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.12.0-dev+exp,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.12.0-dev+exp,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.12.0-dev+exp,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. +8.12.0-dev+exp,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source. +8.12.0-dev+exp,true,source,source.geo.city_name,keyword,core,,Montreal,City name. +8.12.0-dev+exp,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. 
+8.12.0-dev+exp,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. +8.12.0-dev+exp,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.12.0-dev+exp,true,source,source.geo.country_name,keyword,core,,Canada,Country name. +8.12.0-dev+exp,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.12.0-dev+exp,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.12.0-dev+exp,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. +8.12.0-dev+exp,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.12.0-dev+exp,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. +8.12.0-dev+exp,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.12.0-dev+exp,true,source,source.ip,ip,core,,,IP address of the source. +8.12.0-dev+exp,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +8.12.0-dev+exp,true,source,source.nat.ip,ip,extended,,,Source NAT ip +8.12.0-dev+exp,true,source,source.nat.port,long,extended,,,Source NAT port +8.12.0-dev+exp,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. +8.12.0-dev+exp,true,source,source.port,long,core,,,Port of the source. +8.12.0-dev+exp,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +8.12.0-dev+exp,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. +8.12.0-dev+exp,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.12.0-dev+exp,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.12.0-dev+exp,true,source,source.user.email,keyword,extended,,,User email address. 
+8.12.0-dev+exp,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.12.0-dev+exp,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.12.0-dev+exp,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.12.0-dev+exp,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev+exp,true,source,source.user.group.name,keyword,extended,,,Name of the group. +8.12.0-dev+exp,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.12.0-dev+exp,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev+exp,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.12.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. +8.12.0-dev+exp,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. 
+8.12.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 
+8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. 
+8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. 
+8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. 
+8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. 
+8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. 
+8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. 
+8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
+8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. 
+8.12.0-dev+exp,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. 
+8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 
+8.12.0-dev+exp,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.name,keyword,extended,,5.2.75.227,Indicator display name +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. 
+8.12.0-dev+exp,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. 
+8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
+8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.12.0-dev+exp,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. 
+8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. 
+8.12.0-dev+exp,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value +8.12.0-dev+exp,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field +8.12.0-dev+exp,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier +8.12.0-dev+exp,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index +8.12.0-dev+exp,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05T17:00:58.326Z,Date of match +8.12.0-dev+exp,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match +8.12.0-dev+exp,true,threat,threat.feed.dashboard_id,keyword,extended,,5ba16340-72e6-11eb-a3e3-b3cc7c78a70f,Feed dashboard ID. +8.12.0-dev+exp,true,threat,threat.feed.description,keyword,extended,,Threat feed from the AlienVault Open Threat eXchange network.,Description of the threat feed. +8.12.0-dev+exp,true,threat,threat.feed.name,keyword,extended,,AlienVault OTX,Name of the threat feed. +8.12.0-dev+exp,true,threat,threat.feed.reference,keyword,extended,,https://otx.alienvault.com,Reference for the threat feed. +8.12.0-dev+exp,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. +8.12.0-dev+exp,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. +8.12.0-dev+exp,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. +8.12.0-dev+exp,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. +8.12.0-dev+exp,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. +8.12.0-dev+exp,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. 
+8.12.0-dev+exp,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.12.0-dev+exp,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.12.0-dev+exp,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating +8.12.0-dev+exp,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +8.12.0-dev+exp,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +8.12.0-dev+exp,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. +8.12.0-dev+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 
+8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.12.0-dev+exp,true,threat,threat.indicator.file.created,date,extended,,,File creation time. +8.12.0-dev+exp,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +8.12.0-dev+exp,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +8.12.0-dev+exp,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +8.12.0-dev+exp,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +8.12.0-dev+exp,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.12.0-dev+exp,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.12.0-dev+exp,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.12.0-dev+exp,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +8.12.0-dev+exp,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +8.12.0-dev+exp,true,threat,threat.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.12.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.12.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
+8.12.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.12.0-dev+exp,true,threat,threat.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.12.0-dev+exp,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.12.0-dev+exp,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.12.0-dev+exp,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.12.0-dev+exp,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.12.0-dev+exp,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.12.0-dev+exp,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.12.0-dev+exp,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.12.0-dev+exp,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +8.12.0-dev+exp,true,threat,threat.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.12.0-dev+exp,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +8.12.0-dev+exp,true,threat,threat.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev+exp,true,threat,threat.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
+8.12.0-dev+exp,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +8.12.0-dev+exp,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.12.0-dev+exp,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.12.0-dev+exp,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.12.0-dev+exp,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +8.12.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.12.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.12.0-dev+exp,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.12.0-dev+exp,true,threat,threat.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.12.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.12.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.12.0-dev+exp,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. +8.12.0-dev+exp,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.12.0-dev+exp,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +8.12.0-dev+exp,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.12.0-dev+exp,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. 
+8.12.0-dev+exp,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +8.12.0-dev+exp,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +8.12.0-dev+exp,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +8.12.0-dev+exp,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +8.12.0-dev+exp,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. +8.12.0-dev+exp,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. +8.12.0-dev+exp,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. +8.12.0-dev+exp,true,threat,threat.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. +8.12.0-dev+exp,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. +8.12.0-dev+exp,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.12.0-dev+exp,true,threat,threat.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. +8.12.0-dev+exp,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +8.12.0-dev+exp,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +8.12.0-dev+exp,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +8.12.0-dev+exp,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. +8.12.0-dev+exp,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +8.12.0-dev+exp,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. 
+8.12.0-dev+exp,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.12.0-dev+exp,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.12.0-dev+exp,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.12.0-dev+exp,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.12.0-dev+exp,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.12.0-dev+exp,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.12.0-dev+exp,true,threat,threat.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +8.12.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.12.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.12.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.12.0-dev+exp,true,threat,threat.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.12.0-dev+exp,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.12.0-dev+exp,true,threat,threat.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. 
+8.12.0-dev+exp,true,threat,threat.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. +8.12.0-dev+exp,true,threat,threat.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev+exp,true,threat,threat.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev+exp,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.12.0-dev+exp,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.12.0-dev+exp,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.12.0-dev+exp,true,threat,threat.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. +8.12.0-dev+exp,true,threat,threat.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.12.0-dev+exp,true,threat,threat.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. +8.12.0-dev+exp,true,threat,threat.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.12.0-dev+exp,true,threat,threat.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.12.0-dev+exp,true,threat,threat.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.12.0-dev+exp,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. 
+8.12.0-dev+exp,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +8.12.0-dev+exp,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. +8.12.0-dev+exp,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +8.12.0-dev+exp,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +8.12.0-dev+exp,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.12.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.12.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.12.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.12.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.12.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.12.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+8.12.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.12.0-dev+exp,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.12.0-dev+exp,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.12.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.12.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.12.0-dev+exp,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.12.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.12.0-dev+exp,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.12.0-dev+exp,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.12.0-dev+exp,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.12.0-dev+exp,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.12.0-dev+exp,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
+8.12.0-dev+exp,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.12.0-dev+exp,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.12.0-dev+exp,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.12.0-dev+exp,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.12.0-dev+exp,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. +8.12.0-dev+exp,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +8.12.0-dev+exp,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. +8.12.0-dev+exp,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. +8.12.0-dev+exp,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +8.12.0-dev+exp,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.12.0-dev+exp,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. +8.12.0-dev+exp,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.12.0-dev+exp,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.12.0-dev+exp,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. +8.12.0-dev+exp,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.12.0-dev+exp,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. 
+8.12.0-dev+exp,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.12.0-dev+exp,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +8.12.0-dev+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +8.12.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking +8.12.0-dev+exp,true,threat,threat.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version +8.12.0-dev+exp,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. +8.12.0-dev+exp,true,threat,threat.indicator.name,keyword,extended,,5.2.75.227,Indicator display name +8.12.0-dev+exp,true,threat,threat.indicator.port,long,extended,,443,Indicator port +8.12.0-dev+exp,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +8.12.0-dev+exp,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +8.12.0-dev+exp,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +8.12.0-dev+exp,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +8.12.0-dev+exp,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +8.12.0-dev+exp,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +8.12.0-dev+exp,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. 
+8.12.0-dev+exp,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +8.12.0-dev+exp,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. +8.12.0-dev+exp,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics +8.12.0-dev+exp,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed +8.12.0-dev+exp,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +8.12.0-dev+exp,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +8.12.0-dev+exp,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +8.12.0-dev+exp,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +8.12.0-dev+exp,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.12.0-dev+exp,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.12.0-dev+exp,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.12.0-dev+exp,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.12.0-dev+exp,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. +8.12.0-dev+exp,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." 
+8.12.0-dev+exp,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." +8.12.0-dev+exp,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. +8.12.0-dev+exp,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +8.12.0-dev+exp,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +8.12.0-dev+exp,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +8.12.0-dev+exp,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.12.0-dev+exp,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. +8.12.0-dev+exp,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.12.0-dev+exp,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.12.0-dev+exp,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.12.0-dev+exp,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.12.0-dev+exp,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.12.0-dev+exp,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.12.0-dev+exp,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+8.12.0-dev+exp,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.12.0-dev+exp,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.12.0-dev+exp,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.12.0-dev+exp,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.12.0-dev+exp,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.12.0-dev+exp,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.12.0-dev+exp,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.12.0-dev+exp,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.12.0-dev+exp,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.12.0-dev+exp,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.12.0-dev+exp,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.12.0-dev+exp,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
+8.12.0-dev+exp,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.12.0-dev+exp,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.12.0-dev+exp,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.12.0-dev+exp,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.12.0-dev+exp,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. +8.12.0-dev+exp,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software +8.12.0-dev+exp,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software +8.12.0-dev+exp,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. +8.12.0-dev+exp,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. +8.12.0-dev+exp,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. +8.12.0-dev+exp,true,threat,threat.software.type,keyword,extended,,Tool,Software type. +8.12.0-dev+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. +8.12.0-dev+exp,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. +8.12.0-dev+exp,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. +8.12.0-dev+exp,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. +8.12.0-dev+exp,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. 
+8.12.0-dev+exp,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name. +8.12.0-dev+exp,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. +8.12.0-dev+exp,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. +8.12.0-dev+exp,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. +8.12.0-dev+exp,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name. +8.12.0-dev+exp,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. +8.12.0-dev+exp,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. +8.12.0-dev+exp,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. +8.12.0-dev+exp,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. +8.12.0-dev+exp,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. +8.12.0-dev+exp,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. +8.12.0-dev+exp,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. 
+8.12.0-dev+exp,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. +8.12.0-dev+exp,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. +8.12.0-dev+exp,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. +8.12.0-dev+exp,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. +8.12.0-dev+exp,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. +8.12.0-dev+exp,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. +8.12.0-dev+exp,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. +8.12.0-dev+exp,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.12.0-dev+exp,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.12.0-dev+exp,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.12.0-dev+exp,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
+8.12.0-dev+exp,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.12.0-dev+exp,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.12.0-dev+exp,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.12.0-dev+exp,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.12.0-dev+exp,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.12.0-dev+exp,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.12.0-dev+exp,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.12.0-dev+exp,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.12.0-dev+exp,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.12.0-dev+exp,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.12.0-dev+exp,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.12.0-dev+exp,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.12.0-dev+exp,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
+8.12.0-dev+exp,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.12.0-dev+exp,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.12.0-dev+exp,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.12.0-dev+exp,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.12.0-dev+exp,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.12.0-dev+exp,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.12.0-dev+exp,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. +8.12.0-dev+exp,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." +8.12.0-dev+exp,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +8.12.0-dev+exp,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. +8.12.0-dev+exp,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +8.12.0-dev+exp,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. +8.12.0-dev+exp,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. 
+8.12.0-dev+exp,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. +8.12.0-dev+exp,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. +8.12.0-dev+exp,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. +8.12.0-dev+exp,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. +8.12.0-dev+exp,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. +8.12.0-dev+exp,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. +8.12.0-dev+exp,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. +8.12.0-dev+exp,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. +8.12.0-dev+exp,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.12.0-dev+exp,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
+8.12.0-dev+exp,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.12.0-dev+exp,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.12.0-dev+exp,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.12.0-dev+exp,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.12.0-dev+exp,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.12.0-dev+exp,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.12.0-dev+exp,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.12.0-dev+exp,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.12.0-dev+exp,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.12.0-dev+exp,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.12.0-dev+exp,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.12.0-dev+exp,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.12.0-dev+exp,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. 
+8.12.0-dev+exp,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.12.0-dev+exp,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.12.0-dev+exp,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.12.0-dev+exp,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.12.0-dev+exp,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.12.0-dev+exp,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.12.0-dev+exp,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.12.0-dev+exp,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.12.0-dev+exp,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. +8.12.0-dev+exp,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. +8.12.0-dev+exp,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. +8.12.0-dev+exp,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. +8.12.0-dev+exp,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. +8.12.0-dev+exp,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. 
+8.12.0-dev+exp,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +8.12.0-dev+exp,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. +8.12.0-dev+exp,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.12.0-dev+exp,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.12.0-dev+exp,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.12.0-dev+exp,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.12.0-dev+exp,true,url,url.password,keyword,extended,,,Password of the request. +8.12.0-dev+exp,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +8.12.0-dev+exp,true,url,url.port,long,extended,,443,"Port of the request, such as 443." +8.12.0-dev+exp,true,url,url.query,keyword,extended,,,Query string of the request. +8.12.0-dev+exp,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +8.12.0-dev+exp,true,url,url.scheme,keyword,extended,,https,Scheme of the url. +8.12.0-dev+exp,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. +8.12.0-dev+exp,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.12.0-dev+exp,true,url,url.username,keyword,extended,,,Username of the request. +8.12.0-dev+exp,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. +8.12.0-dev+exp,true,user,user.changes.email,keyword,extended,,,User email address. 
+8.12.0-dev+exp,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.12.0-dev+exp,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.12.0-dev+exp,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.12.0-dev+exp,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev+exp,true,user,user.changes.group.name,keyword,extended,,,Name of the group. +8.12.0-dev+exp,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.12.0-dev+exp,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev+exp,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.12.0-dev+exp,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.12.0-dev+exp,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. +8.12.0-dev+exp,true,user,user.effective.email,keyword,extended,,,User email address. +8.12.0-dev+exp,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.12.0-dev+exp,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.12.0-dev+exp,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+8.12.0-dev+exp,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev+exp,true,user,user.effective.group.name,keyword,extended,,,Name of the group. +8.12.0-dev+exp,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.12.0-dev+exp,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev+exp,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.12.0-dev+exp,true,user,user.email,keyword,extended,,,User email address. +8.12.0-dev+exp,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.12.0-dev+exp,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.12.0-dev+exp,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.12.0-dev+exp,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev+exp,true,user,user.group.name,keyword,extended,,,Name of the group. +8.12.0-dev+exp,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.12.0-dev+exp,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev+exp,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
+8.12.0-dev+exp,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.12.0-dev+exp,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.12.0-dev+exp,true,user,user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.12.0-dev+exp,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.12.0-dev+exp,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.12.0-dev+exp,true,user,user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +8.12.0-dev+exp,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.12.0-dev+exp,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. +8.12.0-dev+exp,true,user,user.target.email,keyword,extended,,,User email address. +8.12.0-dev+exp,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.12.0-dev+exp,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.12.0-dev+exp,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.12.0-dev+exp,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev+exp,true,user,user.target.group.name,keyword,extended,,,Name of the group. 
+8.12.0-dev+exp,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.12.0-dev+exp,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev+exp,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev+exp,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.12.0-dev+exp,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. +8.12.0-dev+exp,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. +8.12.0-dev+exp,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +8.12.0-dev+exp,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +8.12.0-dev+exp,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +8.12.0-dev+exp,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.12.0-dev+exp,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.12.0-dev+exp,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. 
+8.12.0-dev+exp,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +8.12.0-dev+exp,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +8.12.0-dev+exp,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +8.12.0-dev+exp,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +8.12.0-dev+exp,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +8.12.0-dev+exp,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. +8.12.0-dev+exp,true,volume,volume.bus_type,keyword,extended,,FileBackedVirtual,Bus type of the device. +8.12.0-dev+exp,true,volume,volume.default_access,keyword,extended,,,Bus type of the device. +8.12.0-dev+exp,true,volume,volume.device_name,keyword,extended,,,Device name of the volume. +8.12.0-dev+exp,true,volume,volume.device_type,keyword,extended,,CD-ROM File System,Volume device type. +8.12.0-dev+exp,true,volume,volume.dos_name,keyword,extended,,E:,DOS name of the device. +8.12.0-dev+exp,true,volume,volume.file_system_type,keyword,extended,,,Volume device file system type. +8.12.0-dev+exp,true,volume,volume.mount_name,keyword,extended,,,Mount name of the volume. +8.12.0-dev+exp,true,volume,volume.nt_name,keyword,extended,,\Device\Cdrom1,NT name of the device. +8.12.0-dev+exp,true,volume,volume.product_id,keyword,extended,,,ProductID of the device. +8.12.0-dev+exp,true,volume,volume.product_name,keyword,extended,,Virtual DVD-ROM,Produce name of the volume. +8.12.0-dev+exp,true,volume,volume.removable,boolean,extended,,,Indicates if the volume is removable. +8.12.0-dev+exp,true,volume,volume.serial_number,keyword,extended,,,Serial number of the device. 
+8.12.0-dev+exp,true,volume,volume.size,long,extended,,,Size of the volume device in bytes. +8.12.0-dev+exp,true,volume,volume.vendor_id,keyword,extended,,,VendorID of the device. +8.12.0-dev+exp,true,volume,volume.vendor_name,keyword,extended,,Msft,Vendor name of the device. +8.12.0-dev+exp,true,volume,volume.writable,boolean,extended,,,Indicates if the volume is writable. +8.12.0-dev+exp,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. +8.12.0-dev+exp,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. +8.12.0-dev+exp,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +8.12.0-dev+exp,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +8.12.0-dev+exp,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. +8.12.0-dev+exp,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. +8.12.0-dev+exp,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. +8.12.0-dev+exp,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. +8.12.0-dev+exp,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. +8.12.0-dev+exp,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. +8.12.0-dev+exp,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. +8.12.0-dev+exp,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. 
+8.12.0-dev+exp,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. +8.12.0-dev+exp,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. diff --git a/experimental/generated/elasticsearch/composable/component/agent.json b/experimental/generated/elasticsearch/composable/component/agent.json index c705b83c61..557ba8eb6e 100644 --- a/experimental/generated/elasticsearch/composable/component/agent.json +++ b/experimental/generated/elasticsearch/composable/component/agent.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/base.json b/experimental/generated/elasticsearch/composable/component/base.json index aca1117d8d..aaf9afefb0 100644 --- a/experimental/generated/elasticsearch/composable/component/base.json +++ b/experimental/generated/elasticsearch/composable/component/base.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/cgroup.json b/experimental/generated/elasticsearch/composable/component/cgroup.json index 051104d805..941bb2191a 100644 --- a/experimental/generated/elasticsearch/composable/component/cgroup.json +++ b/experimental/generated/elasticsearch/composable/component/cgroup.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cgroup.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/client.json b/experimental/generated/elasticsearch/composable/component/client.json index 5126bbcf57..743a9d3dc2 100644 --- a/experimental/generated/elasticsearch/composable/component/client.json +++ b/experimental/generated/elasticsearch/composable/component/client.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/cloud.json b/experimental/generated/elasticsearch/composable/component/cloud.json index 686b49f367..e8ce7e6399 100644 --- a/experimental/generated/elasticsearch/composable/component/cloud.json +++ b/experimental/generated/elasticsearch/composable/component/cloud.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cloud.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/container.json b/experimental/generated/elasticsearch/composable/component/container.json index abde645c63..5a939273fa 100644 --- a/experimental/generated/elasticsearch/composable/component/container.json +++ b/experimental/generated/elasticsearch/composable/component/container.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-container.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/data_stream.json b/experimental/generated/elasticsearch/composable/component/data_stream.json index fb689dbe04..602c2f81d3 100644 --- a/experimental/generated/elasticsearch/composable/component/data_stream.json 
+++ b/experimental/generated/elasticsearch/composable/component/data_stream.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-data_stream.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/destination.json b/experimental/generated/elasticsearch/composable/component/destination.json index 98d8476de0..a332a95269 100644 --- a/experimental/generated/elasticsearch/composable/component/destination.json +++ b/experimental/generated/elasticsearch/composable/component/destination.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/device.json b/experimental/generated/elasticsearch/composable/component/device.json index 03b9792933..cf66d72b06 100644 --- a/experimental/generated/elasticsearch/composable/component/device.json +++ b/experimental/generated/elasticsearch/composable/component/device.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-device.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/dll.json b/experimental/generated/elasticsearch/composable/component/dll.json index c507fe14d8..2de113a6ea 100644 --- a/experimental/generated/elasticsearch/composable/component/dll.json +++ b/experimental/generated/elasticsearch/composable/component/dll.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dll.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/dns.json b/experimental/generated/elasticsearch/composable/component/dns.json index fc68bcb657..4ed0861343 100644 --- a/experimental/generated/elasticsearch/composable/component/dns.json +++ b/experimental/generated/elasticsearch/composable/component/dns.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/ecs.json b/experimental/generated/elasticsearch/composable/component/ecs.json index b5c28444f0..a4e6e32eff 100644 --- a/experimental/generated/elasticsearch/composable/component/ecs.json +++ b/experimental/generated/elasticsearch/composable/component/ecs.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/email.json b/experimental/generated/elasticsearch/composable/component/email.json index 625f722a2a..83863c9c0c 100644 --- a/experimental/generated/elasticsearch/composable/component/email.json +++ b/experimental/generated/elasticsearch/composable/component/email.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-email.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/error.json b/experimental/generated/elasticsearch/composable/component/error.json index 95305a532a..81365f394c 100644 --- a/experimental/generated/elasticsearch/composable/component/error.json +++ b/experimental/generated/elasticsearch/composable/component/error.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-error.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/event.json b/experimental/generated/elasticsearch/composable/component/event.json index c63ebb78e1..b26490b26e 100644 --- a/experimental/generated/elasticsearch/composable/component/event.json +++ b/experimental/generated/elasticsearch/composable/component/event.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/faas.json b/experimental/generated/elasticsearch/composable/component/faas.json index 7572524786..f87ec45729 100644 --- a/experimental/generated/elasticsearch/composable/component/faas.json +++ b/experimental/generated/elasticsearch/composable/component/faas.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-faas.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/file.json b/experimental/generated/elasticsearch/composable/component/file.json index 97150ec5b2..a04643e7d9 100644 --- a/experimental/generated/elasticsearch/composable/component/file.json +++ b/experimental/generated/elasticsearch/composable/component/file.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/group.json b/experimental/generated/elasticsearch/composable/component/group.json index e64b20614b..d553ed9148 100644 --- a/experimental/generated/elasticsearch/composable/component/group.json +++ b/experimental/generated/elasticsearch/composable/component/group.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-group.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/host.json b/experimental/generated/elasticsearch/composable/component/host.json index 931b8e9797..b62d228655 100644 --- a/experimental/generated/elasticsearch/composable/component/host.json +++ b/experimental/generated/elasticsearch/composable/component/host.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/http.json b/experimental/generated/elasticsearch/composable/component/http.json index 958d97bac4..cd3cefba64 100644 --- a/experimental/generated/elasticsearch/composable/component/http.json +++ b/experimental/generated/elasticsearch/composable/component/http.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/log.json b/experimental/generated/elasticsearch/composable/component/log.json index b0ae568f36..6aae5a04e0 100644 --- a/experimental/generated/elasticsearch/composable/component/log.json +++ b/experimental/generated/elasticsearch/composable/component/log.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/network.json b/experimental/generated/elasticsearch/composable/component/network.json index a0ca529c0c..b170d396f5 100644 --- a/experimental/generated/elasticsearch/composable/component/network.json +++ b/experimental/generated/elasticsearch/composable/component/network.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/observer.json b/experimental/generated/elasticsearch/composable/component/observer.json index 19c44771be..80f43d522d 100644 --- a/experimental/generated/elasticsearch/composable/component/observer.json +++ b/experimental/generated/elasticsearch/composable/component/observer.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/orchestrator.json b/experimental/generated/elasticsearch/composable/component/orchestrator.json index c4fe907974..f1eedca0d1 100644 --- a/experimental/generated/elasticsearch/composable/component/orchestrator.json +++ b/experimental/generated/elasticsearch/composable/component/orchestrator.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-orchestrator.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/organization.json b/experimental/generated/elasticsearch/composable/component/organization.json index 86fea86dd8..49962ddcb3 100644 --- a/experimental/generated/elasticsearch/composable/component/organization.json +++ b/experimental/generated/elasticsearch/composable/component/organization.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-organization.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/package.json b/experimental/generated/elasticsearch/composable/component/package.json index 384389383b..d7aa066318 100644 --- a/experimental/generated/elasticsearch/composable/component/package.json +++ b/experimental/generated/elasticsearch/composable/component/package.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-package.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/process.json b/experimental/generated/elasticsearch/composable/component/process.json index 034901bc2a..3f144db017 100644 --- a/experimental/generated/elasticsearch/composable/component/process.json +++ b/experimental/generated/elasticsearch/composable/component/process.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/registry.json b/experimental/generated/elasticsearch/composable/component/registry.json index e760bd4b98..71753df64d 100644 --- a/experimental/generated/elasticsearch/composable/component/registry.json 
+++ b/experimental/generated/elasticsearch/composable/component/registry.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-registry.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/related.json b/experimental/generated/elasticsearch/composable/component/related.json index ecb28636ef..529fa9a356 100644 --- a/experimental/generated/elasticsearch/composable/component/related.json +++ b/experimental/generated/elasticsearch/composable/component/related.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-related.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/rule.json b/experimental/generated/elasticsearch/composable/component/rule.json index efef030345..a614c71927 100644 --- a/experimental/generated/elasticsearch/composable/component/rule.json +++ b/experimental/generated/elasticsearch/composable/component/rule.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/server.json b/experimental/generated/elasticsearch/composable/component/server.json index 19278c6b94..102722875f 100644 --- a/experimental/generated/elasticsearch/composable/component/server.json +++ b/experimental/generated/elasticsearch/composable/component/server.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/service.json b/experimental/generated/elasticsearch/composable/component/service.json index 6cfdd222f1..93a1f7fca9 100644 --- a/experimental/generated/elasticsearch/composable/component/service.json +++ b/experimental/generated/elasticsearch/composable/component/service.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/source.json b/experimental/generated/elasticsearch/composable/component/source.json index 61803cbab3..a17ed2a0a8 100644 --- a/experimental/generated/elasticsearch/composable/component/source.json +++ b/experimental/generated/elasticsearch/composable/component/source.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/threat.json b/experimental/generated/elasticsearch/composable/component/threat.json index 766fec3adf..c49f845733 100644 --- a/experimental/generated/elasticsearch/composable/component/threat.json +++ b/experimental/generated/elasticsearch/composable/component/threat.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-threat.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/tls.json b/experimental/generated/elasticsearch/composable/component/tls.json index c55861ba80..5ce583f817 100644 --- a/experimental/generated/elasticsearch/composable/component/tls.json +++ b/experimental/generated/elasticsearch/composable/component/tls.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tls.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/tracing.json b/experimental/generated/elasticsearch/composable/component/tracing.json index 089a67cd15..b3485b8808 100644 --- a/experimental/generated/elasticsearch/composable/component/tracing.json +++ b/experimental/generated/elasticsearch/composable/component/tracing.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tracing.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/url.json b/experimental/generated/elasticsearch/composable/component/url.json index f8d4e05d86..e2f6efe932 100644 --- a/experimental/generated/elasticsearch/composable/component/url.json +++ b/experimental/generated/elasticsearch/composable/component/url.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/user.json b/experimental/generated/elasticsearch/composable/component/user.json index 32ba199710..a2e9f72723 100644 --- a/experimental/generated/elasticsearch/composable/component/user.json +++ b/experimental/generated/elasticsearch/composable/component/user.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/user_agent.json b/experimental/generated/elasticsearch/composable/component/user_agent.json index a5ad6c0245..f95f4f22a1 100644 --- a/experimental/generated/elasticsearch/composable/component/user_agent.json +++ b/experimental/generated/elasticsearch/composable/component/user_agent.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/volume.json b/experimental/generated/elasticsearch/composable/component/volume.json new file mode 100644 index 0000000000..a53f3b65d8 --- /dev/null +++ b/experimental/generated/elasticsearch/composable/component/volume.json 
@@ -0,0 +1,77 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-volume.html", + "ecs_version": "8.12.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "volume": { + "properties": { + "bus_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "default_access": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dos_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_system_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mount_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nt_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "removable": { + "type": "boolean" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "vendor_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "writable": { + "type": "boolean" + } + } + } + } + } + } +} diff --git a/experimental/generated/elasticsearch/composable/component/vulnerability.json b/experimental/generated/elasticsearch/composable/component/vulnerability.json index aa21bb97b5..395e9a6cbe 100644 --- a/experimental/generated/elasticsearch/composable/component/vulnerability.json +++ b/experimental/generated/elasticsearch/composable/component/vulnerability.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "template": { "mappings": { 
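Review bot: the new experimental `volume.json` component maps `volume.size` as a bare `long` with no unit visible anywhere in the hunk; a mapping cannot carry units, so make sure the source schema description for `volume.size` states the unit (bytes or otherwise) before this ships, otherwise consumers aggregating across volumes cannot tell what scale the value is in. Also, `_meta.documentation` points at `https://www.elastic.co/guide/en/ecs/current/ecs-volume.html` although the component lives under `experimental/`; confirm that page exists for the release this targets, or that the generator deliberately emits the `current` link for experimental field sets.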
diff --git a/experimental/generated/elasticsearch/composable/template.json b/experimental/generated/elasticsearch/composable/template.json index 959d8eade1..5243ee3ba5 100644 --- a/experimental/generated/elasticsearch/composable/template.json +++ b/experimental/generated/elasticsearch/composable/template.json 
@@ -1,50 +1,50 @@ { "_meta": { "description": "Sample composable template that includes all ECS fields", - "ecs_version": "8.11.0-dev+exp" + "ecs_version": "8.12.0-dev+exp" }, "composed_of": [ - "ecs_8.11.0-dev-exp_cgroup", - "ecs_8.11.0-dev-exp_base", - "ecs_8.11.0-dev-exp_agent", - "ecs_8.11.0-dev-exp_client", - "ecs_8.11.0-dev-exp_cloud", - "ecs_8.11.0-dev-exp_container", - "ecs_8.11.0-dev-exp_data_stream", - "ecs_8.11.0-dev-exp_destination", - "ecs_8.11.0-dev-exp_device", - "ecs_8.11.0-dev-exp_dll", - "ecs_8.11.0-dev-exp_dns", - "ecs_8.11.0-dev-exp_ecs", - "ecs_8.11.0-dev-exp_email", - "ecs_8.11.0-dev-exp_error", - "ecs_8.11.0-dev-exp_event", - "ecs_8.11.0-dev-exp_faas", - "ecs_8.11.0-dev-exp_file", - "ecs_8.11.0-dev-exp_group", - "ecs_8.11.0-dev-exp_host", - "ecs_8.11.0-dev-exp_http", - "ecs_8.11.0-dev-exp_log", - "ecs_8.11.0-dev-exp_network", - "ecs_8.11.0-dev-exp_observer", - "ecs_8.11.0-dev-exp_orchestrator", - "ecs_8.11.0-dev-exp_organization", - "ecs_8.11.0-dev-exp_package", - "ecs_8.11.0-dev-exp_process", - "ecs_8.11.0-dev-exp_registry", - "ecs_8.11.0-dev-exp_related", - "ecs_8.11.0-dev-exp_rule", - "ecs_8.11.0-dev-exp_server", - "ecs_8.11.0-dev-exp_service", - "ecs_8.11.0-dev-exp_source", - "ecs_8.11.0-dev-exp_threat", - "ecs_8.11.0-dev-exp_tls", - "ecs_8.11.0-dev-exp_tracing", - "ecs_8.11.0-dev-exp_url", - "ecs_8.11.0-dev-exp_user_agent", - "ecs_8.11.0-dev-exp_user", - "ecs_8.11.0-dev-exp_volume", - "ecs_8.11.0-dev-exp_vulnerability" + "ecs_8.12.0-dev-exp_cgroup", + "ecs_8.12.0-dev-exp_base", + "ecs_8.12.0-dev-exp_agent", + "ecs_8.12.0-dev-exp_client", + "ecs_8.12.0-dev-exp_cloud", + "ecs_8.12.0-dev-exp_container", + "ecs_8.12.0-dev-exp_data_stream", + "ecs_8.12.0-dev-exp_destination", + "ecs_8.12.0-dev-exp_device", + "ecs_8.12.0-dev-exp_dll", + "ecs_8.12.0-dev-exp_dns", + "ecs_8.12.0-dev-exp_ecs", + "ecs_8.12.0-dev-exp_email", + "ecs_8.12.0-dev-exp_error", + "ecs_8.12.0-dev-exp_event", + "ecs_8.12.0-dev-exp_faas", + "ecs_8.12.0-dev-exp_file", + 
"ecs_8.12.0-dev-exp_group", + "ecs_8.12.0-dev-exp_host", + "ecs_8.12.0-dev-exp_http", + "ecs_8.12.0-dev-exp_log", + "ecs_8.12.0-dev-exp_network", + "ecs_8.12.0-dev-exp_observer", + "ecs_8.12.0-dev-exp_orchestrator", + "ecs_8.12.0-dev-exp_organization", + "ecs_8.12.0-dev-exp_package", + "ecs_8.12.0-dev-exp_process", + "ecs_8.12.0-dev-exp_registry", + "ecs_8.12.0-dev-exp_related", + "ecs_8.12.0-dev-exp_rule", + "ecs_8.12.0-dev-exp_server", + "ecs_8.12.0-dev-exp_service", + "ecs_8.12.0-dev-exp_source", + "ecs_8.12.0-dev-exp_threat", + "ecs_8.12.0-dev-exp_tls", + "ecs_8.12.0-dev-exp_tracing", + "ecs_8.12.0-dev-exp_url", + "ecs_8.12.0-dev-exp_user_agent", + "ecs_8.12.0-dev-exp_user", + "ecs_8.12.0-dev-exp_volume", + "ecs_8.12.0-dev-exp_vulnerability" ], "index_patterns": [ "try-ecs-*" diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index cc8a247b93..6ecdd5d57e 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -4,7 +4,7 @@ ], "mappings": { "_meta": { - "version": "8.11.0-dev+exp" + "version": "8.12.0-dev+exp" }, "date_detection": false, "dynamic_templates": [ diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 669097e0e2..0c45bd930d 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -1,5 +1,5 @@ # WARNING! Do not edit this file directly, it was generated by the ECS project, -# based on ECS version 8.11.0-dev. +# based on ECS version 8.12.0-dev. # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields. - key: ecs diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 93791246aa..d9bd84920e 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
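Review bot: in the `composed_of` hunk of `experimental/generated/elasticsearch/composable/template.json`, the removed list already contained `ecs_8.11.0-dev-exp_volume`, yet `experimental/generated/elasticsearch/composable/component/volume.json` is added as a new file in this same change; the previous experimental template therefore named a component that had no file in `experimental/generated/`, so double-check how the generator handles field sets that exist only in the non-experimental tree and confirm the new 8.12 template resolves every component it lists. Every hunk in this region touches generated output only (the header in `generated/beats/fields.ecs.yml` states the file must not be edited directly), so the matching `schemas/` change and a clean regeneration should be part of the same change set rather than hand edits to these files.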
@@ -1,1764 +1,1764 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description -8.11.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. -8.11.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. -8.11.0-dev,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer. -8.11.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. -8.11.0-dev,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. -8.11.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. -8.11.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. -8.11.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. -8.11.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. -8.11.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. -8.11.0-dev,true,client,client.address,keyword,extended,,,Client network address. -8.11.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.11.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.11.0-dev,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.11.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. -8.11.0-dev,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client. -8.11.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name. -8.11.0-dev,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. 
-8.11.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. -8.11.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.11.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name. -8.11.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.11.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.11.0-dev,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. -8.11.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.11.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. -8.11.0-dev,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.11.0-dev,true,client,client.ip,ip,core,,,IP address of the client. -8.11.0-dev,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. -8.11.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address -8.11.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port -8.11.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. -8.11.0-dev,true,client,client.port,long,core,,,Port of the client. -8.11.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." -8.11.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. -8.11.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.11.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.11.0-dev,true,client,client.user.email,keyword,extended,,,User email address. 
-8.11.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.11.0-dev,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.11.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.11.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group. -8.11.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.11.0-dev,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.11.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. -8.11.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. -8.11.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -8.11.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -8.11.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. -8.11.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.11.0-dev,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. 
-8.11.0-dev,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. -8.11.0-dev,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -8.11.0-dev,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -8.11.0-dev,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine. -8.11.0-dev,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.11.0-dev,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id. -8.11.0-dev,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name. -8.11.0-dev,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider. -8.11.0-dev,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -8.11.0-dev,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name. -8.11.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. -8.11.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. -8.11.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. -8.11.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -8.11.0-dev,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. -8.11.0-dev,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id. -8.11.0-dev,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name. -8.11.0-dev,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." 
-8.11.0-dev,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -8.11.0-dev,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine. -8.11.0-dev,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.11.0-dev,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id. -8.11.0-dev,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name. -8.11.0-dev,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider. -8.11.0-dev,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -8.11.0-dev,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name. -8.11.0-dev,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -8.11.0-dev,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -8.11.0-dev,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -8.11.0-dev,true,container,container.id,keyword,core,,,Unique container id. -8.11.0-dev,true,container,container.image.hash.all,keyword,extended,array,[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26],An array of digests of the image the container was built on. -8.11.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. -8.11.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags. -8.11.0-dev,true,container,container.labels,object,extended,,,Image labels. -8.11.0-dev,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1." -8.11.0-dev,true,container,container.name,keyword,extended,,,Container name. 
-8.11.0-dev,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. -8.11.0-dev,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -8.11.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. -8.11.0-dev,true,container,container.security_context.privileged,boolean,extended,,,Indicates whether the container is running in privileged mode. -8.11.0-dev,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. -8.11.0-dev,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. -8.11.0-dev,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. -8.11.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address. -8.11.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.11.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.11.0-dev,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.11.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. -8.11.0-dev,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination. -8.11.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. -8.11.0-dev,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. -8.11.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. 
-8.11.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.11.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. -8.11.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.11.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.11.0-dev,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. -8.11.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.11.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. -8.11.0-dev,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.11.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. -8.11.0-dev,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. -8.11.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip -8.11.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port -8.11.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. -8.11.0-dev,true,destination,destination.port,long,core,,,Port of the destination. -8.11.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." -8.11.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. -8.11.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.11.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. 
-8.11.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address. -8.11.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.11.0-dev,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.11.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.11.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. -8.11.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.11.0-dev,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.11.0-dev,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. -8.11.0-dev,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. -8.11.0-dev,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. -8.11.0-dev,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. 
-8.11.0-dev,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.11.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.11.0-dev,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.11.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.11.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.11.0-dev,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.11.0-dev,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.11.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.11.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.11.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. -8.11.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. -8.11.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. -8.11.0-dev,true,dll,dll.hash.sha384,keyword,extended,,,SHA384 hash. -8.11.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. -8.11.0-dev,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.11.0-dev,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. -8.11.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. -8.11.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. -8.11.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 
-8.11.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.11.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.11.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.11.0-dev,true,dll,dll.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.11.0-dev,true,dll,dll.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.11.0-dev,true,dll,dll.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.11.0-dev,true,dll,dll.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.11.0-dev,true,dll,dll.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.11.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.11.0-dev,true,dll,dll.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.11.0-dev,true,dll,dll.pe.imports,flattened,extended,array,,List of imported element names and types. -8.11.0-dev,true,dll,dll.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev,true,dll,dll.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.11.0-dev,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. 
-8.11.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.11.0-dev,true,dll,dll.pe.sections,nested,extended,array,,Section information of the PE file. -8.11.0-dev,true,dll,dll.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.11.0-dev,true,dll,dll.pe.sections.name,keyword,extended,,,PE Section List name. -8.11.0-dev,true,dll,dll.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.11.0-dev,true,dll,dll.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.11.0-dev,true,dll,dll.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.11.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. -8.11.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. -8.11.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. -8.11.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. -8.11.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. -8.11.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. -8.11.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. -8.11.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. -8.11.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. -8.11.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. 
-8.11.0-dev,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. -8.11.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." -8.11.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. -8.11.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.11.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. -8.11.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data -8.11.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. -8.11.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." -8.11.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. -8.11.0-dev,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. -8.11.0-dev,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. -8.11.0-dev,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. -8.11.0-dev,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.11.0-dev,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.11.0-dev,true,email,email.attachments.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.11.0-dev,true,email,email.attachments.file.hash.sha512,keyword,extended,,,SHA512 hash. -8.11.0-dev,true,email,email.attachments.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.11.0-dev,true,email,email.attachments.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.11.0-dev,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file. 
-8.11.0-dev,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file. -8.11.0-dev,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size. -8.11.0-dev,true,email,email.bcc.address,keyword,extended,array,bcc.user1@example.com,Email address of BCC recipient -8.11.0-dev,true,email,email.cc.address,keyword,extended,array,cc.user1@example.com,Email address of CC recipient -8.11.0-dev,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message. -8.11.0-dev,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered. -8.11.0-dev,true,email,email.direction,keyword,extended,,inbound,Direction of the message. -8.11.0-dev,true,email,email.from.address,keyword,extended,array,sender@example.com,The sender's email address. -8.11.0-dev,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source. -8.11.0-dev,true,email,email.message_id,wildcard,extended,,81ce15$8r2j59@mail01.example.com,Value from the Message-ID header. -8.11.0-dev,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed. -8.11.0-dev,true,email,email.reply_to.address,keyword,extended,array,reply.here@example.com,Address replies should be delivered to. -8.11.0-dev,true,email,email.sender.address,keyword,extended,,,Address of the message sender. -8.11.0-dev,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message. -8.11.0-dev,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. -8.11.0-dev,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient -8.11.0-dev,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. 
-8.11.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. -8.11.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. -8.11.0-dev,true,error,error.message,match_only_text,core,,,Error message. -8.11.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. -8.11.0-dev,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text. -8.11.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." -8.11.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. -8.11.0-dev,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. -8.11.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. -8.11.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event. -8.11.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. -8.11.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. -8.11.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. -8.11.0-dev,true,event,event.end,date,extended,,,`event.end` contains the date when the event ended or when the activity was last observed. -8.11.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. -8.11.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. -8.11.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. 
-8.11.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. -8.11.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. -8.11.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. -8.11.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. -8.11.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. -8.11.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" -8.11.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL -8.11.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. -8.11.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). -8.11.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event. -8.11.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event. -8.11.0-dev,true,event,event.start,date,extended,,,`event.start` contains the date when the event started or when the activity was first observed. -8.11.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone. -8.11.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. -8.11.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL -8.11.0-dev,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function. 
-8.11.0-dev,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. -8.11.0-dev,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. -8.11.0-dev,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. -8.11.0-dev,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." -8.11.0-dev,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. -8.11.0-dev,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. -8.11.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. -8.11.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.11.0-dev,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.11.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.11.0-dev,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.11.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.11.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.11.0-dev,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.11.0-dev,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.11.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 
-8.11.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.11.0-dev,true,file,file.created,date,extended,,,File creation time. -8.11.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.11.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. -8.11.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.11.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.11.0-dev,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.11.0-dev,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.11.0-dev,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.11.0-dev,true,file,file.elf.creation_date,date,extended,,,Build or compile date. -8.11.0-dev,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.11.0-dev,true,file,file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.11.0-dev,true,file,file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.11.0-dev,true,file,file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.11.0-dev,true,file,file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.11.0-dev,true,file,file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.11.0-dev,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.11.0-dev,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. 
-8.11.0-dev,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.11.0-dev,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.11.0-dev,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.11.0-dev,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.11.0-dev,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.11.0-dev,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.11.0-dev,true,file,file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.11.0-dev,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. -8.11.0-dev,true,file,file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev,true,file,file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. -8.11.0-dev,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.11.0-dev,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.11.0-dev,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.11.0-dev,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.11.0-dev,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.11.0-dev,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.11.0-dev,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. 
-8.11.0-dev,true,file,file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.11.0-dev,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.11.0-dev,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.11.0-dev,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. -8.11.0-dev,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.11.0-dev,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.11.0-dev,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.11.0-dev,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.11.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.11.0-dev,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.11.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.11.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. -8.11.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. -8.11.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. -8.11.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. -8.11.0-dev,true,file,file.hash.sha384,keyword,extended,,,SHA384 hash. -8.11.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. -8.11.0-dev,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.11.0-dev,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. -8.11.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.11.0-dev,true,file,file.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. 
-8.11.0-dev,true,file,file.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.11.0-dev,true,file,file.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.11.0-dev,true,file,file.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.11.0-dev,true,file,file.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.11.0-dev,true,file,file.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -8.11.0-dev,true,file,file.macho.imports,flattened,extended,array,,List of imported element names and types. -8.11.0-dev,true,file,file.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev,true,file,file.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev,true,file,file.macho.sections,nested,extended,array,,Section information of the Mach-O file. -8.11.0-dev,true,file,file.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.11.0-dev,true,file,file.macho.sections.name,keyword,extended,,,Mach-O Section List name. -8.11.0-dev,true,file,file.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -8.11.0-dev,true,file,file.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.11.0-dev,true,file,file.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -8.11.0-dev,true,file,file.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. 
-8.11.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.11.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. -8.11.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified. -8.11.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.11.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username. -8.11.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.11.0-dev,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.11.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.11.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.11.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.11.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.11.0-dev,true,file,file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.11.0-dev,true,file,file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.11.0-dev,true,file,file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.11.0-dev,true,file,file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.11.0-dev,true,file,file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
-8.11.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.11.0-dev,true,file,file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.11.0-dev,true,file,file.pe.imports,flattened,extended,array,,List of imported element names and types. -8.11.0-dev,true,file,file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev,true,file,file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.11.0-dev,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.11.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.11.0-dev,true,file,file.pe.sections,nested,extended,array,,Section information of the PE file. -8.11.0-dev,true,file,file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.11.0-dev,true,file,file.pe.sections.name,keyword,extended,,,PE Section List name. -8.11.0-dev,true,file,file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.11.0-dev,true,file,file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.11.0-dev,true,file,file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.11.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. -8.11.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks. 
-8.11.0-dev,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.11.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -8.11.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.11.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.11.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.11.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.11.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.11.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.11.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.11.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.11.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.11.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.11.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.11.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. 
-8.11.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.11.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.11.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.11.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.11.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.11.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.11.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.11.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.11.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.11.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.11.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.11.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.11.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.11.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.11.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-8.11.0-dev,true,group,group.name,keyword,extended,,,Name of the group. -8.11.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. -8.11.0-dev,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id -8.11.0-dev,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -8.11.0-dev,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -8.11.0-dev,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -8.11.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. -8.11.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name. -8.11.0-dev,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. -8.11.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. -8.11.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.11.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name. -8.11.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.11.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.11.0-dev,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. -8.11.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.11.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. -8.11.0-dev,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.11.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host. -8.11.0-dev,true,host,host.id,keyword,core,,,Unique host id. -8.11.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. 
-8.11.0-dev,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. -8.11.0-dev,true,host,host.name,keyword,core,,,Name of the host. -8.11.0-dev,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. -8.11.0-dev,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. -8.11.0-dev,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -8.11.0-dev,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. -8.11.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.11.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.11.0-dev,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.11.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -8.11.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.11.0-dev,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.11.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.11.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -8.11.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 
-8.11.0-dev,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode -8.11.0-dev,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.11.0-dev,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.11.0-dev,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.11.0-dev,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.11.0-dev,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.11.0-dev,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -8.11.0-dev,true,host,host.type,keyword,core,,,Type of host. -8.11.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. -8.11.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. -8.11.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. -8.11.0-dev,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body. -8.11.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). -8.11.0-dev,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. -8.11.0-dev,true,http,http.request.method,keyword,extended,,POST,HTTP request method. -8.11.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. 
-8.11.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. -8.11.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. -8.11.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. -8.11.0-dev,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body. -8.11.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). -8.11.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. -8.11.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code. -8.11.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version. -8.11.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. -8.11.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event. -8.11.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. -8.11.0-dev,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event. -8.11.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. -8.11.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. -8.11.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata -8.11.0-dev,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. -8.11.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. -8.11.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. 
-8.11.0-dev,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. -8.11.0-dev,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. -8.11.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. -8.11.0-dev,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. -8.11.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. -8.11.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. -8.11.0-dev,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages. -8.11.0-dev,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. -8.11.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name. -8.11.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. -8.11.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. -8.11.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. -8.11.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. -8.11.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. -8.11.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information -8.11.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.11.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.11.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. 
-8.11.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions. -8.11.0-dev,true,network,network.protocol,keyword,core,,http,Application protocol name. -8.11.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. -8.11.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" -8.11.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.11.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.11.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information -8.11.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias -8.11.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID -8.11.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name -8.11.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.11.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.11.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone -8.11.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. -8.11.0-dev,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. -8.11.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. -8.11.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.11.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. -8.11.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
-8.11.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.11.0-dev,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. -8.11.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.11.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. -8.11.0-dev,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.11.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. -8.11.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information -8.11.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias -8.11.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID -8.11.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name -8.11.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.11.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.11.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone -8.11.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. -8.11.0-dev,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. -8.11.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. -8.11.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.11.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 
-8.11.0-dev,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.11.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -8.11.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.11.0-dev,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.11.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.11.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -8.11.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.11.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. -8.11.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. -8.11.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. -8.11.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. -8.11.0-dev,true,observer,observer.version,keyword,core,,,Observer version. -8.11.0-dev,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action -8.11.0-dev,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster. -8.11.0-dev,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster. -8.11.0-dev,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster. -8.11.0-dev,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. 
-8.11.0-dev,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. -8.11.0-dev,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). -8.11.0-dev,true,orchestrator,orchestrator.resource.annotation,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of annotations added to the resource. -8.11.0-dev,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. -8.11.0-dev,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. -8.11.0-dev,true,orchestrator,orchestrator.resource.label,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of labels added to the resource. -8.11.0-dev,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. -8.11.0-dev,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. -8.11.0-dev,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. -8.11.0-dev,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)." -8.11.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. -8.11.0-dev,true,organization,organization.name,keyword,extended,,,Organization name. -8.11.0-dev,true,organization,organization.name.text,match_only_text,extended,,,Organization name. -8.11.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. 
-8.11.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information -8.11.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. -8.11.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. -8.11.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." -8.11.0-dev,true,package,package.installed,date,extended,,,Time when package was installed. -8.11.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license -8.11.0-dev,true,package,package.name,keyword,extended,,go,Package name -8.11.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. -8.11.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL -8.11.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes. -8.11.0-dev,true,package,package.type,keyword,extended,,rpm,Package type -8.11.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version -8.11.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.11.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. -8.11.0-dev,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.11.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.11.0-dev,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 
-8.11.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.11.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.11.0-dev,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.11.0-dev,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.11.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.11.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.11.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.11.0-dev,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.11.0-dev,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.11.0-dev,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.11.0-dev,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.11.0-dev,true,process,process.elf.creation_date,date,extended,,,Build or compile date. -8.11.0-dev,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. -8.11.0-dev,true,process,process.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.11.0-dev,true,process,process.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. 
-8.11.0-dev,true,process,process.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.11.0-dev,true,process,process.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.11.0-dev,true,process,process.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.11.0-dev,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.11.0-dev,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.11.0-dev,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.11.0-dev,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.11.0-dev,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.11.0-dev,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.11.0-dev,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.11.0-dev,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. -8.11.0-dev,true,process,process.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.11.0-dev,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. -8.11.0-dev,true,process,process.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev,true,process,process.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. 
-8.11.0-dev,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.11.0-dev,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.11.0-dev,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.11.0-dev,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. -8.11.0-dev,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.11.0-dev,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.11.0-dev,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. -8.11.0-dev,true,process,process.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.11.0-dev,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.11.0-dev,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.11.0-dev,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. -8.11.0-dev,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.11.0-dev,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. -8.11.0-dev,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.11.0-dev,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.11.0-dev,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -8.11.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.11.0-dev,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 
-8.11.0-dev,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. -8.11.0-dev,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group. -8.11.0-dev,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,process,process.entry_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.11.0-dev,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.11.0-dev,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.11.0-dev,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. -8.11.0-dev,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. -8.11.0-dev,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.11.0-dev,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.11.0-dev,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. -8.11.0-dev,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. 
-8.11.0-dev,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. -8.11.0-dev,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. -8.11.0-dev,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.11.0-dev,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. -8.11.0-dev,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.11.0-dev,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. -8.11.0-dev,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.11.0-dev,true,process,process.entry_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. -8.11.0-dev,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.11.0-dev,true,process,process.entry_leader.parent.vpid,long,core,,4242,Virtual process id. -8.11.0-dev,true,process,process.entry_leader.pid,long,core,,4242,Process id. -8.11.0-dev,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. -8.11.0-dev,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
-8.11.0-dev,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -8.11.0-dev,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. -8.11.0-dev,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.11.0-dev,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.11.0-dev,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. -8.11.0-dev,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.11.0-dev,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.11.0-dev,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
-8.11.0-dev,true,process,process.entry_leader.vpid,long,core,,4242,Virtual process id. -8.11.0-dev,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.11.0-dev,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.11.0-dev,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. -8.11.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.11.0-dev,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.11.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. -8.11.0-dev,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.11.0-dev,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. -8.11.0-dev,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.11.0-dev,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.11.0-dev,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.11.0-dev,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.11.0-dev,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.11.0-dev,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-8.11.0-dev,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. -8.11.0-dev,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.11.0-dev,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. -8.11.0-dev,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. -8.11.0-dev,true,process,process.group_leader.pid,long,core,,4242,Process id. -8.11.0-dev,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. -8.11.0-dev,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -8.11.0-dev,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. -8.11.0-dev,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
-8.11.0-dev,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.11.0-dev,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.11.0-dev,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. -8.11.0-dev,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.11.0-dev,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.11.0-dev,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,process,process.group_leader.vpid,long,core,,4242,Virtual process id. -8.11.0-dev,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.11.0-dev,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.11.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. -8.11.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. -8.11.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. -8.11.0-dev,true,process,process.hash.sha384,keyword,extended,,,SHA384 hash. -8.11.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. -8.11.0-dev,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. 
-8.11.0-dev,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. -8.11.0-dev,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.11.0-dev,true,process,process.io,object,extended,,,A chunk of input or output (IO) from a single process. -8.11.0-dev,true,process,process.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. -8.11.0-dev,true,process,process.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. -8.11.0-dev,true,process,process.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. -8.11.0-dev,true,process,process.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." -8.11.0-dev,true,process,process.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. -8.11.0-dev,true,process,process.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. -8.11.0-dev,true,process,process.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. -8.11.0-dev,true,process,process.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. -8.11.0-dev,true,process,process.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -8.11.0-dev,true,process,process.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.11.0-dev,true,process,process.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
-8.11.0-dev,true,process,process.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.11.0-dev,true,process,process.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.11.0-dev,true,process,process.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -8.11.0-dev,true,process,process.macho.imports,flattened,extended,array,,List of imported element names and types. -8.11.0-dev,true,process,process.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev,true,process,process.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev,true,process,process.macho.sections,nested,extended,array,,Section information of the Mach-O file. -8.11.0-dev,true,process,process.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.11.0-dev,true,process,process.macho.sections.name,keyword,extended,,,Mach-O Section List name. -8.11.0-dev,true,process,process.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -8.11.0-dev,true,process,process.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.11.0-dev,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -8.11.0-dev,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -8.11.0-dev,true,process,process.name,keyword,extended,,ssh,Process name. -8.11.0-dev,true,process,process.name.text,match_only_text,extended,,ssh,Process name. 
-8.11.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.11.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. -8.11.0-dev,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.11.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.11.0-dev,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.11.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.11.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.11.0-dev,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.11.0-dev,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.11.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.11.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.11.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.11.0-dev,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.11.0-dev,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. 
-8.11.0-dev,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.11.0-dev,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.11.0-dev,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. -8.11.0-dev,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. -8.11.0-dev,true,process,process.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.11.0-dev,true,process,process.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.11.0-dev,true,process,process.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.11.0-dev,true,process,process.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.11.0-dev,true,process,process.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.11.0-dev,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.11.0-dev,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.11.0-dev,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.11.0-dev,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.11.0-dev,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.11.0-dev,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.11.0-dev,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. 
-8.11.0-dev,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. -8.11.0-dev,true,process,process.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.11.0-dev,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. -8.11.0-dev,true,process,process.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev,true,process,process.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. -8.11.0-dev,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.11.0-dev,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.11.0-dev,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.11.0-dev,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. -8.11.0-dev,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.11.0-dev,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.11.0-dev,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. -8.11.0-dev,true,process,process.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.11.0-dev,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.11.0-dev,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. 
-8.11.0-dev,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. -8.11.0-dev,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.11.0-dev,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. -8.11.0-dev,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.11.0-dev,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.11.0-dev,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -8.11.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.11.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.11.0-dev,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.11.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. -8.11.0-dev,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev,true,process,process.parent.group.name,keyword,extended,,,Name of the group. -8.11.0-dev,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.11.0-dev,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. -8.11.0-dev,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.11.0-dev,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id. -8.11.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. -8.11.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. 
-8.11.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. -8.11.0-dev,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash. -8.11.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. -8.11.0-dev,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.11.0-dev,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. -8.11.0-dev,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.11.0-dev,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -8.11.0-dev,true,process,process.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.11.0-dev,true,process,process.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.11.0-dev,true,process,process.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.11.0-dev,true,process,process.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.11.0-dev,true,process,process.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -8.11.0-dev,true,process,process.parent.macho.imports,flattened,extended,array,,List of imported element names and types. -8.11.0-dev,true,process,process.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev,true,process,process.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
-8.11.0-dev,true,process,process.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file. -8.11.0-dev,true,process,process.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.11.0-dev,true,process,process.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name. -8.11.0-dev,true,process,process.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -8.11.0-dev,true,process,process.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.11.0-dev,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -8.11.0-dev,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -8.11.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name. -8.11.0-dev,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. -8.11.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.11.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.11.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.11.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.11.0-dev,true,process,process.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.11.0-dev,true,process,process.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. 
-8.11.0-dev,true,process,process.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.11.0-dev,true,process,process.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.11.0-dev,true,process,process.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.11.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.11.0-dev,true,process,process.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.11.0-dev,true,process,process.parent.pe.imports,flattened,extended,array,,List of imported element names and types. -8.11.0-dev,true,process,process.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev,true,process,process.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.11.0-dev,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.11.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.11.0-dev,true,process,process.parent.pe.sections,nested,extended,array,,Section information of the PE file. -8.11.0-dev,true,process,process.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.11.0-dev,true,process,process.parent.pe.sections.name,keyword,extended,,,PE Section List name. 
-8.11.0-dev,true,process,process.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.11.0-dev,true,process,process.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.11.0-dev,true,process,process.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.11.0-dev,true,process,process.parent.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. -8.11.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. -8.11.0-dev,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. -8.11.0-dev,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group. -8.11.0-dev,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 
-8.11.0-dev,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. -8.11.0-dev,true,process,process.parent.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. -8.11.0-dev,true,process,process.parent.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. -8.11.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. -8.11.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. -8.11.0-dev,true,process,process.parent.title,keyword,extended,,,Process title. -8.11.0-dev,true,process,process.parent.title.text,match_only_text,extended,,,Process title. -8.11.0-dev,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. -8.11.0-dev,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.11.0-dev,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.11.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. -8.11.0-dev,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,process,process.parent.vpid,long,core,,4242,Virtual process id. -8.11.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. 
-8.11.0-dev,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.11.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.11.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.11.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.11.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.11.0-dev,true,process,process.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.11.0-dev,true,process,process.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.11.0-dev,true,process,process.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.11.0-dev,true,process,process.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.11.0-dev,true,process,process.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.11.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.11.0-dev,true,process,process.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.11.0-dev,true,process,process.pe.imports,flattened,extended,array,,List of imported element names and types. -8.11.0-dev,true,process,process.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
-8.11.0-dev,true,process,process.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.11.0-dev,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.11.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.11.0-dev,true,process,process.pe.sections,nested,extended,array,,Section information of the PE file. -8.11.0-dev,true,process,process.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.11.0-dev,true,process,process.pe.sections.name,keyword,extended,,,PE Section List name. -8.11.0-dev,true,process,process.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.11.0-dev,true,process,process.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.11.0-dev,true,process,process.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.11.0-dev,true,process,process.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. -8.11.0-dev,true,process,process.pid,long,core,,4242,Process id. -8.11.0-dev,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.11.0-dev,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. -8.11.0-dev,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 
-8.11.0-dev,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.11.0-dev,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev,true,process,process.real_group.name,keyword,extended,,,Name of the group. -8.11.0-dev,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev,true,process,process.saved_group.name,keyword,extended,,,Name of the group. -8.11.0-dev,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.11.0-dev,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array. -8.11.0-dev,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.11.0-dev,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
-8.11.0-dev,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.11.0-dev,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.11.0-dev,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.11.0-dev,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. -8.11.0-dev,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.11.0-dev,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. -8.11.0-dev,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. -8.11.0-dev,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.11.0-dev,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. -8.11.0-dev,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.11.0-dev,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. -8.11.0-dev,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.11.0-dev,true,process,process.session_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. -8.11.0-dev,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.11.0-dev,true,process,process.session_leader.parent.vpid,long,core,,4242,Virtual process id. -8.11.0-dev,true,process,process.session_leader.pid,long,core,,4242,Process id. 
-8.11.0-dev,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. -8.11.0-dev,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -8.11.0-dev,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group. -8.11.0-dev,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.11.0-dev,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.11.0-dev,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. 
-8.11.0-dev,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.11.0-dev,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.11.0-dev,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,process,process.session_leader.vpid,long,core,,4242,Virtual process id. -8.11.0-dev,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.11.0-dev,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.11.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.11.0-dev,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. -8.11.0-dev,true,process,process.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. -8.11.0-dev,true,process,process.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. -8.11.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. -8.11.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. -8.11.0-dev,true,process,process.title,keyword,extended,,,Process title. 
-8.11.0-dev,true,process,process.title.text,match_only_text,extended,,,Process title. -8.11.0-dev,true,process,process.tty,object,extended,,,Information about the controlling TTY device. -8.11.0-dev,true,process,process.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.11.0-dev,true,process,process.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.11.0-dev,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width -8.11.0-dev,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height -8.11.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. -8.11.0-dev,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,process,process.vpid,long,core,,4242,Virtual process id. -8.11.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.11.0-dev,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.11.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.11.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -8.11.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.11.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. 
-8.11.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -8.11.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.11.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. -8.11.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. -8.11.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. -8.11.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. -8.11.0-dev,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. -8.11.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author -8.11.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category -8.11.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description -8.11.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID -8.11.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license -8.11.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name -8.11.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL -8.11.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset -8.11.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID -8.11.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version -8.11.0-dev,true,server,server.address,keyword,extended,,,Server network address. -8.11.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. 
-8.11.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.11.0-dev,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.11.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. -8.11.0-dev,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server. -8.11.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name. -8.11.0-dev,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. -8.11.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. -8.11.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.11.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name. -8.11.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.11.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.11.0-dev,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. -8.11.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.11.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. -8.11.0-dev,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.11.0-dev,true,server,server.ip,ip,core,,,IP address of the server. -8.11.0-dev,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. -8.11.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip -8.11.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port -8.11.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. -8.11.0-dev,true,server,server.port,long,core,,,Port of the server. 
-8.11.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." -8.11.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. -8.11.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.11.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.11.0-dev,true,server,server.user.email,keyword,extended,,,User email address. -8.11.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.11.0-dev,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.11.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.11.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group. -8.11.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.11.0-dev,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.11.0-dev,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.11.0-dev,true,service,service.environment,keyword,extended,,production,Environment of the service. 
-8.11.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.11.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.11.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. -8.11.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.11.0-dev,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.11.0-dev,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -8.11.0-dev,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.11.0-dev,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. -8.11.0-dev,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.11.0-dev,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.11.0-dev,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. -8.11.0-dev,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.11.0-dev,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.11.0-dev,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -8.11.0-dev,true,service,service.origin.state,keyword,core,,,Current state of the service. -8.11.0-dev,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. -8.11.0-dev,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. 
-8.11.0-dev,true,service,service.state,keyword,core,,,Current state of the service. -8.11.0-dev,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.11.0-dev,true,service,service.target.environment,keyword,extended,,production,Environment of the service. -8.11.0-dev,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.11.0-dev,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.11.0-dev,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. -8.11.0-dev,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.11.0-dev,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.11.0-dev,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -8.11.0-dev,true,service,service.target.state,keyword,core,,,Current state of the service. -8.11.0-dev,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. -8.11.0-dev,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. -8.11.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service. -8.11.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service. -8.11.0-dev,true,source,source.address,keyword,extended,,,Source network address. -8.11.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.11.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.11.0-dev,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. 
-8.11.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. -8.11.0-dev,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source. -8.11.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name. -8.11.0-dev,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. -8.11.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. -8.11.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.11.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name. -8.11.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.11.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.11.0-dev,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. -8.11.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.11.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. -8.11.0-dev,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.11.0-dev,true,source,source.ip,ip,core,,,IP address of the source. -8.11.0-dev,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. -8.11.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip -8.11.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port -8.11.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. -8.11.0-dev,true,source,source.port,long,core,,,Port of the source. -8.11.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -8.11.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. 
-8.11.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.11.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.11.0-dev,true,source,source.user.email,keyword,extended,,,User email address. -8.11.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.11.0-dev,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.11.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.11.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group. -8.11.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.11.0-dev,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.11.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. -8.11.0-dev,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. -8.11.0-dev,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. 
-8.11.0-dev,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.11.0-dev,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.11.0-dev,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.11.0-dev,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating -8.11.0-dev,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -8.11.0-dev,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address -8.11.0-dev,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
-8.11.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.11.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. 
-8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. 
-8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 
-8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.11.0-dev,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. 
-8.11.0-dev,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.11.0-dev,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.11.0-dev,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.11.0-dev,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.11.0-dev,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.11.0-dev,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.11.0-dev,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 
-8.11.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.11.0-dev,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. 
-8.11.0-dev,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.11.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -8.11.0-dev,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
-8.11.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.11.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.11.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.11.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. 
-8.11.0-dev,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.11.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.11.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.11.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.11.0-dev,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. 
-8.11.0-dev,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. -8.11.0-dev,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. -8.11.0-dev,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. -8.11.0-dev,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. -8.11.0-dev,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.11.0-dev,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. -8.11.0-dev,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.11.0-dev,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.11.0-dev,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. -8.11.0-dev,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.11.0-dev,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. -8.11.0-dev,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.11.0-dev,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address -8.11.0-dev,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. 
-8.11.0-dev,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking -8.11.0-dev,true,threat,threat.enrichments.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version -8.11.0-dev,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. -8.11.0-dev,true,threat,threat.enrichments.indicator.name,keyword,extended,,5.2.75.227,Indicator display name -8.11.0-dev,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port -8.11.0-dev,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider -8.11.0-dev,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL -8.11.0-dev,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.11.0-dev,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -8.11.0-dev,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.11.0-dev,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.11.0-dev,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -8.11.0-dev,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.11.0-dev,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. 
-8.11.0-dev,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics -8.11.0-dev,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed -8.11.0-dev,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator -8.11.0-dev,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.11.0-dev,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -8.11.0-dev,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.11.0-dev,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.11.0-dev,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.11.0-dev,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.11.0-dev,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.11.0-dev,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. -8.11.0-dev,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.11.0-dev,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." -8.11.0-dev,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. 
-8.11.0-dev,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.11.0-dev,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. -8.11.0-dev,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.11.0-dev,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.11.0-dev,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. -8.11.0-dev,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.11.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.11.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.11.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.11.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.11.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.11.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-8.11.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.11.0-dev,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.11.0-dev,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.11.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.11.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.11.0-dev,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.11.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.11.0-dev,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.11.0-dev,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.11.0-dev,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.11.0-dev,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.11.0-dev,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-8.11.0-dev,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.11.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.11.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.11.0-dev,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.11.0-dev,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. -8.11.0-dev,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value -8.11.0-dev,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field -8.11.0-dev,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier -8.11.0-dev,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index -8.11.0-dev,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05T17:00:58.326Z,Date of match -8.11.0-dev,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match -8.11.0-dev,true,threat,threat.feed.dashboard_id,keyword,extended,,5ba16340-72e6-11eb-a3e3-b3cc7c78a70f,Feed dashboard ID. -8.11.0-dev,true,threat,threat.feed.description,keyword,extended,,Threat feed from the AlienVault Open Threat eXchange network.,Description of the threat feed. -8.11.0-dev,true,threat,threat.feed.name,keyword,extended,,AlienVault OTX,Name of the threat feed. -8.11.0-dev,true,threat,threat.feed.reference,keyword,extended,,https://otx.alienvault.com,Reference for the threat feed. 
-8.11.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. -8.11.0-dev,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. -8.11.0-dev,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. -8.11.0-dev,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. -8.11.0-dev,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. -8.11.0-dev,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.11.0-dev,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.11.0-dev,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.11.0-dev,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating -8.11.0-dev,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -8.11.0-dev,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address -8.11.0-dev,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. -8.11.0-dev,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.11.0-dev,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.11.0-dev,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.11.0-dev,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 
-8.11.0-dev,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.11.0-dev,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.11.0-dev,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.11.0-dev,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.11.0-dev,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.11.0-dev,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.11.0-dev,true,threat,threat.indicator.file.created,date,extended,,,File creation time. -8.11.0-dev,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.11.0-dev,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. -8.11.0-dev,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.11.0-dev,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.11.0-dev,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.11.0-dev,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.11.0-dev,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.11.0-dev,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. 
-8.11.0-dev,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.11.0-dev,true,threat,threat.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.11.0-dev,true,threat,threat.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.11.0-dev,true,threat,threat.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.11.0-dev,true,threat,threat.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.11.0-dev,true,threat,threat.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.11.0-dev,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.11.0-dev,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.11.0-dev,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.11.0-dev,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.11.0-dev,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.11.0-dev,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.11.0-dev,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.11.0-dev,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.11.0-dev,true,threat,threat.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. 
-8.11.0-dev,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. -8.11.0-dev,true,threat,threat.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev,true,threat,threat.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. -8.11.0-dev,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.11.0-dev,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.11.0-dev,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.11.0-dev,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.11.0-dev,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.11.0-dev,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.11.0-dev,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.11.0-dev,true,threat,threat.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.11.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.11.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.11.0-dev,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. 
-8.11.0-dev,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.11.0-dev,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.11.0-dev,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.11.0-dev,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.11.0-dev,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.11.0-dev,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.11.0-dev,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.11.0-dev,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. -8.11.0-dev,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. -8.11.0-dev,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.11.0-dev,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.11.0-dev,true,threat,threat.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.11.0-dev,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. -8.11.0-dev,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.11.0-dev,true,threat,threat.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.11.0-dev,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.11.0-dev,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.11.0-dev,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. 
-8.11.0-dev,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. -8.11.0-dev,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.11.0-dev,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. -8.11.0-dev,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.11.0-dev,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.11.0-dev,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.11.0-dev,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.11.0-dev,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.11.0-dev,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.11.0-dev,true,threat,threat.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.11.0-dev,true,threat,threat.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.11.0-dev,true,threat,threat.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.11.0-dev,true,threat,threat.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.11.0-dev,true,threat,threat.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
-8.11.0-dev,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.11.0-dev,true,threat,threat.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.11.0-dev,true,threat,threat.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. -8.11.0-dev,true,threat,threat.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev,true,threat,threat.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.11.0-dev,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.11.0-dev,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.11.0-dev,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.11.0-dev,true,threat,threat.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. -8.11.0-dev,true,threat,threat.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.11.0-dev,true,threat,threat.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. -8.11.0-dev,true,threat,threat.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.11.0-dev,true,threat,threat.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 
-8.11.0-dev,true,threat,threat.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.11.0-dev,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. -8.11.0-dev,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. -8.11.0-dev,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.11.0-dev,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -8.11.0-dev,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.11.0-dev,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.11.0-dev,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.11.0-dev,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.11.0-dev,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.11.0-dev,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.11.0-dev,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.11.0-dev,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-8.11.0-dev,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.11.0-dev,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.11.0-dev,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.11.0-dev,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.11.0-dev,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.11.0-dev,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.11.0-dev,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.11.0-dev,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.11.0-dev,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.11.0-dev,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.11.0-dev,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.11.0-dev,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-8.11.0-dev,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.11.0-dev,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.11.0-dev,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.11.0-dev,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.11.0-dev,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.11.0-dev,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. -8.11.0-dev,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. -8.11.0-dev,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. -8.11.0-dev,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. -8.11.0-dev,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.11.0-dev,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. -8.11.0-dev,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.11.0-dev,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.11.0-dev,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. -8.11.0-dev,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.11.0-dev,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. -8.11.0-dev,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 
-8.11.0-dev,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address -8.11.0-dev,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. -8.11.0-dev,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking -8.11.0-dev,true,threat,threat.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version -8.11.0-dev,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. -8.11.0-dev,true,threat,threat.indicator.name,keyword,extended,,5.2.75.227,Indicator display name -8.11.0-dev,true,threat,threat.indicator.port,long,extended,,443,Indicator port -8.11.0-dev,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider -8.11.0-dev,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL -8.11.0-dev,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.11.0-dev,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -8.11.0-dev,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.11.0-dev,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.11.0-dev,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. 
-8.11.0-dev,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.11.0-dev,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. -8.11.0-dev,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics -8.11.0-dev,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed -8.11.0-dev,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator -8.11.0-dev,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.11.0-dev,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -8.11.0-dev,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.11.0-dev,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.11.0-dev,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.11.0-dev,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.11.0-dev,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.11.0-dev,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. -8.11.0-dev,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.11.0-dev,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." 
-8.11.0-dev,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. -8.11.0-dev,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.11.0-dev,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. -8.11.0-dev,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.11.0-dev,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.11.0-dev,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. -8.11.0-dev,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.11.0-dev,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.11.0-dev,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.11.0-dev,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.11.0-dev,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.11.0-dev,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.11.0-dev,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-8.11.0-dev,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.11.0-dev,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.11.0-dev,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.11.0-dev,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.11.0-dev,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.11.0-dev,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.11.0-dev,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.11.0-dev,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.11.0-dev,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.11.0-dev,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.11.0-dev,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.11.0-dev,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-8.11.0-dev,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.11.0-dev,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.11.0-dev,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.11.0-dev,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.11.0-dev,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. -8.11.0-dev,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software -8.11.0-dev,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software -8.11.0-dev,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. -8.11.0-dev,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. -8.11.0-dev,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. -8.11.0-dev,true,threat,threat.software.type,keyword,extended,,Tool,Software type. -8.11.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. -8.11.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. -8.11.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. -8.11.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. -8.11.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. -8.11.0-dev,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name. 
-8.11.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. -8.11.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. -8.11.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. -8.11.0-dev,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name. -8.11.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. -8.11.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. -8.11.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. -8.11.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. -8.11.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. -8.11.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. -8.11.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. 
-8.11.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. -8.11.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. -8.11.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. -8.11.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. -8.11.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. -8.11.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. -8.11.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. -8.11.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.11.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.11.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.11.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
-8.11.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.11.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.11.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.11.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.11.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.11.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.11.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.11.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.11.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.11.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.11.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.11.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.11.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
-8.11.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.11.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.11.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.11.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.11.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.11.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.11.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. -8.11.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." -8.11.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. -8.11.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. -8.11.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -8.11.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. -8.11.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. 
-8.11.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. -8.11.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. -8.11.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. -8.11.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. -8.11.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. -8.11.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. -8.11.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. -8.11.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. -8.11.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.11.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
-8.11.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.11.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.11.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.11.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.11.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.11.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.11.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.11.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.11.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.11.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.11.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.11.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.11.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. 
-8.11.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.11.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.11.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.11.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.11.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.11.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.11.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.11.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.11.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. -8.11.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. -8.11.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. -8.11.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. -8.11.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. -8.11.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.11.0-dev,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." 
-8.11.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.11.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.11.0-dev,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.11.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.11.0-dev,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.11.0-dev,true,url,url.password,keyword,extended,,,Password of the request. -8.11.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.11.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443." -8.11.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. -8.11.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.11.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. -8.11.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.11.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.11.0-dev,true,url,url.username,keyword,extended,,,Username of the request. -8.11.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. -8.11.0-dev,true,user,user.changes.email,keyword,extended,,,User email address. -8.11.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.11.0-dev,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
-8.11.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.11.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group. -8.11.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.11.0-dev,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.11.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.11.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. -8.11.0-dev,true,user,user.effective.email,keyword,extended,,,User email address. -8.11.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.11.0-dev,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.11.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.11.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group. -8.11.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
-8.11.0-dev,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.11.0-dev,true,user,user.email,keyword,extended,,,User email address. -8.11.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.11.0-dev,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.11.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.11.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group. -8.11.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.11.0-dev,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.11.0-dev,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. 
-8.11.0-dev,true,user,user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.11.0-dev,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.11.0-dev,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.11.0-dev,true,user,user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -8.11.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.11.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. -8.11.0-dev,true,user,user.target.email,keyword,extended,,,User email address. -8.11.0-dev,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.11.0-dev,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.11.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.11.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.11.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group. -8.11.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.11.0-dev,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.11.0-dev,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. -8.11.0-dev,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
-8.11.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.11.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. -8.11.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. -8.11.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -8.11.0-dev,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -8.11.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.11.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.11.0-dev,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.11.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -8.11.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.11.0-dev,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.11.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.11.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." 
-8.11.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.11.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. -8.11.0-dev,true,volume,volume.bus_type,keyword,extended,,FileBackedVirtual,Bus type of the device. -8.11.0-dev,true,volume,volume.default_access,keyword,extended,,,Bus type of the device. -8.11.0-dev,true,volume,volume.device_name,keyword,extended,,,Device name of the volume. -8.11.0-dev,true,volume,volume.device_type,keyword,extended,,CD-ROM File System,Volume device type. -8.11.0-dev,true,volume,volume.dos_name,keyword,extended,,E:,DOS name of the device. -8.11.0-dev,true,volume,volume.file_system_type,keyword,extended,,,Volume device file system type. -8.11.0-dev,true,volume,volume.mount_name,keyword,extended,,,Mount name of the volume. -8.11.0-dev,true,volume,volume.nt_name,keyword,extended,,\Device\Cdrom1,NT name of the device. -8.11.0-dev,true,volume,volume.product_id,keyword,extended,,,ProductID of the device. -8.11.0-dev,true,volume,volume.product_name,keyword,extended,,Virtual DVD-ROM,Produce name of the volume. -8.11.0-dev,true,volume,volume.removable,boolean,extended,,,Indicates if the volume is removable. -8.11.0-dev,true,volume,volume.serial_number,keyword,extended,,,Serial number of the device. -8.11.0-dev,true,volume,volume.size,long,extended,,,Size of the volume device in bytes. -8.11.0-dev,true,volume,volume.vendor_id,keyword,extended,,,VendorID of the device. -8.11.0-dev,true,volume,volume.vendor_name,keyword,extended,,Msft,Vendor name of the device. -8.11.0-dev,true,volume,volume.writable,boolean,extended,,,Indicates if the volume is writable. -8.11.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. -8.11.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. 
-8.11.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -8.11.0-dev,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -8.11.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. -8.11.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. -8.11.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. -8.11.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. -8.11.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. -8.11.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. -8.11.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. -8.11.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. -8.11.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. -8.11.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. +8.12.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. +8.12.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. +8.12.0-dev,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer. +8.12.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. 
+8.12.0-dev,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. +8.12.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. +8.12.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. +8.12.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. +8.12.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. +8.12.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. +8.12.0-dev,true,client,client.address,keyword,extended,,,Client network address. +8.12.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.12.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.12.0-dev,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.12.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. +8.12.0-dev,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client. +8.12.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name. +8.12.0-dev,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. +8.12.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. +8.12.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.12.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name. +8.12.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.12.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. 
+8.12.0-dev,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. +8.12.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.12.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. +8.12.0-dev,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.12.0-dev,true,client,client.ip,ip,core,,,IP address of the client. +8.12.0-dev,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. +8.12.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address +8.12.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port +8.12.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. +8.12.0-dev,true,client,client.port,long,core,,,Port of the client. +8.12.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." +8.12.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. +8.12.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.12.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.12.0-dev,true,client,client.user.email,keyword,extended,,,User email address. +8.12.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.12.0-dev,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.12.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.12.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group. 
+8.12.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.12.0-dev,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.12.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. +8.12.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. +8.12.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +8.12.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +8.12.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. +8.12.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +8.12.0-dev,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. +8.12.0-dev,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. +8.12.0-dev,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +8.12.0-dev,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +8.12.0-dev,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine. 
+8.12.0-dev,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +8.12.0-dev,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id. +8.12.0-dev,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name. +8.12.0-dev,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider. +8.12.0-dev,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +8.12.0-dev,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name. +8.12.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. +8.12.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. +8.12.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. +8.12.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +8.12.0-dev,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. +8.12.0-dev,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id. +8.12.0-dev,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name. +8.12.0-dev,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +8.12.0-dev,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +8.12.0-dev,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine. +8.12.0-dev,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +8.12.0-dev,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id. 
+8.12.0-dev,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name. +8.12.0-dev,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider. +8.12.0-dev,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +8.12.0-dev,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name. +8.12.0-dev,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +8.12.0-dev,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +8.12.0-dev,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +8.12.0-dev,true,container,container.id,keyword,core,,,Unique container id. +8.12.0-dev,true,container,container.image.hash.all,keyword,extended,array,[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26],An array of digests of the image the container was built on. +8.12.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. +8.12.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags. +8.12.0-dev,true,container,container.labels,object,extended,,,Image labels. +8.12.0-dev,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1." +8.12.0-dev,true,container,container.name,keyword,extended,,,Container name. +8.12.0-dev,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +8.12.0-dev,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +8.12.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. 
+8.12.0-dev,true,container,container.security_context.privileged,boolean,extended,,,Indicates whether the container is running in privileged mode. +8.12.0-dev,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. +8.12.0-dev,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. +8.12.0-dev,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. +8.12.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address. +8.12.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.12.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.12.0-dev,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.12.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. +8.12.0-dev,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination. +8.12.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. +8.12.0-dev,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. +8.12.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. +8.12.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.12.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. +8.12.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
+8.12.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.12.0-dev,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. +8.12.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.12.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. +8.12.0-dev,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.12.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. +8.12.0-dev,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. +8.12.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip +8.12.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port +8.12.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. +8.12.0-dev,true,destination,destination.port,long,core,,,Port of the destination. +8.12.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." +8.12.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. +8.12.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.12.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.12.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address. +8.12.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.12.0-dev,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
+8.12.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.12.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. +8.12.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.12.0-dev,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.12.0-dev,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. +8.12.0-dev,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. +8.12.0-dev,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. +8.12.0-dev,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. +8.12.0-dev,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.12.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 
+8.12.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.12.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.12.0-dev,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.12.0-dev,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.12.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.12.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.12.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. +8.12.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. +8.12.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. +8.12.0-dev,true,dll,dll.hash.sha384,keyword,extended,,,SHA384 hash. +8.12.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. +8.12.0-dev,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.12.0-dev,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. +8.12.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. +8.12.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. +8.12.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.12.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.12.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.12.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 
+8.12.0-dev,true,dll,dll.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +8.12.0-dev,true,dll,dll.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.12.0-dev,true,dll,dll.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.12.0-dev,true,dll,dll.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.12.0-dev,true,dll,dll.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.12.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.12.0-dev,true,dll,dll.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.12.0-dev,true,dll,dll.pe.imports,flattened,extended,array,,List of imported element names and types. +8.12.0-dev,true,dll,dll.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev,true,dll,dll.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.12.0-dev,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.12.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.12.0-dev,true,dll,dll.pe.sections,nested,extended,array,,Section information of the PE file. +8.12.0-dev,true,dll,dll.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. 
+8.12.0-dev,true,dll,dll.pe.sections.name,keyword,extended,,,PE Section List name. +8.12.0-dev,true,dll,dll.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.12.0-dev,true,dll,dll.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.12.0-dev,true,dll,dll.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.12.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. +8.12.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. +8.12.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. +8.12.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. +8.12.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. +8.12.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. +8.12.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. +8.12.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. +8.12.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. +8.12.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. +8.12.0-dev,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. +8.12.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." +8.12.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. 
+8.12.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.12.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. +8.12.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data +8.12.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. +8.12.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." +8.12.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. +8.12.0-dev,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. +8.12.0-dev,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. +8.12.0-dev,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. +8.12.0-dev,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. +8.12.0-dev,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. +8.12.0-dev,true,email,email.attachments.file.hash.sha384,keyword,extended,,,SHA384 hash. +8.12.0-dev,true,email,email.attachments.file.hash.sha512,keyword,extended,,,SHA512 hash. +8.12.0-dev,true,email,email.attachments.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.12.0-dev,true,email,email.attachments.file.hash.tlsh,keyword,extended,,,TLSH hash. +8.12.0-dev,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file. +8.12.0-dev,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file. +8.12.0-dev,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size. 
+8.12.0-dev,true,email,email.bcc.address,keyword,extended,array,bcc.user1@example.com,Email address of BCC recipient +8.12.0-dev,true,email,email.cc.address,keyword,extended,array,cc.user1@example.com,Email address of CC recipient +8.12.0-dev,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message. +8.12.0-dev,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered. +8.12.0-dev,true,email,email.direction,keyword,extended,,inbound,Direction of the message. +8.12.0-dev,true,email,email.from.address,keyword,extended,array,sender@example.com,The sender's email address. +8.12.0-dev,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source. +8.12.0-dev,true,email,email.message_id,wildcard,extended,,81ce15$8r2j59@mail01.example.com,Value from the Message-ID header. +8.12.0-dev,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed. +8.12.0-dev,true,email,email.reply_to.address,keyword,extended,array,reply.here@example.com,Address replies should be delivered to. +8.12.0-dev,true,email,email.sender.address,keyword,extended,,,Address of the message sender. +8.12.0-dev,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message. +8.12.0-dev,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. +8.12.0-dev,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient +8.12.0-dev,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. +8.12.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. +8.12.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. +8.12.0-dev,true,error,error.message,match_only_text,core,,,Error message. 
+8.12.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. +8.12.0-dev,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text. +8.12.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." +8.12.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. +8.12.0-dev,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. +8.12.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. +8.12.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event. +8.12.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. +8.12.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. +8.12.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. +8.12.0-dev,true,event,event.end,date,extended,,,`event.end` contains the date when the event ended or when the activity was last observed. +8.12.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +8.12.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. +8.12.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. +8.12.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. +8.12.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. 
+8.12.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +8.12.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. +8.12.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. +8.12.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" +8.12.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL +8.12.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +8.12.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). +8.12.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event. +8.12.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event. +8.12.0-dev,true,event,event.start,date,extended,,,`event.start` contains the date when the event started or when the activity was first observed. +8.12.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone. +8.12.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. +8.12.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL +8.12.0-dev,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function. +8.12.0-dev,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. 
+8.12.0-dev,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. +8.12.0-dev,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. +8.12.0-dev,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." +8.12.0-dev,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. +8.12.0-dev,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. +8.12.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. +8.12.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +8.12.0-dev,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.12.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.12.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.12.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.12.0-dev,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.12.0-dev,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.12.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.12.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 
+8.12.0-dev,true,file,file.created,date,extended,,,File creation time. +8.12.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. +8.12.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. +8.12.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. +8.12.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +8.12.0-dev,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.12.0-dev,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.12.0-dev,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.12.0-dev,true,file,file.elf.creation_date,date,extended,,,Build or compile date. +8.12.0-dev,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. +8.12.0-dev,true,file,file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.12.0-dev,true,file,file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.12.0-dev,true,file,file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.12.0-dev,true,file,file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.12.0-dev,true,file,file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.12.0-dev,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.12.0-dev,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.12.0-dev,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. 
+8.12.0-dev,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.12.0-dev,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.12.0-dev,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.12.0-dev,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.12.0-dev,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. +8.12.0-dev,true,file,file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.12.0-dev,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. +8.12.0-dev,true,file,file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev,true,file,file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. +8.12.0-dev,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.12.0-dev,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.12.0-dev,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.12.0-dev,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. +8.12.0-dev,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.12.0-dev,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.12.0-dev,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.12.0-dev,true,file,file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 
+8.12.0-dev,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.12.0-dev,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.12.0-dev,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. +8.12.0-dev,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.12.0-dev,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. +8.12.0-dev,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.12.0-dev,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.12.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +8.12.0-dev,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +8.12.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +8.12.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. +8.12.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. +8.12.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. +8.12.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. +8.12.0-dev,true,file,file.hash.sha384,keyword,extended,,,SHA384 hash. +8.12.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. +8.12.0-dev,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.12.0-dev,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. +8.12.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +8.12.0-dev,true,file,file.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +8.12.0-dev,true,file,file.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. 
+8.12.0-dev,true,file,file.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.12.0-dev,true,file,file.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.12.0-dev,true,file,file.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.12.0-dev,true,file,file.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +8.12.0-dev,true,file,file.macho.imports,flattened,extended,array,,List of imported element names and types. +8.12.0-dev,true,file,file.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev,true,file,file.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev,true,file,file.macho.sections,nested,extended,array,,Section information of the Mach-O file. +8.12.0-dev,true,file,file.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.12.0-dev,true,file,file.macho.sections.name,keyword,extended,,,Mach-O Section List name. +8.12.0-dev,true,file,file.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +8.12.0-dev,true,file,file.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.12.0-dev,true,file,file.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +8.12.0-dev,true,file,file.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +8.12.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." 
+8.12.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. +8.12.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified. +8.12.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +8.12.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username. +8.12.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.12.0-dev,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.12.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.12.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.12.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.12.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.12.0-dev,true,file,file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +8.12.0-dev,true,file,file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.12.0-dev,true,file,file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.12.0-dev,true,file,file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.12.0-dev,true,file,file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.12.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. 
+8.12.0-dev,true,file,file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.12.0-dev,true,file,file.pe.imports,flattened,extended,array,,List of imported element names and types. +8.12.0-dev,true,file,file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev,true,file,file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.12.0-dev,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.12.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.12.0-dev,true,file,file.pe.sections,nested,extended,array,,Section information of the PE file. +8.12.0-dev,true,file,file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.12.0-dev,true,file,file.pe.sections.name,keyword,extended,,,PE Section List name. +8.12.0-dev,true,file,file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.12.0-dev,true,file,file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.12.0-dev,true,file,file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.12.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. +8.12.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks. +8.12.0-dev,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. 
+8.12.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +8.12.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +8.12.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.12.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.12.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.12.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.12.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.12.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.12.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.12.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.12.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.12.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.12.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.12.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. 
+8.12.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.12.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.12.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.12.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.12.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.12.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.12.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.12.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.12.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.12.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.12.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.12.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. +8.12.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.12.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev,true,group,group.name,keyword,extended,,,Name of the group. +8.12.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. 
+8.12.0-dev,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id +8.12.0-dev,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +8.12.0-dev,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +8.12.0-dev,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +8.12.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. +8.12.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name. +8.12.0-dev,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. +8.12.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. +8.12.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.12.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name. +8.12.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.12.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.12.0-dev,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. +8.12.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.12.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. +8.12.0-dev,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.12.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host. +8.12.0-dev,true,host,host.id,keyword,core,,,Unique host id. +8.12.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. +8.12.0-dev,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. +8.12.0-dev,true,host,host.name,keyword,core,,,Name of the host. 
+8.12.0-dev,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +8.12.0-dev,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. +8.12.0-dev,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +8.12.0-dev,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. +8.12.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +8.12.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.12.0-dev,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.12.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +8.12.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +8.12.0-dev,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +8.12.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +8.12.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +8.12.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +8.12.0-dev,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode +8.12.0-dev,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
+8.12.0-dev,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.12.0-dev,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.12.0-dev,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.12.0-dev,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.12.0-dev,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +8.12.0-dev,true,host,host.type,keyword,core,,,Type of host. +8.12.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. +8.12.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. +8.12.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. +8.12.0-dev,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body. +8.12.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). +8.12.0-dev,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. +8.12.0-dev,true,http,http.request.method,keyword,extended,,POST,HTTP request method. +8.12.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. +8.12.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. +8.12.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. 
+8.12.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. +8.12.0-dev,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body. +8.12.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). +8.12.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. +8.12.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code. +8.12.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version. +8.12.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. +8.12.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event. +8.12.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. +8.12.0-dev,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event. +8.12.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. +8.12.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. +8.12.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata +8.12.0-dev,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. +8.12.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. +8.12.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. +8.12.0-dev,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. +8.12.0-dev,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. 
+8.12.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. +8.12.0-dev,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. +8.12.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. +8.12.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. +8.12.0-dev,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages. +8.12.0-dev,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. +8.12.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name. +8.12.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. +8.12.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. +8.12.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. +8.12.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. +8.12.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. +8.12.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information +8.12.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.12.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.12.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. +8.12.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions. +8.12.0-dev,true,network,network.protocol,keyword,core,,http,Application protocol name. 
+8.12.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. +8.12.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" +8.12.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.12.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.12.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information +8.12.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias +8.12.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID +8.12.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name +8.12.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.12.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.12.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone +8.12.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. +8.12.0-dev,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. +8.12.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. +8.12.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.12.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. +8.12.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.12.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.12.0-dev,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. 
+8.12.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.12.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. +8.12.0-dev,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.12.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. +8.12.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information +8.12.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias +8.12.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID +8.12.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name +8.12.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.12.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.12.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone +8.12.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. +8.12.0-dev,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. +8.12.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. +8.12.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +8.12.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.12.0-dev,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.12.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. 
+8.12.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +8.12.0-dev,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +8.12.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +8.12.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +8.12.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +8.12.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. +8.12.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. +8.12.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. +8.12.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. +8.12.0-dev,true,observer,observer.version,keyword,core,,,Observer version. +8.12.0-dev,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action +8.12.0-dev,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster. +8.12.0-dev,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster. +8.12.0-dev,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster. +8.12.0-dev,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. +8.12.0-dev,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. +8.12.0-dev,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). 
+8.12.0-dev,true,orchestrator,orchestrator.resource.annotation,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of annotations added to the resource. +8.12.0-dev,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. +8.12.0-dev,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. +8.12.0-dev,true,orchestrator,orchestrator.resource.label,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of labels added to the resource. +8.12.0-dev,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. +8.12.0-dev,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. +8.12.0-dev,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. +8.12.0-dev,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)." +8.12.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. +8.12.0-dev,true,organization,organization.name,keyword,extended,,,Organization name. +8.12.0-dev,true,organization,organization.name.text,match_only_text,extended,,,Organization name. +8.12.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. +8.12.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information +8.12.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. 
+8.12.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. +8.12.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." +8.12.0-dev,true,package,package.installed,date,extended,,,Time when package was installed. +8.12.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license +8.12.0-dev,true,package,package.name,keyword,extended,,go,Package name +8.12.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. +8.12.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL +8.12.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes. +8.12.0-dev,true,package,package.type,keyword,extended,,rpm,Package type +8.12.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version +8.12.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.12.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. +8.12.0-dev,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.12.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.12.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
+8.12.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.12.0-dev,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.12.0-dev,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.12.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.12.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.12.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.12.0-dev,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.12.0-dev,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.12.0-dev,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.12.0-dev,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.12.0-dev,true,process,process.elf.creation_date,date,extended,,,Build or compile date. +8.12.0-dev,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. +8.12.0-dev,true,process,process.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.12.0-dev,true,process,process.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.12.0-dev,true,process,process.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
+8.12.0-dev,true,process,process.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.12.0-dev,true,process,process.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.12.0-dev,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.12.0-dev,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.12.0-dev,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.12.0-dev,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.12.0-dev,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.12.0-dev,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.12.0-dev,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.12.0-dev,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. +8.12.0-dev,true,process,process.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.12.0-dev,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. +8.12.0-dev,true,process,process.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev,true,process,process.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. +8.12.0-dev,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. 
+8.12.0-dev,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.12.0-dev,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.12.0-dev,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. +8.12.0-dev,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.12.0-dev,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.12.0-dev,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. +8.12.0-dev,true,process,process.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.12.0-dev,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.12.0-dev,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.12.0-dev,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. +8.12.0-dev,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.12.0-dev,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. +8.12.0-dev,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.12.0-dev,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.12.0-dev,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +8.12.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.12.0-dev,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.12.0-dev,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. 
+8.12.0-dev,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group. +8.12.0-dev,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,process,process.entry_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.12.0-dev,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.12.0-dev,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.12.0-dev,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. +8.12.0-dev,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. +8.12.0-dev,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.12.0-dev,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.12.0-dev,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. +8.12.0-dev,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.12.0-dev,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. 
+8.12.0-dev,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. +8.12.0-dev,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.12.0-dev,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. +8.12.0-dev,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.12.0-dev,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. +8.12.0-dev,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.12.0-dev,true,process,process.entry_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. +8.12.0-dev,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.12.0-dev,true,process,process.entry_leader.parent.vpid,long,core,,4242,Virtual process id. +8.12.0-dev,true,process,process.entry_leader.pid,long,core,,4242,Process id. +8.12.0-dev,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. +8.12.0-dev,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. 
+8.12.0-dev,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. +8.12.0-dev,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.12.0-dev,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +8.12.0-dev,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. +8.12.0-dev,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.12.0-dev,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.12.0-dev,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,process,process.entry_leader.vpid,long,core,,4242,Virtual process id. +8.12.0-dev,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. 
+8.12.0-dev,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.12.0-dev,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. +8.12.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.12.0-dev,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.12.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. +8.12.0-dev,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.12.0-dev,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. +8.12.0-dev,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.12.0-dev,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.12.0-dev,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.12.0-dev,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.12.0-dev,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.12.0-dev,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. +8.12.0-dev,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. 
+8.12.0-dev,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. +8.12.0-dev,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. +8.12.0-dev,true,process,process.group_leader.pid,long,core,,4242,Process id. +8.12.0-dev,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. +8.12.0-dev,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +8.12.0-dev,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. +8.12.0-dev,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.12.0-dev,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+8.12.0-dev,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +8.12.0-dev,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. +8.12.0-dev,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.12.0-dev,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.12.0-dev,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,process,process.group_leader.vpid,long,core,,4242,Virtual process id. +8.12.0-dev,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.12.0-dev,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.12.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. +8.12.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. +8.12.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. +8.12.0-dev,true,process,process.hash.sha384,keyword,extended,,,SHA384 hash. +8.12.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. +8.12.0-dev,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.12.0-dev,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. +8.12.0-dev,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.12.0-dev,true,process,process.io,object,extended,,,A chunk of input or output (IO) from a single process. 
+8.12.0-dev,true,process,process.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. +8.12.0-dev,true,process,process.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. +8.12.0-dev,true,process,process.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. +8.12.0-dev,true,process,process.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." +8.12.0-dev,true,process,process.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. +8.12.0-dev,true,process,process.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. +8.12.0-dev,true,process,process.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. +8.12.0-dev,true,process,process.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. +8.12.0-dev,true,process,process.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +8.12.0-dev,true,process,process.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.12.0-dev,true,process,process.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.12.0-dev,true,process,process.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.12.0-dev,true,process,process.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
+8.12.0-dev,true,process,process.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +8.12.0-dev,true,process,process.macho.imports,flattened,extended,array,,List of imported element names and types. +8.12.0-dev,true,process,process.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev,true,process,process.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev,true,process,process.macho.sections,nested,extended,array,,Section information of the Mach-O file. +8.12.0-dev,true,process,process.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.12.0-dev,true,process,process.macho.sections.name,keyword,extended,,,Mach-O Section List name. +8.12.0-dev,true,process,process.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +8.12.0-dev,true,process,process.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.12.0-dev,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +8.12.0-dev,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +8.12.0-dev,true,process,process.name,keyword,extended,,ssh,Process name. +8.12.0-dev,true,process,process.name.text,match_only_text,extended,,ssh,Process name. +8.12.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.12.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. 
+8.12.0-dev,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.12.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.12.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.12.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.12.0-dev,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.12.0-dev,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.12.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.12.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.12.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.12.0-dev,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.12.0-dev,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.12.0-dev,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.12.0-dev,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. 
+8.12.0-dev,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. +8.12.0-dev,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. +8.12.0-dev,true,process,process.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.12.0-dev,true,process,process.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.12.0-dev,true,process,process.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.12.0-dev,true,process,process.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.12.0-dev,true,process,process.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.12.0-dev,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.12.0-dev,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.12.0-dev,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.12.0-dev,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.12.0-dev,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.12.0-dev,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.12.0-dev,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.12.0-dev,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. 
+8.12.0-dev,true,process,process.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.12.0-dev,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. +8.12.0-dev,true,process,process.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev,true,process,process.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. +8.12.0-dev,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.12.0-dev,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.12.0-dev,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.12.0-dev,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. +8.12.0-dev,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.12.0-dev,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.12.0-dev,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. +8.12.0-dev,true,process,process.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.12.0-dev,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.12.0-dev,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.12.0-dev,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. 
+8.12.0-dev,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.12.0-dev,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. +8.12.0-dev,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.12.0-dev,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.12.0-dev,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +8.12.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.12.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.12.0-dev,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.12.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. +8.12.0-dev,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev,true,process,process.parent.group.name,keyword,extended,,,Name of the group. +8.12.0-dev,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.12.0-dev,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. +8.12.0-dev,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.12.0-dev,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id. +8.12.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. +8.12.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. +8.12.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. 
+8.12.0-dev,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash. +8.12.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. +8.12.0-dev,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.12.0-dev,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. +8.12.0-dev,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.12.0-dev,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +8.12.0-dev,true,process,process.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.12.0-dev,true,process,process.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.12.0-dev,true,process,process.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.12.0-dev,true,process,process.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.12.0-dev,true,process,process.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +8.12.0-dev,true,process,process.parent.macho.imports,flattened,extended,array,,List of imported element names and types. +8.12.0-dev,true,process,process.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev,true,process,process.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev,true,process,process.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file. 
+8.12.0-dev,true,process,process.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.12.0-dev,true,process,process.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name. +8.12.0-dev,true,process,process.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +8.12.0-dev,true,process,process.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.12.0-dev,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +8.12.0-dev,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +8.12.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name. +8.12.0-dev,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. +8.12.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.12.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.12.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.12.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.12.0-dev,true,process,process.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +8.12.0-dev,true,process,process.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.12.0-dev,true,process,process.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
+8.12.0-dev,true,process,process.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.12.0-dev,true,process,process.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.12.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.12.0-dev,true,process,process.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.12.0-dev,true,process,process.parent.pe.imports,flattened,extended,array,,List of imported element names and types. +8.12.0-dev,true,process,process.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev,true,process,process.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.12.0-dev,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.12.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.12.0-dev,true,process,process.parent.pe.sections,nested,extended,array,,Section information of the PE file. +8.12.0-dev,true,process,process.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.12.0-dev,true,process,process.parent.pe.sections.name,keyword,extended,,,PE Section List name. +8.12.0-dev,true,process,process.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. 
+8.12.0-dev,true,process,process.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.12.0-dev,true,process,process.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.12.0-dev,true,process,process.parent.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. +8.12.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. +8.12.0-dev,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. +8.12.0-dev,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group. +8.12.0-dev,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.12.0-dev,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+8.12.0-dev,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. +8.12.0-dev,true,process,process.parent.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +8.12.0-dev,true,process,process.parent.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. +8.12.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. +8.12.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. +8.12.0-dev,true,process,process.parent.title,keyword,extended,,,Process title. +8.12.0-dev,true,process,process.parent.title.text,match_only_text,extended,,,Process title. +8.12.0-dev,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. +8.12.0-dev,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.12.0-dev,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.12.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. +8.12.0-dev,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,process,process.parent.vpid,long,core,,4242,Virtual process id. +8.12.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.12.0-dev,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. 
+8.12.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.12.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.12.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.12.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.12.0-dev,true,process,process.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +8.12.0-dev,true,process,process.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.12.0-dev,true,process,process.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.12.0-dev,true,process,process.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.12.0-dev,true,process,process.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.12.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.12.0-dev,true,process,process.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.12.0-dev,true,process,process.pe.imports,flattened,extended,array,,List of imported element names and types. +8.12.0-dev,true,process,process.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev,true,process,process.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
+8.12.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.12.0-dev,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.12.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.12.0-dev,true,process,process.pe.sections,nested,extended,array,,Section information of the PE file. +8.12.0-dev,true,process,process.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.12.0-dev,true,process,process.pe.sections.name,keyword,extended,,,PE Section List name. +8.12.0-dev,true,process,process.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.12.0-dev,true,process,process.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.12.0-dev,true,process,process.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.12.0-dev,true,process,process.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. +8.12.0-dev,true,process,process.pid,long,core,,4242,Process id. +8.12.0-dev,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.12.0-dev,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. +8.12.0-dev,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.12.0-dev,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.12.0-dev,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+8.12.0-dev,true,process,process.real_group.name,keyword,extended,,,Name of the group. +8.12.0-dev,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev,true,process,process.saved_group.name,keyword,extended,,,Name of the group. +8.12.0-dev,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.12.0-dev,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array. +8.12.0-dev,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.12.0-dev,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.12.0-dev,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.12.0-dev,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 
+8.12.0-dev,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.12.0-dev,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. +8.12.0-dev,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.12.0-dev,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. +8.12.0-dev,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. +8.12.0-dev,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.12.0-dev,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. +8.12.0-dev,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.12.0-dev,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. +8.12.0-dev,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.12.0-dev,true,process,process.session_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. +8.12.0-dev,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.12.0-dev,true,process,process.session_leader.parent.vpid,long,core,,4242,Virtual process id. +8.12.0-dev,true,process,process.session_leader.pid,long,core,,4242,Process id. +8.12.0-dev,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. 
+8.12.0-dev,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +8.12.0-dev,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group. +8.12.0-dev,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.12.0-dev,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +8.12.0-dev,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. +8.12.0-dev,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.12.0-dev,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. 
+8.12.0-dev,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,process,process.session_leader.vpid,long,core,,4242,Virtual process id. +8.12.0-dev,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.12.0-dev,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.12.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.12.0-dev,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. +8.12.0-dev,true,process,process.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +8.12.0-dev,true,process,process.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. +8.12.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. +8.12.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. +8.12.0-dev,true,process,process.title,keyword,extended,,,Process title. +8.12.0-dev,true,process,process.title.text,match_only_text,extended,,,Process title. +8.12.0-dev,true,process,process.tty,object,extended,,,Information about the controlling TTY device. +8.12.0-dev,true,process,process.tty.char_device.major,long,extended,,4,The TTY character device's major number. 
+8.12.0-dev,true,process,process.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.12.0-dev,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width +8.12.0-dev,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height +8.12.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. +8.12.0-dev,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,process,process.vpid,long,core,,4242,Virtual process id. +8.12.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.12.0-dev,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.12.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +8.12.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +8.12.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +8.12.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +8.12.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. 
+8.12.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +8.12.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. +8.12.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. +8.12.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. +8.12.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. +8.12.0-dev,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. +8.12.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author +8.12.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category +8.12.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description +8.12.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID +8.12.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license +8.12.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name +8.12.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL +8.12.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset +8.12.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID +8.12.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version +8.12.0-dev,true,server,server.address,keyword,extended,,,Server network address. +8.12.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.12.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.12.0-dev,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. 
+8.12.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. +8.12.0-dev,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server. +8.12.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name. +8.12.0-dev,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. +8.12.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. +8.12.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.12.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name. +8.12.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.12.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.12.0-dev,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. +8.12.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.12.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. +8.12.0-dev,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.12.0-dev,true,server,server.ip,ip,core,,,IP address of the server. +8.12.0-dev,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. +8.12.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip +8.12.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port +8.12.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. +8.12.0-dev,true,server,server.port,long,core,,,Port of the server. +8.12.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." +8.12.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. 
+8.12.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.12.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.12.0-dev,true,server,server.user.email,keyword,extended,,,User email address. +8.12.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.12.0-dev,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.12.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.12.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group. +8.12.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.12.0-dev,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.12.0-dev,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. +8.12.0-dev,true,service,service.environment,keyword,extended,,production,Environment of the service. +8.12.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +8.12.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. 
+8.12.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. +8.12.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. +8.12.0-dev,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +8.12.0-dev,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +8.12.0-dev,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. +8.12.0-dev,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. +8.12.0-dev,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +8.12.0-dev,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +8.12.0-dev,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. +8.12.0-dev,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. +8.12.0-dev,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +8.12.0-dev,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +8.12.0-dev,true,service,service.origin.state,keyword,core,,,Current state of the service. +8.12.0-dev,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. +8.12.0-dev,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. +8.12.0-dev,true,service,service.state,keyword,core,,,Current state of the service. +8.12.0-dev,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service. +8.12.0-dev,true,service,service.target.environment,keyword,extended,,production,Environment of the service. 
+8.12.0-dev,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +8.12.0-dev,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +8.12.0-dev,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. +8.12.0-dev,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. +8.12.0-dev,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +8.12.0-dev,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +8.12.0-dev,true,service,service.target.state,keyword,core,,,Current state of the service. +8.12.0-dev,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. +8.12.0-dev,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. +8.12.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service. +8.12.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service. +8.12.0-dev,true,source,source.address,keyword,extended,,,Source network address. +8.12.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.12.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.12.0-dev,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.12.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. +8.12.0-dev,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source. +8.12.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name. +8.12.0-dev,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. 
+8.12.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. +8.12.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.12.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name. +8.12.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.12.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.12.0-dev,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. +8.12.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.12.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. +8.12.0-dev,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.12.0-dev,true,source,source.ip,ip,core,,,IP address of the source. +8.12.0-dev,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +8.12.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip +8.12.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port +8.12.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. +8.12.0-dev,true,source,source.port,long,core,,,Port of the source. +8.12.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +8.12.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. +8.12.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.12.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.12.0-dev,true,source,source.user.email,keyword,extended,,,User email address. 
+8.12.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.12.0-dev,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.12.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.12.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group. +8.12.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.12.0-dev,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.12.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. +8.12.0-dev,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. +8.12.0-dev,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. +8.12.0-dev,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.12.0-dev,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.12.0-dev,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. 
+8.12.0-dev,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating +8.12.0-dev,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +8.12.0-dev,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +8.12.0-dev,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 
+8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
+8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
+8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. 
+8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +8.12.0-dev,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." 
+8.12.0-dev,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +8.12.0-dev,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.12.0-dev,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
+8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. 
+8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +8.12.0-dev,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
+8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.12.0-dev,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. 
+8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. +8.12.0-dev,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +8.12.0-dev,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. +8.12.0-dev,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. +8.12.0-dev,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. 
+8.12.0-dev,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.12.0-dev,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. +8.12.0-dev,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.12.0-dev,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.12.0-dev,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. +8.12.0-dev,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.12.0-dev,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. +8.12.0-dev,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.12.0-dev,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +8.12.0-dev,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +8.12.0-dev,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking +8.12.0-dev,true,threat,threat.enrichments.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version +8.12.0-dev,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. 
+8.12.0-dev,true,threat,threat.enrichments.indicator.name,keyword,extended,,5.2.75.227,Indicator display name +8.12.0-dev,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port +8.12.0-dev,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +8.12.0-dev,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +8.12.0-dev,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +8.12.0-dev,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +8.12.0-dev,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +8.12.0-dev,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +8.12.0-dev,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +8.12.0-dev,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +8.12.0-dev,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. 
+8.12.0-dev,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics +8.12.0-dev,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed +8.12.0-dev,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +8.12.0-dev,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +8.12.0-dev,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +8.12.0-dev,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +8.12.0-dev,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.12.0-dev,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.12.0-dev,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.12.0-dev,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.12.0-dev,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. +8.12.0-dev,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +8.12.0-dev,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." +8.12.0-dev,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. 
+8.12.0-dev,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +8.12.0-dev,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +8.12.0-dev,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +8.12.0-dev,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.12.0-dev,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. +8.12.0-dev,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.12.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.12.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.12.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.12.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.12.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.12.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+8.12.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.12.0-dev,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.12.0-dev,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.12.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.12.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.12.0-dev,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.12.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.12.0-dev,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.12.0-dev,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.12.0-dev,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.12.0-dev,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.12.0-dev,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
+8.12.0-dev,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.12.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.12.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.12.0-dev,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.12.0-dev,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. +8.12.0-dev,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value +8.12.0-dev,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field +8.12.0-dev,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier +8.12.0-dev,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index +8.12.0-dev,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05T17:00:58.326Z,Date of match +8.12.0-dev,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match +8.12.0-dev,true,threat,threat.feed.dashboard_id,keyword,extended,,5ba16340-72e6-11eb-a3e3-b3cc7c78a70f,Feed dashboard ID. +8.12.0-dev,true,threat,threat.feed.description,keyword,extended,,Threat feed from the AlienVault Open Threat eXchange network.,Description of the threat feed. +8.12.0-dev,true,threat,threat.feed.name,keyword,extended,,AlienVault OTX,Name of the threat feed. +8.12.0-dev,true,threat,threat.feed.reference,keyword,extended,,https://otx.alienvault.com,Reference for the threat feed. 
+8.12.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. +8.12.0-dev,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. +8.12.0-dev,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. +8.12.0-dev,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. +8.12.0-dev,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. +8.12.0-dev,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.12.0-dev,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.12.0-dev,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.12.0-dev,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating +8.12.0-dev,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +8.12.0-dev,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +8.12.0-dev,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. +8.12.0-dev,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +8.12.0-dev,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.12.0-dev,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 
+8.12.0-dev,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.12.0-dev,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.12.0-dev,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.12.0-dev,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.12.0-dev,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.12.0-dev,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.12.0-dev,true,threat,threat.indicator.file.created,date,extended,,,File creation time. +8.12.0-dev,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +8.12.0-dev,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +8.12.0-dev,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +8.12.0-dev,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +8.12.0-dev,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.12.0-dev,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.12.0-dev,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.12.0-dev,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. 
+8.12.0-dev,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +8.12.0-dev,true,threat,threat.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.12.0-dev,true,threat,threat.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.12.0-dev,true,threat,threat.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.12.0-dev,true,threat,threat.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.12.0-dev,true,threat,threat.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.12.0-dev,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.12.0-dev,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.12.0-dev,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.12.0-dev,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.12.0-dev,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.12.0-dev,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.12.0-dev,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.12.0-dev,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +8.12.0-dev,true,threat,threat.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. 
+8.12.0-dev,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +8.12.0-dev,true,threat,threat.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev,true,threat,threat.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +8.12.0-dev,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.12.0-dev,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.12.0-dev,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.12.0-dev,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +8.12.0-dev,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.12.0-dev,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.12.0-dev,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.12.0-dev,true,threat,threat.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.12.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.12.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.12.0-dev,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. 
+8.12.0-dev,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.12.0-dev,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +8.12.0-dev,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.12.0-dev,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.12.0-dev,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +8.12.0-dev,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +8.12.0-dev,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +8.12.0-dev,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +8.12.0-dev,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. +8.12.0-dev,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. +8.12.0-dev,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. +8.12.0-dev,true,threat,threat.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. +8.12.0-dev,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. +8.12.0-dev,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.12.0-dev,true,threat,threat.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. +8.12.0-dev,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +8.12.0-dev,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +8.12.0-dev,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. 
+8.12.0-dev,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. +8.12.0-dev,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +8.12.0-dev,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. +8.12.0-dev,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.12.0-dev,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.12.0-dev,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.12.0-dev,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.12.0-dev,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.12.0-dev,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.12.0-dev,true,threat,threat.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +8.12.0-dev,true,threat,threat.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +8.12.0-dev,true,threat,threat.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.12.0-dev,true,threat,threat.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.12.0-dev,true,threat,threat.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
+8.12.0-dev,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.12.0-dev,true,threat,threat.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.12.0-dev,true,threat,threat.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. +8.12.0-dev,true,threat,threat.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev,true,threat,threat.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.12.0-dev,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.12.0-dev,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.12.0-dev,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.12.0-dev,true,threat,threat.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. +8.12.0-dev,true,threat,threat.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.12.0-dev,true,threat,threat.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. +8.12.0-dev,true,threat,threat.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.12.0-dev,true,threat,threat.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 
+8.12.0-dev,true,threat,threat.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.12.0-dev,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. +8.12.0-dev,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +8.12.0-dev,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. +8.12.0-dev,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +8.12.0-dev,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +8.12.0-dev,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.12.0-dev,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.12.0-dev,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.12.0-dev,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.12.0-dev,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.12.0-dev,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.12.0-dev,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+8.12.0-dev,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.12.0-dev,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.12.0-dev,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.12.0-dev,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.12.0-dev,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.12.0-dev,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.12.0-dev,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.12.0-dev,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.12.0-dev,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.12.0-dev,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.12.0-dev,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.12.0-dev,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
+8.12.0-dev,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.12.0-dev,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.12.0-dev,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.12.0-dev,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.12.0-dev,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. +8.12.0-dev,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +8.12.0-dev,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. +8.12.0-dev,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. +8.12.0-dev,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +8.12.0-dev,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.12.0-dev,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. +8.12.0-dev,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.12.0-dev,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.12.0-dev,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. +8.12.0-dev,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.12.0-dev,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. +8.12.0-dev,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 
+8.12.0-dev,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +8.12.0-dev,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +8.12.0-dev,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking +8.12.0-dev,true,threat,threat.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version +8.12.0-dev,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. +8.12.0-dev,true,threat,threat.indicator.name,keyword,extended,,5.2.75.227,Indicator display name +8.12.0-dev,true,threat,threat.indicator.port,long,extended,,443,Indicator port +8.12.0-dev,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +8.12.0-dev,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +8.12.0-dev,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +8.12.0-dev,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +8.12.0-dev,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +8.12.0-dev,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +8.12.0-dev,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. 
+8.12.0-dev,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +8.12.0-dev,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. +8.12.0-dev,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics +8.12.0-dev,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed +8.12.0-dev,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +8.12.0-dev,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +8.12.0-dev,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +8.12.0-dev,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +8.12.0-dev,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.12.0-dev,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.12.0-dev,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.12.0-dev,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.12.0-dev,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. +8.12.0-dev,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +8.12.0-dev,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." 
+8.12.0-dev,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. +8.12.0-dev,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +8.12.0-dev,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +8.12.0-dev,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +8.12.0-dev,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.12.0-dev,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. +8.12.0-dev,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.12.0-dev,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.12.0-dev,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.12.0-dev,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.12.0-dev,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.12.0-dev,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.12.0-dev,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+8.12.0-dev,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.12.0-dev,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.12.0-dev,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.12.0-dev,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.12.0-dev,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.12.0-dev,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.12.0-dev,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.12.0-dev,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.12.0-dev,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.12.0-dev,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.12.0-dev,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.12.0-dev,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
+8.12.0-dev,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.12.0-dev,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.12.0-dev,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.12.0-dev,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.12.0-dev,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. +8.12.0-dev,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software +8.12.0-dev,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software +8.12.0-dev,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. +8.12.0-dev,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. +8.12.0-dev,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. +8.12.0-dev,true,threat,threat.software.type,keyword,extended,,Tool,Software type. +8.12.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. +8.12.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. +8.12.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. +8.12.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. +8.12.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. +8.12.0-dev,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name. 
+8.12.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. +8.12.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. +8.12.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. +8.12.0-dev,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name. +8.12.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. +8.12.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. +8.12.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. +8.12.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. +8.12.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. +8.12.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. +8.12.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. 
+8.12.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. +8.12.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. +8.12.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. +8.12.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. +8.12.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. +8.12.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. +8.12.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. +8.12.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.12.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.12.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.12.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
+8.12.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.12.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.12.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.12.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.12.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.12.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.12.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.12.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.12.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.12.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.12.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.12.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.12.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
+8.12.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.12.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.12.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.12.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.12.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.12.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.12.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. +8.12.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." +8.12.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +8.12.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. +8.12.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +8.12.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. +8.12.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. 
+8.12.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. +8.12.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. +8.12.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. +8.12.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. +8.12.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. +8.12.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. +8.12.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. +8.12.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. +8.12.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.12.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
+8.12.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.12.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.12.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.12.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.12.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.12.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.12.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.12.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.12.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.12.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.12.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.12.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.12.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. 
+8.12.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.12.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.12.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.12.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.12.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.12.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.12.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.12.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.12.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. +8.12.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. +8.12.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. +8.12.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. +8.12.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. +8.12.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. +8.12.0-dev,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." 
+8.12.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. +8.12.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.12.0-dev,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.12.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.12.0-dev,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.12.0-dev,true,url,url.password,keyword,extended,,,Password of the request. +8.12.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +8.12.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443." +8.12.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. +8.12.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +8.12.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. +8.12.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. +8.12.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.12.0-dev,true,url,url.username,keyword,extended,,,Username of the request. +8.12.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. +8.12.0-dev,true,user,user.changes.email,keyword,extended,,,User email address. +8.12.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.12.0-dev,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
+8.12.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.12.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group. +8.12.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.12.0-dev,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.12.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.12.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. +8.12.0-dev,true,user,user.effective.email,keyword,extended,,,User email address. +8.12.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.12.0-dev,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.12.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.12.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group. +8.12.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
+8.12.0-dev,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.12.0-dev,true,user,user.email,keyword,extended,,,User email address. +8.12.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.12.0-dev,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.12.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.12.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group. +8.12.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.12.0-dev,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.12.0-dev,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. 
+8.12.0-dev,true,user,user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.12.0-dev,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.12.0-dev,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.12.0-dev,true,user,user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +8.12.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.12.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. +8.12.0-dev,true,user,user.target.email,keyword,extended,,,User email address. +8.12.0-dev,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.12.0-dev,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.12.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.12.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group. +8.12.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.12.0-dev,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.12.0-dev,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. +8.12.0-dev,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
+8.12.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.12.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. +8.12.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. +8.12.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +8.12.0-dev,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +8.12.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +8.12.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.12.0-dev,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.12.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +8.12.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +8.12.0-dev,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +8.12.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +8.12.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." 
+8.12.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +8.12.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. +8.12.0-dev,true,volume,volume.bus_type,keyword,extended,,FileBackedVirtual,Bus type of the device. +8.12.0-dev,true,volume,volume.default_access,keyword,extended,,,Bus type of the device. +8.12.0-dev,true,volume,volume.device_name,keyword,extended,,,Device name of the volume. +8.12.0-dev,true,volume,volume.device_type,keyword,extended,,CD-ROM File System,Volume device type. +8.12.0-dev,true,volume,volume.dos_name,keyword,extended,,E:,DOS name of the device. +8.12.0-dev,true,volume,volume.file_system_type,keyword,extended,,,Volume device file system type. +8.12.0-dev,true,volume,volume.mount_name,keyword,extended,,,Mount name of the volume. +8.12.0-dev,true,volume,volume.nt_name,keyword,extended,,\Device\Cdrom1,NT name of the device. +8.12.0-dev,true,volume,volume.product_id,keyword,extended,,,ProductID of the device. +8.12.0-dev,true,volume,volume.product_name,keyword,extended,,Virtual DVD-ROM,Produce name of the volume. +8.12.0-dev,true,volume,volume.removable,boolean,extended,,,Indicates if the volume is removable. +8.12.0-dev,true,volume,volume.serial_number,keyword,extended,,,Serial number of the device. +8.12.0-dev,true,volume,volume.size,long,extended,,,Size of the volume device in bytes. +8.12.0-dev,true,volume,volume.vendor_id,keyword,extended,,,VendorID of the device. +8.12.0-dev,true,volume,volume.vendor_name,keyword,extended,,Msft,Vendor name of the device. +8.12.0-dev,true,volume,volume.writable,boolean,extended,,,Indicates if the volume is writable. +8.12.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. +8.12.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. 
+8.12.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +8.12.0-dev,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +8.12.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. +8.12.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. +8.12.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. +8.12.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. +8.12.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. +8.12.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. +8.12.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. +8.12.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. +8.12.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. +8.12.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. diff --git a/generated/elasticsearch/composable/component/agent.json b/generated/elasticsearch/composable/component/agent.json index e207406596..50480c9cbb 100644 --- a/generated/elasticsearch/composable/component/agent.json +++ b/generated/elasticsearch/composable/component/agent.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { 
diff --git a/generated/elasticsearch/composable/component/base.json b/generated/elasticsearch/composable/component/base.json index 9c16288bcc..4f23f82647 100644 --- a/generated/elasticsearch/composable/component/base.json +++ b/generated/elasticsearch/composable/component/base.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/client.json b/generated/elasticsearch/composable/component/client.json index 24913a8580..12ad20b7eb 100644 --- a/generated/elasticsearch/composable/component/client.json +++ b/generated/elasticsearch/composable/component/client.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/cloud.json b/generated/elasticsearch/composable/component/cloud.json index 6e0be85020..a8a8b153ce 100644 --- a/generated/elasticsearch/composable/component/cloud.json +++ b/generated/elasticsearch/composable/component/cloud.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cloud.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/container.json b/generated/elasticsearch/composable/component/container.json index dfdf4e007e..c7312c0590 100644 --- a/generated/elasticsearch/composable/component/container.json +++ b/generated/elasticsearch/composable/component/container.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-container.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { 
diff --git a/generated/elasticsearch/composable/component/data_stream.json b/generated/elasticsearch/composable/component/data_stream.json index e2faeb9785..e651fedd50 100644 --- a/generated/elasticsearch/composable/component/data_stream.json +++ b/generated/elasticsearch/composable/component/data_stream.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-data_stream.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/destination.json b/generated/elasticsearch/composable/component/destination.json index 70dadaec07..590ee3e5a5 100644 --- a/generated/elasticsearch/composable/component/destination.json +++ b/generated/elasticsearch/composable/component/destination.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/device.json b/generated/elasticsearch/composable/component/device.json index bf44b66897..e03f268c86 100644 --- a/generated/elasticsearch/composable/component/device.json +++ b/generated/elasticsearch/composable/component/device.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-device.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/dll.json b/generated/elasticsearch/composable/component/dll.json index 4873d9aaf1..d3561dd742 100644 --- a/generated/elasticsearch/composable/component/dll.json +++ b/generated/elasticsearch/composable/component/dll.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dll.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { 
diff --git a/generated/elasticsearch/composable/component/dns.json b/generated/elasticsearch/composable/component/dns.json index 4b1450b55e..06ca50ac7f 100644 --- a/generated/elasticsearch/composable/component/dns.json +++ b/generated/elasticsearch/composable/component/dns.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/ecs.json b/generated/elasticsearch/composable/component/ecs.json index 064553bc8b..083fc546bd 100644 --- a/generated/elasticsearch/composable/component/ecs.json +++ b/generated/elasticsearch/composable/component/ecs.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/email.json b/generated/elasticsearch/composable/component/email.json index 59964f24e3..94e8c70084 100644 --- a/generated/elasticsearch/composable/component/email.json +++ b/generated/elasticsearch/composable/component/email.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-email.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/error.json b/generated/elasticsearch/composable/component/error.json index b064151cb3..826c6bac1a 100644 --- a/generated/elasticsearch/composable/component/error.json +++ b/generated/elasticsearch/composable/component/error.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-error.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { 
diff --git a/generated/elasticsearch/composable/component/event.json b/generated/elasticsearch/composable/component/event.json index ad7a59e32b..7ae691519c 100644 --- a/generated/elasticsearch/composable/component/event.json +++ b/generated/elasticsearch/composable/component/event.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/faas.json b/generated/elasticsearch/composable/component/faas.json index 5b2eba8e0f..4f54d3e060 100644 --- a/generated/elasticsearch/composable/component/faas.json +++ b/generated/elasticsearch/composable/component/faas.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-faas.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/file.json b/generated/elasticsearch/composable/component/file.json index 07900489e8..d055adf323 100644 --- a/generated/elasticsearch/composable/component/file.json +++ b/generated/elasticsearch/composable/component/file.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/group.json b/generated/elasticsearch/composable/component/group.json index 37dc0ff4c0..c7e37d2323 100644 --- a/generated/elasticsearch/composable/component/group.json +++ b/generated/elasticsearch/composable/component/group.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-group.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { 
diff --git a/generated/elasticsearch/composable/component/host.json b/generated/elasticsearch/composable/component/host.json index e15b54b955..a955778bfe 100644 --- a/generated/elasticsearch/composable/component/host.json +++ b/generated/elasticsearch/composable/component/host.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/http.json b/generated/elasticsearch/composable/component/http.json index 962c0df94e..9d209b4a3a 100644 --- a/generated/elasticsearch/composable/component/http.json +++ b/generated/elasticsearch/composable/component/http.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/log.json b/generated/elasticsearch/composable/component/log.json index 639e9572ac..9703a4b497 100644 --- a/generated/elasticsearch/composable/component/log.json +++ b/generated/elasticsearch/composable/component/log.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/network.json b/generated/elasticsearch/composable/component/network.json index f9e9ba169e..1725824f84 100644 --- a/generated/elasticsearch/composable/component/network.json +++ b/generated/elasticsearch/composable/component/network.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { 
diff --git a/generated/elasticsearch/composable/component/observer.json b/generated/elasticsearch/composable/component/observer.json index fb99b023d4..99008f11a8 100644 --- a/generated/elasticsearch/composable/component/observer.json +++ b/generated/elasticsearch/composable/component/observer.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/orchestrator.json b/generated/elasticsearch/composable/component/orchestrator.json index 23f91636b8..53a1bd6b89 100644 --- a/generated/elasticsearch/composable/component/orchestrator.json +++ b/generated/elasticsearch/composable/component/orchestrator.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-orchestrator.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/organization.json b/generated/elasticsearch/composable/component/organization.json index bf120cd532..56762f3de6 100644 --- a/generated/elasticsearch/composable/component/organization.json +++ b/generated/elasticsearch/composable/component/organization.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-organization.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/package.json b/generated/elasticsearch/composable/component/package.json index 974dc9830e..6376f5b53f 100644 --- a/generated/elasticsearch/composable/component/package.json +++ b/generated/elasticsearch/composable/component/package.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-package.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/process.json b/generated/elasticsearch/composable/component/process.json index 42b78ee2eb..c20dbd00f2 100644 --- a/generated/elasticsearch/composable/component/process.json +++ b/generated/elasticsearch/composable/component/process.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/registry.json b/generated/elasticsearch/composable/component/registry.json index 4582074524..3856c6e3cb 100644 --- a/generated/elasticsearch/composable/component/registry.json +++ b/generated/elasticsearch/composable/component/registry.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-registry.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/related.json b/generated/elasticsearch/composable/component/related.json index 8b4234770b..cac093b662 100644 --- a/generated/elasticsearch/composable/component/related.json +++ b/generated/elasticsearch/composable/component/related.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-related.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/rule.json b/generated/elasticsearch/composable/component/rule.json index 5736ae5394..a3694fd784 100644 --- a/generated/elasticsearch/composable/component/rule.json +++ b/generated/elasticsearch/composable/component/rule.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/server.json b/generated/elasticsearch/composable/component/server.json index d0837d773f..e8978c26ff 100644 --- a/generated/elasticsearch/composable/component/server.json +++ b/generated/elasticsearch/composable/component/server.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/service.json b/generated/elasticsearch/composable/component/service.json index 2302f448c3..17648ead56 100644 --- a/generated/elasticsearch/composable/component/service.json +++ b/generated/elasticsearch/composable/component/service.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/source.json b/generated/elasticsearch/composable/component/source.json index 593d2c1154..0555f13234 100644 --- a/generated/elasticsearch/composable/component/source.json +++ b/generated/elasticsearch/composable/component/source.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/threat.json b/generated/elasticsearch/composable/component/threat.json index ec22b3ddd8..178ab4359c 100644 --- a/generated/elasticsearch/composable/component/threat.json +++ b/generated/elasticsearch/composable/component/threat.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-threat.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/tls.json b/generated/elasticsearch/composable/component/tls.json index fd76fce78b..f3f26026cf 100644 --- a/generated/elasticsearch/composable/component/tls.json +++ b/generated/elasticsearch/composable/component/tls.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tls.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/tracing.json b/generated/elasticsearch/composable/component/tracing.json index 1f13548585..250aa8ed1e 100644 --- a/generated/elasticsearch/composable/component/tracing.json +++ b/generated/elasticsearch/composable/component/tracing.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tracing.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/url.json b/generated/elasticsearch/composable/component/url.json index ef68854e78..c14680686d 100644 --- a/generated/elasticsearch/composable/component/url.json +++ b/generated/elasticsearch/composable/component/url.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/user.json b/generated/elasticsearch/composable/component/user.json index 19236c6634..a98f31729b 100644 --- a/generated/elasticsearch/composable/component/user.json +++ b/generated/elasticsearch/composable/component/user.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/user_agent.json b/generated/elasticsearch/composable/component/user_agent.json index 1e4acd0efb..9ab60f9068 100644 --- a/generated/elasticsearch/composable/component/user_agent.json +++ b/generated/elasticsearch/composable/component/user_agent.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/volume.json b/generated/elasticsearch/composable/component/volume.json new file mode 100644 index 0000000000..b83bf621eb --- /dev/null +++ b/generated/elasticsearch/composable/component/volume.json 
@@ -0,0 +1,77 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-volume.html", + "ecs_version": "8.12.0-dev" + }, + "template": { + "mappings": { + "properties": { + "volume": { + "properties": { + "bus_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "default_access": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dos_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_system_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mount_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nt_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "removable": { + "type": "boolean" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "vendor_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "writable": { + "type": "boolean" + } + } + } + } + } + } +} diff --git a/generated/elasticsearch/composable/component/vulnerability.json b/generated/elasticsearch/composable/component/vulnerability.json index da7d8cc253..58f2df9bb6 100644 --- a/generated/elasticsearch/composable/component/vulnerability.json +++ b/generated/elasticsearch/composable/component/vulnerability.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/template.json b/generated/elasticsearch/composable/template.json index d44ce68eca..1a16f6ab83 100644 --- a/generated/elasticsearch/composable/template.json 
+++ b/generated/elasticsearch/composable/template.json 
@@ -1,49 +1,49 @@ { "_meta": { "description": "Sample composable template that includes all ECS fields", - "ecs_version": "8.11.0-dev" + "ecs_version": "8.12.0-dev" }, "composed_of": [ - "ecs_8.11.0-dev_base", - "ecs_8.11.0-dev_agent", - "ecs_8.11.0-dev_client", - "ecs_8.11.0-dev_cloud", - "ecs_8.11.0-dev_container", - "ecs_8.11.0-dev_data_stream", - "ecs_8.11.0-dev_destination", - "ecs_8.11.0-dev_device", - "ecs_8.11.0-dev_dll", - "ecs_8.11.0-dev_dns", - "ecs_8.11.0-dev_ecs", - "ecs_8.11.0-dev_email", - "ecs_8.11.0-dev_error", - "ecs_8.11.0-dev_event", - "ecs_8.11.0-dev_faas", - "ecs_8.11.0-dev_file", - "ecs_8.11.0-dev_group", - "ecs_8.11.0-dev_host", - "ecs_8.11.0-dev_http", - "ecs_8.11.0-dev_log", - "ecs_8.11.0-dev_network", - "ecs_8.11.0-dev_observer", - "ecs_8.11.0-dev_orchestrator", - "ecs_8.11.0-dev_organization", - "ecs_8.11.0-dev_package", - "ecs_8.11.0-dev_process", - "ecs_8.11.0-dev_registry", - "ecs_8.11.0-dev_related", - "ecs_8.11.0-dev_rule", - "ecs_8.11.0-dev_server", - "ecs_8.11.0-dev_service", - "ecs_8.11.0-dev_source", - "ecs_8.11.0-dev_threat", - "ecs_8.11.0-dev_tls", - "ecs_8.11.0-dev_tracing", - "ecs_8.11.0-dev_url", - "ecs_8.11.0-dev_user_agent", - "ecs_8.11.0-dev_user", - "ecs_8.11.0-dev_volume", - "ecs_8.11.0-dev_vulnerability" + "ecs_8.12.0-dev_base", + "ecs_8.12.0-dev_agent", + "ecs_8.12.0-dev_client", + "ecs_8.12.0-dev_cloud", + "ecs_8.12.0-dev_container", + "ecs_8.12.0-dev_data_stream", + "ecs_8.12.0-dev_destination", + "ecs_8.12.0-dev_device", + "ecs_8.12.0-dev_dll", + "ecs_8.12.0-dev_dns", + "ecs_8.12.0-dev_ecs", + "ecs_8.12.0-dev_email", + "ecs_8.12.0-dev_error", + "ecs_8.12.0-dev_event", + "ecs_8.12.0-dev_faas", + "ecs_8.12.0-dev_file", + "ecs_8.12.0-dev_group", + "ecs_8.12.0-dev_host", + "ecs_8.12.0-dev_http", + "ecs_8.12.0-dev_log", + "ecs_8.12.0-dev_network", + "ecs_8.12.0-dev_observer", + "ecs_8.12.0-dev_orchestrator", + "ecs_8.12.0-dev_organization", + "ecs_8.12.0-dev_package", + "ecs_8.12.0-dev_process", + 
"ecs_8.12.0-dev_registry", + "ecs_8.12.0-dev_related", + "ecs_8.12.0-dev_rule", + "ecs_8.12.0-dev_server", + "ecs_8.12.0-dev_service", + "ecs_8.12.0-dev_source", + "ecs_8.12.0-dev_threat", + "ecs_8.12.0-dev_tls", + "ecs_8.12.0-dev_tracing", + "ecs_8.12.0-dev_url", + "ecs_8.12.0-dev_user_agent", + "ecs_8.12.0-dev_user", + "ecs_8.12.0-dev_volume", + "ecs_8.12.0-dev_vulnerability" ], "index_patterns": [ "try-ecs-*" diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index 7da741a2d9..4ac8441518 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -4,7 +4,7 @@ ], "mappings": { "_meta": { - "version": "8.11.0-dev" + "version": "8.12.0-dev" }, "date_detection": false, "dynamic_templates": [ diff --git a/version b/version index f9f9fe18c7..b659a6eb73 100644 --- a/version +++ b/version @@ -1 +1 @@ -8.11.0-dev +8.12.0-dev From a1333d102673170afae225b5ae8d77178d1a6473 Mon Sep 17 00:00:00 2001 From: Taylor Swanson <90622908+taylor-swanson@users.noreply.github.com> Date: Tue, 3 Oct 2023 12:37:34 -0500 Subject: [PATCH 127/186] 8.11 FF changelog updates (#2284) --- CHANGELOG.next.md | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 1fce70ac4a..029229ee84 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -14,12 +14,8 @@ Thanks, you're awesome :-) --> #### Bugfixes -* Remove `expected_values` from `threat.*.indicator.name` fields. #2281 - #### Added -* Added `volume.*` as beta field set. #2269 - #### Improvements #### Deprecated 
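Review bot: `generated/elasticsearch/composable/component/volume.json` lands here as `new file mode 100644`, but the `composed_of` list in `generated/elasticsearch/composable/template.json` already had `"ecs_8.11.0-dev_volume"` on its `-` side, so before this commit the sample template referenced a component that did not exist in the tree. That points to the earlier `volume.*` change having been merged without a full generator run; please confirm a regeneration after this bump produces no further diffs, and keep the missing artifact separate from the version bump so the bump stays a pure `8.11.0-dev` to `8.12.0-dev` substitution. The new `volume.json` itself is consistent with the RFC examples (`size` as `long`, `removable`/`writable` as `boolean`, the rest `keyword` with `ignore_above: 1024`).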
@@ -30,14 +26,31 @@ Thanks, you're awesome :-) --> #### Bugfixes -* Respect reusable.top_level in Beats generator #2278 - #### Added #### Improvements #### Deprecated + +## 8.11.0 (Feature Freeze) + +### Schema Changes + +#### Bugfixes + +* Remove `expected_values` from `threat.*.indicator.name` fields. #2281 + +#### Added + +* Added `volume.*` as beta field set. #2269 + +### Tooling and Artifact Changes + +#### Bugfixes + +* Respect reusable.top_level in Beats generator #2278 + #### Added +* Added `volume.*` as beta field set. #2269 + #### Improvements #### Deprecated @@ -32,25 +34,6 @@ Thanks, you're awesome :-) --> #### Deprecated - -## 8.11.0 (Feature Freeze) - -### Schema Changes - -#### Bugfixes - -* Remove `expected_values` from `threat.*.indicator.name` fields. #2281 - -#### Added - -* Added `volume.*` as beta field set. #2269 - -### Tooling and Artifact Changes - -#### Bugfixes - -* Respect reusable.top_level in Beats generator #2278 - -- Stage: **2 (candidate)** -- Date: **2023-09-11** +- Stage: **3 (finished)** +- Date: **2023-12-12** + +### Volume device event from a host + ```json { - "@timestamp":"2023-08-24T12:37:59.9817807Z", + "@timestamp":"2023-10-04T06:04:02.1449425Z", "agent": { "id":"ada69fee-8801-4248-9ea5-acada41cef88", @@ -232,13 +235,13 @@ Stage 1: Provide a high-level description of example sources of data. This does "category": [ "volume_device" ], - "created":"2023-08-24T12:37:59.9817807Z", + "created":"2023-10-04T06:04:02.1449425Z", "dataset":"endpoint.events.volume_device", - "id":"NCRD4OiOt10Kj8r9++++++e0", + "id":"NFo+FezAt1+c7ZVs++++++Lm", "kind":"event", "module":"endpoint", "outcome":"success", - "sequence":1759, + "sequence":1656, "type": [ "start" ] @@ -246,7 +249,7 @@ Stage 1: Provide a high-level description of example sources of data. This does "host": { "architecture":"x86_64", - "hostname":"win11vm", + "hostname":"win11-laptop", "id":"01d52cf8-1917-4fab-8317-100076ab9aab", "ip": [ 
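Review bot: in the `CHANGELOG.next.md` hunk `@@ -30,14 +26,31 @@`, `* Added `volume.*` as beta field set. #2269` appears twice as an added line, once under `### Schema Changes` / `#### Added` inside the new `## 8.11.0 (Feature Freeze)` block and again directly after the `#### Added` heading that follows `### Tooling and Artifact Changes`. A field set addition is a schema change only; drop the second copy so the 8.11.0 notes (and the later hunk that lifts the block out of this file again) do not carry the duplicate. The moves of `#2281` and `#2278` into the frozen block otherwise line up with the removals in the preceding `@@ -14,12 +14,8 @@` hunk.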
@@ -255,7 +258,7 @@ Stage 1: Provide a high-level description of example sources of data. This does "mac": [ "00-0a-9d-b2-55-61" ], - "name":"win11vm", + "name":"win11-laptop", "os": { "Ext": @@ -292,16 +295,16 @@ Stage 1: Provide a high-level description of example sources of data. This does "subject_name":"Microsoft Windows", "trusted":true }, - "entity_id":"NWRhNjlkZWUtODgwNS00MjZiLTllYTUtYmM5ZGE0MGMwZjc3LTY1ODAtMTY5Mjc1ODgyNC40OTIxMjU5MDA=", + "entity_id":"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTcwMDAtMTY5NjA4NDk2My40MjAxMDc1MDA=", "executable":"C:\\Windows\\explorer.exe", "name":"explorer.exe", - "pid":6580 + "pid":7000 }, "user": { - "domain":"WIN11VM", - "id":"S-1-5-21-3464081356-156823451-1687200008-1001", - "name":"john" + "domain":"win11-laptop", + "id":"S-1-5-21-3464081356-168676461-1647206113-1001", + "name":"john doe" }, "volume": { 
@@ -313,8 +316,124 @@ Stage 1: Provide a high-level description of example sources of data. This does "product_name":"Virtual DVD-ROM", "serial_number":"", "vendor_name":"Msft", - "size": 1000,000,000, - "removable": true + "size": 1439744, + "removable": true, + "writable": false + } +} +``` + +### Volume device event from an AWS EC2 instance: + +``` +{ + "@timestamp": "2023-10-03T09:11:44.7139082Z", + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.11.0-SNAPSHOT" + }, + "data_stream": { + "dataset": "endpoint.events.volume_device", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "1.11.0" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "event": { + "action": "mount", + "category": [ + "volume_device" + ], + "created": "2023-10-03T09:11:44.7139082Z", + "dataset": "endpoint.events.volume_device", + "id": "NFjOC63JOYrK5sD+++++++hN", + "kind": "event", + "module": "endpoint", + "outcome": "success", + "sequence": 1859, + "type": [ + "start" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "ec2amaz-9c327o5", + "id": "00000000-0000-0000-0000-000000000000", + "ip": [ + "172.31.0.74", + "fe80::be8c:c386:ee1d:7361", + "127.0.0.1", + "::1" + ], + "mac": [ + "02-86-18-1a-ff-5b" + ], + "name": "ec2amaz-9c327o5", + "os": { + "Ext": { + "variant": "Windows Server 2022 Datacenter" + }, + "family": "windows", + "full": "Windows Server 2022 Datacenter 21H2 (10.0.20348.1970)", + "kernel": "21H2 (10.0.20348.1970)", + "name": "Windows", + "platform": "windows", + "type": "windows", + "version": "21H2 (10.0.20348.1970)" + } + }, + "message": "Endpoint volume device event", + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTg4MC0xNjk2MzIwNDUzLjgxMjk5NTEwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTc3Mi0xNjk2MzIwNDUyLjc3NjA4MTUwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTY2MC0xNjk2MzIwNDUyLjUwMDIxMzQwMA==" + ], + "code_signature": [ + { + "exists": true, + "status": "trusted", + "subject_name": "Microsoft Windows", + "trusted": true + } + ] + }, + "code_signature": { + "exists": true, + "status": "trusted", + "subject_name": "Microsoft Windows", + "trusted": true + }, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTU5NTItMTY5NjMyNDMwMS44NjM1NzI0MDA=", + "executable": "C:\\Windows\\System32\\dllhost.exe", + "name": "dllhost.exe", + "pid": 5952 + }, + "user": { + "domain": "EC2AMAZ-9C327O5", + "id": "S-1-5-21-1707753557-122306462-275618382-500", + "name": "Administrator" + }, + "volume": { + "bus_type": "Ssa", + "device_type": "CD-ROM File System", + "dos_name": "D:", + "file_system_type": "UDF", + "nt_name": "\\Device\\CdRom1", + "product_name": "Virtual DVD-ROM", + "size": 1511424, + "serial_number": "", + "vendor_name": "Msft", + "removable": true, + "writable": false } } ``` @@ -394,6 +513,8 @@ https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%2 * Stage 2: https://github.com/elastic/ecs/pull/2260 +* Stage 3: https://github.com/elastic/ecs/pull/2279 + #### Added * Added `volume.*` as beta field set. #2269 +* Advanced `process.env_vars` to GA. #2315 #### Improvements diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index b71ae31f60..52a4f8769b 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -8101,9 +8101,7 @@ type: keyword [[field-process-env-vars]] <> -a| beta:[ This field is beta and subject to change. ] - -Array of environment variable bindings. Captured from a snapshot of the environment at the time of execution. +a| Array of environment variable bindings. Captured from a snapshot of the environment at the time of execution. May be filtered to protect sensitive information. 
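Review bot: in the `### Volume device event from an AWS EC2 instance` example, `"ecs": { "version": "1.11.0" }` contradicts the rest of the sample: it uses the `volume.*` fields this RFC introduces, `event.category` is `volume_device`, and `agent.version` is `8.11.0-SNAPSHOT`; set it to the ECS version the fields actually ship in. Two smaller points in the same region: the new example's fence is a bare ``` while the host example above it uses ```json, and the replacement of `"size": 1000,000,000` (not valid JSON) by `1439744` is the right fix but leaves the unit of `volume.size` unstated in the example text. Finally, `process.Ext.ancestry` and the `Ext` code-signature block are Elastic Endpoint extensions rather than ECS fields, so label them as such so readers do not take `Ext` for part of the proposed schema.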
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 9b74b8e01a..5d9d5b098b 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -8888,7 +8888,6 @@ process.entry_leader.working_directory: short: The working directory of the process. type: keyword process.env_vars: - beta: This field is beta and subject to change. dashed_name: process-env-vars description: 'Array of environment variable bindings. Captured from a snapshot of the environment at the time of execution. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 0eee0300d9..fad9d210b0 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -11098,7 +11098,6 @@ process: short: The working directory of the process. type: keyword process.env_vars: - beta: This field is beta and subject to change. dashed_name: process-env-vars description: 'Array of environment variable bindings. Captured from a snapshot of the environment at the time of execution. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index e5f035baa7..5246b72cc7 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -8819,7 +8819,6 @@ process.entry_leader.working_directory: short: The working directory of the process. type: keyword process.env_vars: - beta: This field is beta and subject to change. dashed_name: process-env-vars description: 'Array of environment variable bindings. Captured from a snapshot of the environment at the time of execution. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 048948d37f..4556bda9e7 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -11018,7 +11018,6 @@ process: short: The working directory of the process. type: keyword process.env_vars: - beta: This field is beta and subject to change. dashed_name: process-env-vars description: 'Array of environment variable bindings. Captured from a snapshot of the environment at the time of execution. diff --git a/schemas/process.yml b/schemas/process.yml index 674cfae2b6..2447d1a51f 100644 --- a/schemas/process.yml +++ b/schemas/process.yml @@ -307,7 +307,6 @@ - name: env_vars level: extended type: keyword - beta: This field is beta and subject to change. short: Array of environment variable bindings. description: > Array of environment variable bindings. From 7ba62a3614916bd50032aa241aa39e4527fe4696 Mon Sep 17 00:00:00 2001 From: Michael Wolf Date: Wed, 24 Jan 2024 10:46:05 -0800 Subject: [PATCH 136/186] Promote process.io and process.tty fields to GA (#2317) Remove process.io and process.tty fields from beta, and promote to GA. These fields have stabilized and are used in released features, so they can leave beta. --- CHANGELOG.next.md | 1 + docs/fields/field-details.asciidoc | 44 ++++++----------------- experimental/generated/ecs/ecs_flat.yml | 11 ------ experimental/generated/ecs/ecs_nested.yml | 11 ------ generated/ecs/ecs_flat.yml | 11 ------ generated/ecs/ecs_nested.yml | 11 ------ schemas/process.yml | 11 ------ 7 files changed, 12 insertions(+), 88 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 198542f139..b67cd5af89 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -18,6 +18,7 @@ Thanks, you're awesome :-) --> * Added `volume.*` as beta field set. #2269 * Advanced `process.env_vars` to GA. #2315 +* Advanced `process.io` and `process.tty` fields to GA. #2317 #### Improvements diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index 52a4f8769b..ad2f9d8ab1 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc 
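Review bot: promoting `process.env_vars` to GA in `schemas/process.yml` freezes a description whose only privacy guidance is `May be filtered to protect sensitive information.` Environment blocks routinely carry cloud access keys, API tokens and connection strings with embedded passwords, and once this is a GA `keyword` array every indexed binding is searchable by anyone with read access to the index. Before the beta flag goes, strengthen the description to say that producers are expected to redact or allowlist variable names by default and ship only the bindings the use case needs; the `ecs_flat.yml`, `ecs_nested.yml` and `field-details.asciidoc` hunks then pick the wording up on regeneration. The flag removal itself is consistent across `experimental/generated`, `generated` and the docs.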
@@ -8182,9 +8182,7 @@ example: `True` [[field-process-io]] <> -a| beta:[ This field is beta and subject to change. ] - -A chunk of input or output (IO) from a single process. +a| A chunk of input or output (IO) from a single process. This field only appears on the top level process object, which is the process that wrote the output or read the input. @@ -8202,9 +8200,7 @@ type: object [[field-process-io-bytes-skipped]] <> -a| beta:[ This field is beta and subject to change. ] - -An array of byte offsets and lengths denoting where IO data has been skipped. +a| An array of byte offsets and lengths denoting where IO data has been skipped. type: object @@ -8223,9 +8219,7 @@ Note: this field should contain an array of values. [[field-process-io-bytes-skipped-length]] <> -a| beta:[ This field is beta and subject to change. ] - -The length of bytes skipped. +a| The length of bytes skipped. type: long @@ -8241,9 +8235,7 @@ type: long [[field-process-io-bytes-skipped-offset]] <> -a| beta:[ This field is beta and subject to change. ] - -The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. +a| The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. type: long @@ -8259,9 +8251,7 @@ type: long [[field-process-io-max-bytes-per-process-exceeded]] <> -a| beta:[ This field is beta and subject to change. ] - -If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting. +a| If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting. type: boolean 
@@ -8277,9 +8267,7 @@ type: boolean [[field-process-io-text]] <> -a| beta:[ This field is beta and subject to change. ] - -A chunk of output or input sanitized to UTF-8. +a| A chunk of output or input sanitized to UTF-8. Best efforts are made to ensure complete lines are captured in these events. Assumptions should NOT be made that multiple lines will appear in the same event. TTY output may contain terminal control codes such as for cursor movement, so some string queries may not match due to terminal codes inserted between characters of a word. @@ -8297,9 +8285,7 @@ type: wildcard [[field-process-io-total-bytes-captured]] <> -a| beta:[ This field is beta and subject to change. ] - -The total number of bytes captured in this event. +a| The total number of bytes captured in this event. type: long @@ -8315,9 +8301,7 @@ type: long [[field-process-io-total-bytes-skipped]] <> -a| beta:[ This field is beta and subject to change. ] - -The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure this value is always zero +a| The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure this value is always zero type: long @@ -8333,9 +8317,7 @@ type: long [[field-process-io-type]] <> -a| beta:[ This field is beta and subject to change. ] - -The type of object on which the IO action (read or write) was taken. +a| The type of object on which the IO action (read or write) was taken. Currently only 'tty' is supported. Other types may be added in the future for 'file' and 'socket' support. 
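Review bot: the GA promotion leaves the naming mismatch between `process.io.max_bytes_per_process_exceeded` and the `max_kilobytes_per_process configuration setting` its description points at (hunk `@@ -8259,9 +8251,7 @@`). Field names cannot change after GA without a breaking change, so either correct the setting reference in the text or state explicitly that the field reports against a kilobyte-denominated limit. In the same group, the `total_bytes_skipped` sentence `Implementors should strive to ensure this value is always zero` lacks a terminating period, and the `process.io.text` note that `TTY output may contain terminal control codes` is the one rule authors most need: a string match on `io.text` can miss a command when escape sequences sit between its characters, so a pointer from there to `bytes_skipped` and `total_bytes_skipped` as the fields to check before trusting a negative match would make the caveat actionable.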
@@ -8593,9 +8575,7 @@ example: `1` [[field-process-tty-columns]] <> -a| beta:[ This field is beta and subject to change. ] - -The number of character columns per line. e.g terminal width +a| The number of character columns per line. e.g terminal width Terminal sizes can change, so this value reflects the maximum value for a given IO event. i.e. where event.action = 'text_output' @@ -8613,9 +8593,7 @@ example: `80` [[field-process-tty-rows]] <> -a| beta:[ This field is beta and subject to change. ] - -The number of character rows in the terminal. e.g terminal height +a| The number of character rows in the terminal. e.g terminal height Terminal sizes can change, so this value reflects the maximum value for a given IO event. i.e. where event.action = 'text_output' diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 5d9d5b098b..e3c678dd5c 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -9448,7 +9448,6 @@ process.interactive: short: Whether the process is connected to an interactive shell. type: boolean process.io: - beta: This field is beta and subject to change. dashed_name: process-io description: 'A chunk of input or output (IO) from a single process. @@ -9461,7 +9460,6 @@ process.io: short: A chunk of input or output (IO) from a single process. type: object process.io.bytes_skipped: - beta: This field is beta and subject to change. dashed_name: process-io-bytes-skipped description: An array of byte offsets and lengths denoting where IO data has been skipped. @@ -9473,7 +9471,6 @@ process.io.bytes_skipped: short: An array of byte offsets and lengths denoting where IO data has been skipped. type: object process.io.bytes_skipped.length: - beta: This field is beta and subject to change. dashed_name: process-io-bytes-skipped-length description: The length of bytes skipped. flat_name: process.io.bytes_skipped.length 
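Review bot: in the `process.tty.columns` and `process.tty.rows` hunks (`@@ -8593,9 +8575,7 @@` and `@@ -8613,9 +8593,7 @@`), `e.g terminal width` and `e.g terminal height` should read `e.g.`, and the dangling fragment `i.e. where event.action = 'text_output'` reads better folded into the preceding sentence (`...the maximum value for a given IO event, i.e. where event.action = 'text_output'.`). These descriptions are copied verbatim into `field-details.asciidoc` by the generator, so fixing them in `schemas/process.yml` now, before GA, is the cheap moment.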
@@ -9483,7 +9480,6 @@ process.io.bytes_skipped.length: short: The length of bytes skipped. type: long process.io.bytes_skipped.offset: - beta: This field is beta and subject to change. dashed_name: process-io-bytes-skipped-offset description: The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. @@ -9495,7 +9491,6 @@ process.io.bytes_skipped.offset: length bytes were skipped. type: long process.io.max_bytes_per_process_exceeded: - beta: This field is beta and subject to change. dashed_name: process-io-max-bytes-per-process-exceeded description: If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting. @@ -9507,7 +9502,6 @@ process.io.max_bytes_per_process_exceeded: configuration setting. type: boolean process.io.text: - beta: This field is beta and subject to change. dashed_name: process-io-text description: 'A chunk of output or input sanitized to UTF-8. @@ -9522,7 +9516,6 @@ process.io.text: short: A chunk of output or input sanitized to UTF-8. type: wildcard process.io.total_bytes_captured: - beta: This field is beta and subject to change. dashed_name: process-io-total-bytes-captured description: The total number of bytes captured in this event. flat_name: process.io.total_bytes_captured @@ -9532,7 +9525,6 @@ process.io.total_bytes_captured: short: The total number of bytes captured in this event. type: long process.io.total_bytes_skipped: - beta: This field is beta and subject to change. dashed_name: process-io-total-bytes-skipped description: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure @@ -9545,7 +9537,6 @@ process.io.total_bytes_skipped: such as buffer size limits. type: long process.io.type: - beta: This field is beta and subject to change. dashed_name: process-io-type description: 'The type of object on which the IO action (read or write) was taken. 
@@ -12602,7 +12593,6 @@ process.tty.char_device.minor: short: The TTY character device's minor number. type: long process.tty.columns: - beta: This field is beta and subject to change. dashed_name: process-tty-columns description: 'The number of character columns per line. e.g terminal width @@ -12616,7 +12606,6 @@ process.tty.columns: short: The number of character columns per line. e.g terminal width type: long process.tty.rows: - beta: This field is beta and subject to change. dashed_name: process-tty-rows description: 'The number of character rows in the terminal. e.g terminal height diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index fad9d210b0..dd47d98b2f 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -11658,7 +11658,6 @@ process: short: Whether the process is connected to an interactive shell. type: boolean process.io: - beta: This field is beta and subject to change. dashed_name: process-io description: 'A chunk of input or output (IO) from a single process. @@ -11671,7 +11670,6 @@ process: short: A chunk of input or output (IO) from a single process. type: object process.io.bytes_skipped: - beta: This field is beta and subject to change. dashed_name: process-io-bytes-skipped description: An array of byte offsets and lengths denoting where IO data has been skipped. @@ -11684,7 +11682,6 @@ process: skipped. type: object process.io.bytes_skipped.length: - beta: This field is beta and subject to change. dashed_name: process-io-bytes-skipped-length description: The length of bytes skipped. flat_name: process.io.bytes_skipped.length @@ -11694,7 +11691,6 @@ process: short: The length of bytes skipped. type: long process.io.bytes_skipped.offset: - beta: This field is beta and subject to change. dashed_name: process-io-bytes-skipped-offset description: The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. 
@@ -11706,7 +11702,6 @@ process: where length bytes were skipped. type: long process.io.max_bytes_per_process_exceeded: - beta: This field is beta and subject to change. dashed_name: process-io-max-bytes-per-process-exceeded description: If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting. @@ -11718,7 +11713,6 @@ process: configuration setting. type: boolean process.io.text: - beta: This field is beta and subject to change. dashed_name: process-io-text description: 'A chunk of output or input sanitized to UTF-8. @@ -11734,7 +11728,6 @@ process: short: A chunk of output or input sanitized to UTF-8. type: wildcard process.io.total_bytes_captured: - beta: This field is beta and subject to change. dashed_name: process-io-total-bytes-captured description: The total number of bytes captured in this event. flat_name: process.io.total_bytes_captured @@ -11744,7 +11737,6 @@ process: short: The total number of bytes captured in this event. type: long process.io.total_bytes_skipped: - beta: This field is beta and subject to change. dashed_name: process-io-total-bytes-skipped description: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure @@ -11757,7 +11749,6 @@ process: restrictions such as buffer size limits. type: long process.io.type: - beta: This field is beta and subject to change. dashed_name: process-io-type description: 'The type of object on which the IO action (read or write) was taken. @@ -14820,7 +14811,6 @@ process: short: The TTY character device's minor number. type: long process.tty.columns: - beta: This field is beta and subject to change. dashed_name: process-tty-columns description: 'The number of character columns per line. e.g terminal width 
@@ -14834,7 +14824,6 @@ process: short: The number of character columns per line. e.g terminal width type: long process.tty.rows: - beta: This field is beta and subject to change. dashed_name: process-tty-rows description: 'The number of character rows in the terminal. e.g terminal height diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 5246b72cc7..468e30d9c6 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -9379,7 +9379,6 @@ process.interactive: short: Whether the process is connected to an interactive shell. type: boolean process.io: - beta: This field is beta and subject to change. dashed_name: process-io description: 'A chunk of input or output (IO) from a single process. @@ -9392,7 +9391,6 @@ process.io: short: A chunk of input or output (IO) from a single process. type: object process.io.bytes_skipped: - beta: This field is beta and subject to change. dashed_name: process-io-bytes-skipped description: An array of byte offsets and lengths denoting where IO data has been skipped. @@ -9404,7 +9402,6 @@ process.io.bytes_skipped: short: An array of byte offsets and lengths denoting where IO data has been skipped. type: object process.io.bytes_skipped.length: - beta: This field is beta and subject to change. dashed_name: process-io-bytes-skipped-length description: The length of bytes skipped. flat_name: process.io.bytes_skipped.length @@ -9414,7 +9411,6 @@ process.io.bytes_skipped.length: short: The length of bytes skipped. type: long process.io.bytes_skipped.offset: - beta: This field is beta and subject to change. dashed_name: process-io-bytes-skipped-offset description: The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. 
@@ -9426,7 +9422,6 @@ process.io.bytes_skipped.offset: length bytes were skipped. type: long process.io.max_bytes_per_process_exceeded: - beta: This field is beta and subject to change. dashed_name: process-io-max-bytes-per-process-exceeded description: If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting. @@ -9438,7 +9433,6 @@ process.io.max_bytes_per_process_exceeded: configuration setting. type: boolean process.io.text: - beta: This field is beta and subject to change. dashed_name: process-io-text description: 'A chunk of output or input sanitized to UTF-8. @@ -9453,7 +9447,6 @@ process.io.text: short: A chunk of output or input sanitized to UTF-8. type: wildcard process.io.total_bytes_captured: - beta: This field is beta and subject to change. dashed_name: process-io-total-bytes-captured description: The total number of bytes captured in this event. flat_name: process.io.total_bytes_captured @@ -9463,7 +9456,6 @@ process.io.total_bytes_captured: short: The total number of bytes captured in this event. type: long process.io.total_bytes_skipped: - beta: This field is beta and subject to change. dashed_name: process-io-total-bytes-skipped description: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure @@ -9476,7 +9468,6 @@ process.io.total_bytes_skipped: such as buffer size limits. type: long process.io.type: - beta: This field is beta and subject to change. dashed_name: process-io-type description: 'The type of object on which the IO action (read or write) was taken. @@ -12533,7 +12524,6 @@ process.tty.char_device.minor: short: The TTY character device's minor number. type: long process.tty.columns: - beta: This field is beta and subject to change. dashed_name: process-tty-columns description: 'The number of character columns per line. e.g terminal width 
@@ -12547,7 +12537,6 @@ process.tty.columns: short: The number of character columns per line. e.g terminal width type: long process.tty.rows: - beta: This field is beta and subject to change. dashed_name: process-tty-rows description: 'The number of character rows in the terminal. e.g terminal height diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 4556bda9e7..4aec3d3fd5 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -11578,7 +11578,6 @@ process: short: Whether the process is connected to an interactive shell. type: boolean process.io: - beta: This field is beta and subject to change. dashed_name: process-io description: 'A chunk of input or output (IO) from a single process. @@ -11591,7 +11590,6 @@ process: short: A chunk of input or output (IO) from a single process. type: object process.io.bytes_skipped: - beta: This field is beta and subject to change. dashed_name: process-io-bytes-skipped description: An array of byte offsets and lengths denoting where IO data has been skipped. @@ -11604,7 +11602,6 @@ process: skipped. type: object process.io.bytes_skipped.length: - beta: This field is beta and subject to change. dashed_name: process-io-bytes-skipped-length description: The length of bytes skipped. flat_name: process.io.bytes_skipped.length @@ -11614,7 +11611,6 @@ process: short: The length of bytes skipped. type: long process.io.bytes_skipped.offset: - beta: This field is beta and subject to change. dashed_name: process-io-bytes-skipped-offset description: The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. @@ -11626,7 +11622,6 @@ process: where length bytes were skipped. type: long process.io.max_bytes_per_process_exceeded: - beta: This field is beta and subject to change. dashed_name: process-io-max-bytes-per-process-exceeded description: If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting. 
@@ -11638,7 +11633,6 @@ process: configuration setting. type: boolean process.io.text: - beta: This field is beta and subject to change. dashed_name: process-io-text description: 'A chunk of output or input sanitized to UTF-8. @@ -11654,7 +11648,6 @@ process: short: A chunk of output or input sanitized to UTF-8. type: wildcard process.io.total_bytes_captured: - beta: This field is beta and subject to change. dashed_name: process-io-total-bytes-captured description: The total number of bytes captured in this event. flat_name: process.io.total_bytes_captured @@ -11664,7 +11657,6 @@ process: short: The total number of bytes captured in this event. type: long process.io.total_bytes_skipped: - beta: This field is beta and subject to change. dashed_name: process-io-total-bytes-skipped description: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure @@ -11677,7 +11669,6 @@ process: restrictions such as buffer size limits. type: long process.io.type: - beta: This field is beta and subject to change. dashed_name: process-io-type description: 'The type of object on which the IO action (read or write) was taken. @@ -14740,7 +14731,6 @@ process: short: The TTY character device's minor number. type: long process.tty.columns: - beta: This field is beta and subject to change. dashed_name: process-tty-columns description: 'The number of character columns per line. e.g terminal width @@ -14754,7 +14744,6 @@ process: short: The number of character columns per line. e.g terminal width type: long process.tty.rows: - beta: This field is beta and subject to change. dashed_name: process-tty-rows description: 'The number of character rows in the terminal. e.g terminal height diff --git a/schemas/process.yml b/schemas/process.yml index 2447d1a51f..91c8ef98ef 100644 --- a/schemas/process.yml +++ b/schemas/process.yml 
@@ -361,7 +361,6 @@ - name: tty.rows level: extended type: long - beta: This field is beta and subject to change. short: The number of character rows in the terminal. e.g terminal height description: > The number of character rows in the terminal. e.g terminal height @@ -372,7 +371,6 @@ - name: tty.columns level: extended type: long - beta: This field is beta and subject to change. short: The number of character columns per line. e.g terminal width description: > The number of character columns per line. e.g terminal width @@ -383,7 +381,6 @@ - name: io level: extended type: object - beta: This field is beta and subject to change. short: A chunk of input or output (IO) from a single process. description: > A chunk of input or output (IO) from a single process. @@ -393,7 +390,6 @@ - name: io.type level: extended type: keyword - beta: This field is beta and subject to change. short: The type of object on which the IO action (read or write) was taken. description: > The type of object on which the IO action (read or write) was taken. @@ -403,7 +399,6 @@ - name: io.text level: extended type: wildcard - beta: This field is beta and subject to change. short: A chunk of output or input sanitized to UTF-8. description: > A chunk of output or input sanitized to UTF-8. @@ -413,14 +408,12 @@ - name: io.total_bytes_captured level: extended type: long - beta: This field is beta and subject to change. description: > The total number of bytes captured in this event. - name: io.total_bytes_skipped level: extended type: long - beta: This field is beta and subject to change. short: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. description: > The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure this value is always zero 
@@ -428,14 +421,12 @@ - name: io.max_bytes_per_process_exceeded level: extended type: boolean - beta: This field is beta and subject to change. description: > If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting. - name: io.bytes_skipped level: extended type: object - beta: This field is beta and subject to change. description: > An array of byte offsets and lengths denoting where IO data has been skipped. @@ -445,13 +436,11 @@ - name: io.bytes_skipped.offset level: extended type: long - beta: This field is beta and subject to change. description: > The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. - name: io.bytes_skipped.length level: extended type: long - beta: This field is beta and subject to change. description: > The length of bytes skipped. From 4115b40ecb52c1c1e6d549d4e406dd53ced9bcab Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Mon, 5 Feb 2024 14:17:05 -0600 Subject: [PATCH 137/186] bring CONTRIBUTING doc up-to-date (#2316) --- CONTRIBUTING.md | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 41319de4a5..0e9c40ddce 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
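Review bot: the `- name: io.text` hunk in schemas/process.yml drops the `beta:` caveat but leaves the `description` ("A chunk of output or input sanitized to UTF-8.") silent about what that chunk can contain; once the field is GA it carries whatever a user typed into or read from the process, and for an interactive TTY that can include passwords and other secrets. Suggest extending the description (and the matching `short`) with a sentence telling implementors and index owners that captured IO may contain sensitive input and should be protected accordingly, for example with field-level access restrictions or redaction before indexing; none of the `io.*` descriptions touched in this patch mention it, and the generated `ecs_flat.yml`, `ecs_nested.yml` and `fields.ecs.yml` copies will pick the sentence up on regeneration.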
@@ -99,19 +99,10 @@ Please follow these guidelines when submitting Issues: ## Feature freezes and branching -ECS follows a two-stage feature freeze approach using the concepts of Soft Feature Freezes (SFF) and Hard Feature Freezes (HFF). +For an upcoming release, ECS uses a feature freeze (FF) approach. A release branch is cut from `main` for an upcoming +release. When a branch is frozen, changes are limited to bug fixes or doc updates. -Once a branch enters SFF, only minor and low-impact features can be added. The ECS team will rely on the “scope of impact” assessment in the ECS RFC process to help assess the potential impact of a proposed change. - -When a branch enters HFF, from that point onward all new features of any size must be contributed to the next ECS version. - -For people contributing to the ECS repo, this change means there are two branches at any given time that are accepting at least some sort of feature changes. Here's an example using ECS 8.1: - -| Branch | Version | Change scope | -| ------ | ------- | ------------ | -| `main` | 8.2 | Any enhancements or otherwise | -| `8.1` | 8.1 | SFF: Can have low impact enhancements | -| `8.0` | 8.0 | HFF: Only bug fixes, tooling, docs, etc | +Any schema changes or tooling updates will be merged into `main` for the next ECS version. ### Changelogs @@ -222,6 +213,12 @@ The [schemas](schemas) directory contains the files which define the Elastic Com Users consuming ECS to generate something for other use cases should use the `generated/ecs/*.yml` files. More detail can be found [here](generated/README.md). +### Subset Files + +The [schemas/subsets](schemas/subsets/) directory contains the configuration to control advanced field nesting use cases. +The config is used with the `--subset` option to control which field sets or specific fields appear in the final generated +artifacts. + ## Additional Resources * [ECS Guidelines and Best Practices](https://www.elastic.co/guide/en/ecs/current/ecs-guidelines.html) 
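Review bot: in the "Feature freezes and branching" hunk, the new paragraph defines the abbreviation "(FF)" and never uses it again, and "For an upcoming release, ECS uses a feature freeze (FF) approach. A release branch is cut from `main` for an upcoming release." says "upcoming release" twice in two sentences. Suggest one tighter statement, for example: "Before each release, a release branch is cut from `main`. Once that branch is frozen, only bug fixes and documentation updates are accepted on it; schema and tooling changes continue to land in `main` for the next version." The removed table also told contributors which branch to target at any given moment, which the replacement text no longer states explicitly; one sentence naming the currently accepting branches would preserve that.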
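Review bot: in the new "Subset Files" hunk, the `--subset` option is mentioned without naming the script that accepts it ("The config is used with the `--subset` option ..."), so a first-time contributor does not know where to run it. Name the generator script and show one invocation alongside the `schemas/subsets/` link, and state whether omitting the option means all field sets are emitted, since that is the default most readers will need to know.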
From ceacf7b6b383b30f22f0a3e16729a1ab1f5e72d8 Mon Sep 17 00:00:00 2001 From: Nassim Kammah Date: Fri, 9 Feb 2024 20:33:10 +0100 Subject: [PATCH 138/186] Update docs-preview link (#2318) Following the migration from Jenkins to Buildkite, docs previews are now available at _bk_. More context in https://github.com/elastic/docs/pull/2898 --- .github/workflows/docs-preview-comment.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docs-preview-comment.yml b/.github/workflows/docs-preview-comment.yml index 484e1b83d0..34371e767b 100644 --- a/.github/workflows/docs-preview-comment.yml +++ b/.github/workflows/docs-preview-comment.yml @@ -15,7 +15,7 @@ jobs: with: script: | const pr = context.payload.pull_request; - const comment = `Documentation changes preview: https://${context.repo.repo}_${pr.number}.docs-preview.app.elstc.co/diff`; + const comment = `Documentation changes preview: https://${context.repo.repo}_bk_${pr.number}.docs-preview.app.elstc.co/diff`; github.rest.issues.createComment({ issue_number: context.issue.number, From f62887bfc0ebb606c56b457e53ef4833c0a3ea19 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Tue, 20 Feb 2024 21:28:11 -0600 Subject: [PATCH 139/186] ECS project board no longer used (#2319) --- .github/workflows/add-to-ecs-project.yml | 50 ------------------------ 1 file changed, 50 deletions(-) delete mode 100644 .github/workflows/add-to-ecs-project.yml diff --git a/.github/workflows/add-to-ecs-project.yml b/.github/workflows/add-to-ecs-project.yml deleted file mode 100644 index 842c88a5ee..0000000000 --- a/.github/workflows/add-to-ecs-project.yml +++ /dev/null 
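Review bot: the replacement URL in `.github/workflows/docs-preview-comment.yml` hard-codes the `_bk_` infix with no explanation in the file, so a maintainer reading the workflow later cannot tell that it marks Buildkite-built previews. Suggest a one-line YAML comment above the `script:` block citing the elastic/docs change the commit message references (https://github.com/elastic/docs/pull/2898). The two interpolated values, `context.repo.repo` and `pr.number`, come from the event payload rather than from PR title or body text, so the template literal is safe as written.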
@@ -1,50 +0,0 @@ -name: Add to ECS project board -on: - issues: - types: - - opened - - reopened - -env: - PROJECT_ID: PN_kwDOAGc3Zs4ABESq - STATUS_FIELD_ID: MDE2OlByb2plY3ROZXh0RmllbGQyNjE4MDM4 - TRIAGE_VALUE: f75ad846 - GITHUB_TOKEN: ${{ secrets.GH_ACTIONS_TOKEN }} - -jobs: - issue_opened_or_reopened: - runs-on: ubuntu-latest - if: github.event_name == 'issues' && (github.event.action == 'opened' || github.event.action == 'reopened') - steps: - - name: Add issue to project - uses: octokit/graphql-action@v2.x - id: add_to_project - with: - headers: '{"GraphQL-Features": "projects_next_graphql"}' - query: | - mutation add_to_project($projectid:ID!,$contentid:ID!) { - addProjectNextItem(input:{projectId:$projectid contentId:$contentid}) { - projectNextItem { - id - } - } - } - projectid: ${{ env.PROJECT_ID }} - contentid: ${{ github.event.issue.node_id }} - - name: Set status to 'Triage' on board - uses: octokit/graphql-action@v2.x - id: set_status - with: - headers: '{"GraphQL-Features": "projects_next_graphql"}' - query: | - mutation label_team($projectid:ID!,$itemid:ID!,$fieldid:ID!,$value:String!) { - updateProjectNextItemField(input: { projectId:$projectid itemId:$itemid fieldId:$fieldid value:$value }) { - projectNextItem { - id - } - } - } - projectid: ${{ env.PROJECT_ID }} - itemid: ${{ fromJSON(steps.add_to_project.outputs.data).addProjectNextItem.projectNextItem.id }} - fieldid: ${{ env.STATUS_FIELD_ID }} - value: ${{ env.TRIAGE_VALUE }} From 7cbb3562d2ab787ee143f3f9de854fdfca06a33f Mon Sep 17 00:00:00 2001 
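Review bot: deleting `.github/workflows/add-to-ecs-project.yml` removes a workflow that read `secrets.GH_ACTIONS_TOKEN` into `GITHUB_TOKEN` in its `env:` block. If this was the only consumer of that repository secret, the secret should be removed (or the underlying token revoked) in the same change, so that a write-capable token is not left provisioned with nothing using it. A sentence in the commit message stating whether any other workflow still relies on `GH_ACTIONS_TOKEN` would make that auditable from the history alone.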
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 14 Mar 2024 11:02:59 -0700 Subject: [PATCH 140/186] Bump gitpython from 3.1.37 to 3.1.41 in /scripts (#2313) Bumps [gitpython](https://github.com/gitpython-developers/GitPython) from 3.1.37 to 3.1.41. - [Release notes](https://github.com/gitpython-developers/GitPython/releases) - [Changelog](https://github.com/gitpython-developers/GitPython/blob/main/CHANGES) - [Commits](https://github.com/gitpython-developers/GitPython/compare/3.1.37...3.1.41) --- updated-dependencies: - dependency-name: gitpython dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Michael Wolf --- scripts/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/requirements.txt b/scripts/requirements.txt index 899c2a872e..b0a6ff15b4 100644 --- a/scripts/requirements.txt +++ b/scripts/requirements.txt @@ -2,6 +2,6 @@ pip # License: MIT PyYAML==6.0.1 # License: BSD -gitpython==3.1.37 +gitpython==3.1.41 # License: BSD Jinja2==3.0.3 From ee4e0979dbaa91c915a1b31a26e1ea814bfe75aa Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 14 Mar 2024 11:22:53 -0700 Subject: [PATCH 141/186] Bump jinja2 from 3.0.3 to 3.1.3 in /scripts (#2314) Bumps [jinja2](https://github.com/pallets/jinja) from 3.0.3 to 3.1.3. - [Release notes](https://github.com/pallets/jinja/releases) - [Changelog](https://github.com/pallets/jinja/blob/main/CHANGES.rst) - [Commits](https://github.com/pallets/jinja/compare/3.0.3...3.1.3) --- updated-dependencies: - dependency-name: jinja2 dependency-type: direct:production ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Eric Beahan Co-authored-by: Michael Wolf --- scripts/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/requirements.txt b/scripts/requirements.txt index b0a6ff15b4..30f66a6c8e 100644 --- a/scripts/requirements.txt +++ b/scripts/requirements.txt @@ -4,4 +4,4 @@ PyYAML==6.0.1 # License: BSD gitpython==3.1.41 # License: BSD -Jinja2==3.0.3 +Jinja2==3.1.3 From 2a066283143a7daed84284e965165ae3c0a4e1c8 Mon Sep 17 00:00:00 2001 From: Brett Fitzpatrick Date: Thu, 28 Mar 2024 17:53:05 -0400 Subject: [PATCH 142/186] [RFC] added new field: threat.indicator.id - resolves GH-2252 (#2324) Added threat.indicator.id field. Resolves #2252. The new field threat.indicator.id will allow for security systems to append a threat.indicator.id. This field can have multiple values to allow for the identification of the same indicator across systems that use different ID formats. --- CHANGELOG.next.md | 1 + docs/fields/field-details.asciidoc | 21 +++++++++++++++++++ experimental/generated/beats/fields.ecs.yml | 11 ++++++++++ experimental/generated/csv/fields.csv | 1 + experimental/generated/ecs/ecs_flat.yml | 16 ++++++++++++++ experimental/generated/ecs/ecs_nested.yml | 16 ++++++++++++++ .../composable/component/threat.json | 4 ++++ .../elasticsearch/legacy/template.json | 4 ++++ generated/beats/fields.ecs.yml | 11 ++++++++++ generated/csv/fields.csv | 1 + generated/ecs/ecs_flat.yml | 16 ++++++++++++++ generated/ecs/ecs_nested.yml | 16 ++++++++++++++ .../composable/component/threat.json | 4 ++++ generated/elasticsearch/legacy/template.json | 4 ++++ schemas/threat.yml | 14 +++++++++++++ 15 files changed, 140 insertions(+) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index b67cd5af89..7e9715ae7b 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md 
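Review bot: the `gitpython==3.1.41` and `Jinja2==3.1.3` bumps in `scripts/requirements.txt` pin exact versions but no hashes, and the first entry shown in the hunk header context, `pip`, is not pinned at all, so the install is only as trustworthy as the index that serves it. Consider adding `--hash=sha256:<placeholder>` entries for each pin (installed with `pip install --require-hashes`) or generating the file from a lock tool, so that dependency bumps like these two are verified against the artifact digest rather than the version string alone. The `# License:` comment lines around each pin are preserved correctly.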
@@ -19,6 +19,7 @@ Thanks, you're awesome :-) --> * Added `volume.*` as beta field set. #2269 * Advanced `process.env_vars` to GA. #2315 * Advanced `process.io` and `process.tty` fields to GA. #2317 +* Added `threat.indicator.id`. #2324 #### Improvements diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index ad2f9d8ab1..c2d5cade31 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -10953,6 +10953,27 @@ example: `2020-11-05T17:25:47.000Z` // =============================================================== +| +[[field-threat-indicator-id]] +<> + +a| The ID of the indicator used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. This field can have multiple values to allow for the identification of the same indicator across systems that use different ID formats. + +While not required, a common approach is to use a STIX 2.x indicator ID. + +type: keyword + + +Note: this field should contain an array of values. + + + +example: `[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]` + +| extended + +// =============================================================== + | [[field-threat-indicator-ip]] <> diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 27ee873efa..2ba8ee01ac 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -11645,6 +11645,17 @@ description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires default_field: false + - name: indicator.id + level: extended + type: keyword + ignore_above: 1024 + description: "The ID of the indicator used by this threat to conduct behavior\ + \ commonly modeled using MITRE ATT&CK\xAE. This field can have multiple values\ + \ to allow for the identification of the same indicator across systems that\ + \ use different ID formats.\nWhile not required, a common approach is to use\ + \ a STIX 2.x indicator ID." + example: '[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]' + default_field: false - name: indicator.ip level: extended type: ip diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 2f9837c989..360d885076 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv @@ -1500,6 +1500,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 8.12.0-dev+exp,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. 8.12.0-dev+exp,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.12.0-dev+exp,true,threat,threat.indicator.id,keyword,extended,array,[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37],ID of the indicator 8.12.0-dev+exp,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address 8.12.0-dev+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. 8.12.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index e3c678dd5c..766b646865 100644 --- a/experimental/generated/ecs/ecs_flat.yml 
+++ b/experimental/generated/ecs/ecs_flat.yml @@ -18960,6 +18960,22 @@ threat.indicator.geo.timezone: original_fieldset: geo short: Time zone. type: keyword +threat.indicator.id: + dashed_name: threat-indicator-id + description: "The ID of the indicator used by this threat to conduct behavior commonly\ + \ modeled using MITRE ATT&CK\xAE. This field can have multiple values to allow\ + \ for the identification of the same indicator across systems that use different\ + \ ID formats.\nWhile not required, a common approach is to use a STIX 2.x indicator\ + \ ID." + example: '[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]' + flat_name: threat.indicator.id + ignore_above: 1024 + level: extended + name: indicator.id + normalize: + - array + short: ID of the indicator + type: keyword threat.indicator.ip: dashed_name: threat-indicator-ip description: Identifies a threat indicator as an IP address (irrespective of direction). diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index dd47d98b2f..5ffa13984b 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -21632,6 +21632,22 @@ threat: original_fieldset: geo short: Time zone. type: keyword + threat.indicator.id: + dashed_name: threat-indicator-id + description: "The ID of the indicator used by this threat to conduct behavior\ + \ commonly modeled using MITRE ATT&CK\xAE. This field can have multiple values\ + \ to allow for the identification of the same indicator across systems that\ + \ use different ID formats.\nWhile not required, a common approach is to use\ + \ a STIX 2.x indicator ID." + example: '[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]' + flat_name: threat.indicator.id + ignore_above: 1024 + level: extended + name: indicator.id + normalize: + - array + short: ID of the indicator + type: keyword threat.indicator.ip: dashed_name: threat-indicator-ip description: Identifies a threat indicator as an IP address (irrespective of diff --git a/experimental/generated/elasticsearch/composable/component/threat.json b/experimental/generated/elasticsearch/composable/component/threat.json index c49f845733..7f002d5bb7 100644 --- a/experimental/generated/elasticsearch/composable/component/threat.json +++ b/experimental/generated/elasticsearch/composable/component/threat.json @@ -1522,6 +1522,10 @@ } } }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, "ip": { "type": "ip" }, diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index 6ecdd5d57e..1dc48de290 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -6727,6 +6727,10 @@ } } }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, "ip": { "type": "ip" }, diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 0c45bd930d..af875b79f0 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -11595,6 +11595,17 @@ description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires default_field: false + - name: indicator.id + level: extended + type: keyword + ignore_above: 1024 + description: "The ID of the indicator used by this threat to conduct behavior\ + \ commonly modeled using MITRE ATT&CK\xAE. This field can have multiple values\ + \ to allow for the identification of the same indicator across systems that\ + \ use different ID formats.\nWhile not required, a common approach is to use\ + \ a STIX 2.x indicator ID." + example: '[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]' + default_field: false - name: indicator.ip level: extended type: ip diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index d9bd84920e..3ca25f1445 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -1493,6 +1493,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 8.12.0-dev,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. 8.12.0-dev,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.12.0-dev,true,threat,threat.indicator.id,keyword,extended,array,[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37],ID of the indicator 8.12.0-dev,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address 8.12.0-dev,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. 8.12.0-dev,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 468e30d9c6..e867cae5e6 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -18891,6 +18891,22 @@ threat.indicator.geo.timezone: original_fieldset: geo short: Time zone. type: keyword +threat.indicator.id: + dashed_name: threat-indicator-id + description: "The ID of the indicator used by this threat to conduct behavior commonly\ + \ modeled using MITRE ATT&CK\xAE. This field can have multiple values to allow\ + \ for the identification of the same indicator across systems that use different\ + \ ID formats.\nWhile not required, a common approach is to use a STIX 2.x indicator\ + \ ID." + example: '[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]' + flat_name: threat.indicator.id + ignore_above: 1024 + level: extended + name: indicator.id + normalize: + - array + short: ID of the indicator + type: keyword threat.indicator.ip: dashed_name: threat-indicator-ip description: Identifies a threat indicator as an IP address (irrespective of direction). diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 4aec3d3fd5..004d353e36 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -21552,6 +21552,22 @@ threat: original_fieldset: geo short: Time zone. type: keyword + threat.indicator.id: + dashed_name: threat-indicator-id + description: "The ID of the indicator used by this threat to conduct behavior\ + \ commonly modeled using MITRE ATT&CK\xAE. This field can have multiple values\ + \ to allow for the identification of the same indicator across systems that\ + \ use different ID formats.\nWhile not required, a common approach is to use\ + \ a STIX 2.x indicator ID." + example: '[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]' + flat_name: threat.indicator.id + ignore_above: 1024 + level: extended + name: indicator.id + normalize: + - array + short: ID of the indicator + type: keyword threat.indicator.ip: dashed_name: threat-indicator-ip description: Identifies a threat indicator as an IP address (irrespective of 
diff --git a/generated/elasticsearch/composable/component/threat.json b/generated/elasticsearch/composable/component/threat.json index 178ab4359c..17d9b1e77f 100644 --- a/generated/elasticsearch/composable/component/threat.json +++ b/generated/elasticsearch/composable/component/threat.json @@ -1522,6 +1522,10 @@ } } }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, "ip": { "type": "ip" }, diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index 4ac8441518..0e26f73020 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -6685,6 +6685,10 @@ } } }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, "ip": { "type": "ip" }, diff --git a/schemas/threat.yml b/schemas/threat.yml index a9cb544948..fd8d875102 100644 --- a/schemas/threat.yml +++ b/schemas/threat.yml @@ -514,6 +514,20 @@ The name of the indicator's provider. example: lrz_urlhaus + - name: indicator.id + level: extended + type: keyword + short: ID of the indicator + description: > + The ID of the indicator used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. + This field can have multiple values to allow for the identification of the same indicator across systems + that use different ID formats. + + While not required, a common approach is to use a STIX 2.x indicator ID. + example: "[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]" + normalize: + - array + - name: software.id level: extended type: keyword From 64f715c6720083d1a41507cc625a50c1b954b9b9 Mon Sep 17 00:00:00 2001 
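Review bot: in the `schemas/threat.yml` hunk, the description "The ID of the indicator used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®" reads as if the indicator itself performs behavior; an indicator is an observable associated with the threat, and the ATT&CK clause appears to have been carried over from the technique-oriented `threat.*` descriptions. Suggest "The ID of the indicator, as assigned by the system that produced it. This field can have multiple values to allow for the identification of the same indicator across systems that use different ID formats." and keep the STIX 2.x sentence, which is the guidance consumers actually need. The same wording is propagated into every generated file in this patch, so the fix belongs in the schema source followed by a regeneration. The `example` value `[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]` follows the STIX `indicator--<UUID>` convention the description recommends, and the `normalize: - array` entry matches the "can have multiple values" statement.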
From: Nic Date: Wed, 3 Apr 2024 14:19:29 -0500 Subject: [PATCH 143/186] Fix broken link for vulnerabilty.id (#2328) Fix vulnerability.id broken link --- CHANGELOG.next.md | 1 + docs/fields/field-details.asciidoc | 2 +- experimental/generated/beats/fields.ecs.yml | 4 ++-- experimental/generated/ecs/ecs_flat.yml | 4 ++-- experimental/generated/ecs/ecs_nested.yml | 4 ++-- generated/beats/fields.ecs.yml | 4 ++-- generated/ecs/ecs_flat.yml | 4 ++-- generated/ecs/ecs_nested.yml | 4 ++-- schemas/vulnerability.yml | 2 +- 9 files changed, 15 insertions(+), 14 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 7e9715ae7b..4a9cd6c1fa 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -13,6 +13,7 @@ Thanks, you're awesome :-) --> #### Breaking changes #### Bugfixes +* Fix broken link in docs for vulnerability.id. #2328 #### Added diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index c2d5cade31..31273d8c4b 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -13321,7 +13321,7 @@ example: `CVE` [[field-vulnerability-id]] <> -a| The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] +a| The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id[Common Vulnerabilities and Exposure CVE ID]) type: keyword diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 2ba8ee01ac..61e5088661 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -13647,8 +13647,8 @@ ignore_above: 1024 description: The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For - example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities - and Exposure CVE ID] + example (https://cve.mitre.org/about/faqs.html#what_is_cve_id[Common Vulnerabilities + and Exposure CVE ID]) example: CVE-2019-00001 default_field: false - name: reference diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 766b646865..56716a240c 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -22174,8 +22174,8 @@ vulnerability.id: dashed_name: vulnerability-id description: The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example - (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities - and Exposure CVE ID] + (https://cve.mitre.org/about/faqs.html#what_is_cve_id[Common Vulnerabilities and + Exposure CVE ID]) example: CVE-2019-00001 flat_name: vulnerability.id ignore_above: 1024 diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 5ffa13984b..312cf49b80 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -25158,8 +25158,8 @@ vulnerability: dashed_name: vulnerability-id description: The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For - example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities - and Exposure CVE ID] + example (https://cve.mitre.org/about/faqs.html#what_is_cve_id[Common Vulnerabilities + and Exposure CVE ID]) example: CVE-2019-00001 flat_name: vulnerability.id ignore_above: 1024 
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index af875b79f0..b88a755686 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -13597,8 +13597,8 @@ ignore_above: 1024 description: The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For - example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities - and Exposure CVE ID] + example (https://cve.mitre.org/about/faqs.html#what_is_cve_id[Common Vulnerabilities + and Exposure CVE ID]) example: CVE-2019-00001 default_field: false - name: reference diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index e867cae5e6..50e16f1826 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -22105,8 +22105,8 @@ vulnerability.id: dashed_name: vulnerability-id description: The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example - (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities - and Exposure CVE ID] + (https://cve.mitre.org/about/faqs.html#what_is_cve_id[Common Vulnerabilities and + Exposure CVE ID]) example: CVE-2019-00001 flat_name: vulnerability.id ignore_above: 1024 diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 004d353e36..fa5f354d5f 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -25078,8 +25078,8 @@ vulnerability: dashed_name: vulnerability-id description: The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For - example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities - and Exposure CVE ID] + example (https://cve.mitre.org/about/faqs.html#what_is_cve_id[Common Vulnerabilities + and Exposure CVE ID]) example: CVE-2019-00001 flat_name: vulnerability.id ignore_above: 1024 diff --git a/schemas/vulnerability.yml b/schemas/vulnerability.yml index 70b52a875b..d2a6636b9b 100644 --- a/schemas/vulnerability.yml +++ b/schemas/vulnerability.yml @@ -147,7 +147,7 @@ description: > The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. - For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] + For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id[Common Vulnerabilities and Exposure CVE ID]) example: CVE-2019-00001 From 3f184b9fa9fae821f3dbe950c7c7f7b370c88a44 Mon Sep 17 00:00:00 2001 From: Norrie Taylor <91171431+norrietaylor@users.noreply.github.com> Date: Fri, 5 Apr 2024 11:55:58 -0700 Subject: [PATCH 144/186] Special guidance for ECS contribtions during ECS donation (#2325) --- CHANGELOG.next.md | 2 ++ CONTRIBUTING.md | 57 ++++++++++++++++++++++++++++++++++++++++++----- README.md | 9 ++++++++ 3 files changed, 63 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 4a9cd6c1fa..5996082bf8 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -34,6 +34,8 @@ Thanks, you're awesome :-) --> #### Added +* Documentation in README.md providing instruction on contributions to ECS during the OTel donation #2325 + #### Improvements #### Deprecated diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 0e9c40ddce..7424f80467 100644 --- a/CONTRIBUTING.md 
+++ b/CONTRIBUTING.md @@ -7,7 +7,8 @@ ECS is an open source project and we love to receive contributions from our comm ## Table of Contents -- [How to Contribute](#how-to-contribute) +- [How to contribute](#how-to-contribute) +- - [Special guidance during OTel donation of ECS](#special-guidance-during-otel-donation-of-ecs) - [Dev Tools](#dev-tools) - [Submitting Changes](#submitting-changes) - [Git and Github Guidelines](#git-and-github-guidelines) 
@@ -22,12 +23,58 @@ ECS is an open source project and we love to receive contributions from our comm - [Schema Files](#schema-files) - [Additional Resources](#additional-resources) -## How to Contribute -There are two primary ways in which you can contribute to ECS. +## How to contribute -1. The [RFC process](./rfcs/README.md) is used for significant additions or breaking changes to the schema itself. -2. For bug fixes or incremental, non-controversial additions to ECS, changes can be made directly to the ECS project and submitted as pull request. +## ECS Donation to OpenTelemetry +In April 2023, OpenTelemetry and Elastic made an [important joint announcement](https://opentelemetry.io/blog/2023/ecs-otel-semconv-convergence/). In this announcement Elastic +shared its intention to achieve convergence of ECS and OTel Semantic Conventions into a single standard maintained +by OpenTelemetry. + +The stated plan has been to keep ECS in a frozen state during the transition. However, it is also apparent that these +things take time. It takes time for the OTel community to adopt donated fields, and it will take time for development +teams to build OTel native constructs in the Elastic stack. In the meantime, ECS users need to be able to develop +features for Elastic that rely on continued contributions to the schemas that drive our technology. + +For these reasons, we need a process and guidelines for contributing to these data schemas during this period that +allows us to avoid breaking changes. + +### How to contribute during OTel donation of ECS + +Bug fixes or minor field addition changes can be made directly to the ECS project and submitted as pull requests. + +Significant changes that add new use cases, top-level fieldsets, or could be considered controversial are +considered material. 
The general rule for contributing new material changes to schemas during the transition period is + +- First, merge a pull request to +[OTel Semantic Conventions](https://github.com/open-telemetry/semantic-conventions/blob/main/CONTRIBUTING.md) with new +fields, namespaces or schemas +- Second, to backport those changes to ECS at the starting point indicated in the table below +- Finally, once the Semantic Conventions changes are marked as stable, remove the Beta designation in ECS + +This will ensure that the latest changes are included in OTel Semantic Conventions, where schema evolution will continue +as the merger proceeds. It will also allow teams and users to continue using ECS while OTel migration tools and guidance +are being developed. Finally, this will reduce the risk of breaking changes if new fields are merged first to ECS, and +then require changes before being adopted in Semantic Conventions. + +_There are some exceptions to this rule._ + +1. My contribution to OTel Semantic Conventions is stalled. We are waiting for a sign-off from a second company. +In the meantime, our Elastic feature is blocked. +2. I want to build a workflow in Elastic, and the fields I need to proceed are already in OTel but not in ECS where I +need them today. + +In these cases, the recommendation is to make a contribution to ECS to unblock development. The appropriate ECS starting +point can be an [RFC](./rfcs/README.md) or pull request based on the maturity of the Otel changes. Please see the +following table. + +| OTel submission maturity | Breaking changes expected | ECS starting point | +|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------|------------------------------------------------------| +| OTel working groups accepts the premise of the addition and commits to considering this proposal as it advances. 
| Major | RFC Stage 1 | +| The initial field definitions comprehensively model the addition to the schema. Fundamental questions and concerns are resolved, though some less significant questions remain open. | Iterative | RFC Stage 2 | +| All requested changes from codeowners have been addressed, and there are no open discussions. | Iterative | Open an ECS pull request with new fields marked Beta | +| Fields, schema, namespace exists in OTel and are designated experimental | Iterative | Open an ECS pull request with new fields marked Beta | +| Fields, schema, namespace exists in OTel and are designated stable | None | Open an ECS pull request with new fields marked GA | ### Dev Tools diff --git a/README.md b/README.md index 16cf9e4125..5b7d78fc5c 100644 --- a/README.md +++ b/README.md @@ -9,9 +9,18 @@ ingesting data into Elasticsearch. A common schema helps you correlate data from sources like logs and metrics or IT operations analytics and security analytics. +## ECS Donation to OpenTelemetry +In April 2023, OpenTelemetry and Elastic made an +[important joint announcement](https://opentelemetry.io/blog/2023/ecs-otel-semconv-convergence/). +In this announcement, we shared our intention to achieve convergence of ECS and OTel +Semantic Conventions into a single standard maintained by OpenTelemetry. + +Special guidance is provided during the donation period. Please review the [contribution guide](CONTRIBUTING.md). + ## Documentation The ECS reference is published on the main Elastic documentation website. + Visit [the official ECS Reference Documentation](https://www.elastic.co/guide/en/ecs/current/index.html). ## Getting Started From be84b7da61af81afc68377eb85310bbfe8f5b0fe Mon Sep 17 00:00:00 2001 
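Review bot: in the CONTRIBUTING.md table-of-contents hunk (`@@ -7,7 +7,8 @@`), the new entry links to `#special-guidance-during-otel-donation-of-ecs`, but no heading in this patch produces that anchor; the headings added further down are `## ECS Donation to OpenTelemetry` and `### How to contribute during OTel donation of ECS`, so the link is dead. Either retitle the heading to match or point the entry at `#how-to-contribute-during-otel-donation-of-ecs`. The entry is also written as `- - [Special guidance ...]`, which Markdown renders as a bullet containing a nested bullet; if a sub-entry under "How to contribute" was intended, indent it (`  - [...]`) instead.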
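Review bot: in the main CONTRIBUTING.md hunk (`@@ -22,12 +23,58 @@`), `## How to contribute` is left as an empty heading immediately followed by `## ECS Donation to OpenTelemetry` at the same level, so the donation section reads as a sibling of "How to contribute" rather than its content; demote the donation heading and its subsections one level, or drop the now-empty heading. Two smaller points in the same hunk: the sentence "The general rule for contributing new material changes to schemas during the transition period is" introduces a list and needs a trailing colon, and the table rows "OTel working groups accepts the premise of the addition..." and "Fields, schema, namespace exists in OTel and are designated experimental/stable" have subject-verb disagreements ("working group accepts"; "Fields, schema and namespace exist").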
From: Norrie Taylor <91171431+norrietaylor@users.noreply.github.com> Date: Fri, 5 Apr 2024 13:34:11 -0700 Subject: [PATCH 145/186] Clarification of release process during Otel donatrion period (#2332) --- CONTRIBUTING.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 7424f80467..3d92ba5900 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -26,7 +26,7 @@ ECS is an open source project and we love to receive contributions from our comm ## How to contribute -## ECS Donation to OpenTelemetry +## ECS donation to OpenTelemetry In April 2023, OpenTelemetry and Elastic made an [important joint announcement](https://opentelemetry.io/blog/2023/ecs-otel-semconv-convergence/). In this announcement Elastic shared its intention to achieve convergence of ECS and OTel Semantic Conventions into a single standard maintained by OpenTelemetry. @@ -39,6 +39,15 @@ features for Elastic that rely on continued contributions to the schemas that dr For these reasons, we need a process and guidelines for contributing to these data schemas during this period that allows us to avoid breaking changes. +### ECS releases during the donation to OpenTelemetry +Historically, ECS has shipped a new version with every minor release of the Elastic stack. While the schema is +effectively frozen during the Otel donation period, this approach has been halted. + +Moving forward, we will release ECS at the team's discretion as new material changes to the schema are adopted. + +While the decision to release will be discretionary, any release will still coincide with a minor Elastic stack release; +however, not every minor version will warrant a new release of the stack. + ### How to contribute during OTel donation of ECS Bug fixes or minor field addition changes can be made directly to the ECS project and submitted as pull requests. From 247d128bd73b53b7a7df66f75c6613f78d00286f Mon Sep 17 00:00:00 2001 
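Review bot: in the new "ECS releases during the donation to OpenTelemetry" subsection, the last sentence says "not every minor version will warrant a new release of the stack", but the paragraph is about ECS releases, so this should read "a new release of ECS"; as written it contradicts the clause before it. Two consistency points in the same hunk: the file now mixes `OTel` (in the `### How to contribute during OTel donation of ECS` heading) with `Otel` (in this paragraph), and renaming `## ECS Donation to OpenTelemetry` to `## ECS donation to OpenTelemetry` changes the generated anchor to `#ecs-donation-to-opentelemetry`, so verify that the table of contents points at a heading that still exists. "While the schema is effectively frozen during the Otel donation period, this approach has been halted" also reads as a concession where a causal "Because" is meant.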
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 8 May 2024 09:18:01 -0700 Subject: [PATCH 146/186] Bump jinja2 from 3.1.3 to 3.1.4 in /scripts (#2339) Bumps [jinja2](https://github.com/pallets/jinja) from 3.1.3 to 3.1.4. - [Release notes](https://github.com/pallets/jinja/releases) - [Changelog](https://github.com/pallets/jinja/blob/main/CHANGES.rst) - [Commits](https://github.com/pallets/jinja/compare/3.1.3...3.1.4) --- updated-dependencies: - dependency-name: jinja2 dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- scripts/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/requirements.txt b/scripts/requirements.txt index 30f66a6c8e..e703c6ad50 100644 --- a/scripts/requirements.txt +++ b/scripts/requirements.txt @@ -4,4 +4,4 @@ PyYAML==6.0.1 # License: BSD gitpython==3.1.41 # License: BSD -Jinja2==3.1.3 +Jinja2==3.1.4 From 4b2c7c6c4596b8d4acdd420907952a04e20c8c23 Mon Sep 17 00:00:00 2001 
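Review bot: the `Jinja2==3.1.4` pin is the only line shown in `scripts/requirements.txt` without the `# License: BSD` annotation that the `PyYAML` and `gitpython` pins carry; add it for consistency while the line is being touched. Since these are exact pins for the generator's production dependencies and this bump lands through an automated pull request, consider also recording artifact hashes (`--hash=sha256:...` entries usable with `pip install --require-hashes`) so that a future bump cannot silently resolve to a different artifact than the one reviewed.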
From: Michael Wolf Date: Wed, 22 May 2024 13:27:18 -0700 Subject: [PATCH 147/186] Add `process.group` fields to generated schemas (#2335) Add process.group fields as the effective group for the process schema. process.group was (probably mistakenly) being excluded from the schema, as it wasn't part of schemas/subsets/main.yml. The other related process group fields are already included in the schema (real_group, saved_group), and process.group is defined with field re-use in group.yml. --------- Co-authored-by: Alexandra Konrad --- CHANGELOG.next.md | 1 + experimental/generated/beats/fields.ecs.yml | 12 ++++++++++ experimental/generated/csv/fields.csv | 2 ++ experimental/generated/ecs/ecs_flat.yml | 22 +++++++++++++++++++ experimental/generated/ecs/ecs_nested.yml | 22 +++++++++++++++++++ .../composable/component/process.json | 12 ++++++++++ .../elasticsearch/legacy/template.json | 12 ++++++++++ generated/beats/fields.ecs.yml | 12 ++++++++++ generated/csv/fields.csv | 2 ++ generated/ecs/ecs_flat.yml | 22 +++++++++++++++++++ generated/ecs/ecs_nested.yml | 22 +++++++++++++++++++ .../composable/component/process.json | 12 ++++++++++ generated/elasticsearch/legacy/template.json | 12 ++++++++++ schemas/subsets/main.yml | 4 ++++ 14 files changed, 169 insertions(+) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 5996082bf8..9613fb89e6 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -21,6 +21,7 @@ Thanks, you're awesome :-) --> * Advanced `process.env_vars` to GA. #2315 * Advanced `process.io` and `process.tty` fields to GA. #2317 * Added `threat.indicator.id`. #2324 +* Added `process.group` to generated schemas. #2335 #### Improvements diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 61e5088661..bc95a6db22 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -5496,6 +5496,18 @@ start).' example: 137 default_field: false + - name: group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false - name: group_leader.args level: extended type: keyword diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 360d885076..292ac5f917 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv @@ -690,6 +690,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev+exp,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process. +8.12.0-dev+exp,true,process,process.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev+exp,true,process,process.group.name,keyword,extended,,,Name of the group. 8.12.0-dev+exp,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 8.12.0-dev+exp,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. 8.12.0-dev+exp,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 56716a240c..02b972886f 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -8930,6 +8930,28 @@ process.exit_code: normalize: [] short: The exit code of the process. type: long +process.group.id: + dashed_name: process-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.group.name: + dashed_name: process-group-name + description: Name of the group. + flat_name: process.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword process.group_leader.args: dashed_name: process-group-leader-args description: 'Array of process arguments, starting with the absolute path to the diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 312cf49b80..f600ab293a 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -11140,6 +11140,28 @@ process: normalize: [] short: The exit code of the process. type: long + process.group.id: + dashed_name: process-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.group.name: + dashed_name: process-group-name + description: Name of the group. + flat_name: process.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword process.group_leader.args: dashed_name: process-group-leader-args description: 'Array of process arguments, starting with the absolute path to 
diff --git a/experimental/generated/elasticsearch/composable/component/process.json b/experimental/generated/elasticsearch/composable/component/process.json index 3f144db017..f4dd52c1ce 100644 --- a/experimental/generated/elasticsearch/composable/component/process.json +++ b/experimental/generated/elasticsearch/composable/component/process.json @@ -481,6 +481,18 @@ "exit_code": { "type": "long" }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "group_leader": { "properties": { "args": { diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index 1dc48de290..18386e190c 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -3202,6 +3202,18 @@ "exit_code": { "type": "long" }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "group_leader": { "properties": { "args": { diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index b88a755686..fa0007884b 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -5446,6 +5446,18 @@ start).' example: 137 default_field: false + - name: group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false - name: group_leader.args level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 3ca25f1445..c31a8de31c 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -683,6 +683,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. +8.12.0-dev,true,process,process.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.12.0-dev,true,process,process.group.name,keyword,extended,,,Name of the group. 8.12.0-dev,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 8.12.0-dev,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. 8.12.0-dev,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 50e16f1826..2022bddaf4 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -8861,6 +8861,28 @@ process.exit_code: normalize: [] short: The exit code of the process. type: long +process.group.id: + dashed_name: process-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.group.name: + dashed_name: process-group-name + description: Name of the group. + flat_name: process.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword process.group_leader.args: dashed_name: process-group-leader-args description: 'Array of process arguments, starting with the absolute path to the diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index fa5f354d5f..8057eeed15 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -11060,6 +11060,28 @@ process: normalize: [] short: The exit code of the process. type: long + process.group.id: + dashed_name: process-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.group.name: + dashed_name: process-group-name + description: Name of the group. + flat_name: process.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword process.group_leader.args: dashed_name: process-group-leader-args description: 'Array of process arguments, starting with the absolute path to 
diff --git a/generated/elasticsearch/composable/component/process.json b/generated/elasticsearch/composable/component/process.json index c20dbd00f2..6cc1382d11 100644 --- a/generated/elasticsearch/composable/component/process.json +++ b/generated/elasticsearch/composable/component/process.json @@ -481,6 +481,18 @@ "exit_code": { "type": "long" }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "group_leader": { "properties": { "args": { diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index 0e26f73020..a6b67033e2 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -3160,6 +3160,18 @@ "exit_code": { "type": "long" }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "group_leader": { "properties": { "args": { diff --git a/schemas/subsets/main.yml b/schemas/subsets/main.yml index 69391cf839..ebefde9e2e 100644 --- a/schemas/subsets/main.yml +++ b/schemas/subsets/main.yml @@ -360,6 +360,10 @@ fields: args: {} args_count: {} executable: {} + group: + fields: + id: {} + name: {} real_group: fields: id: {} From 7815b3f9f316aa4f179d08c1f74e24d804ad4886 Mon Sep 17 00:00:00 2001 
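Review bot: the commit message describes `process.group` as the effective group, but the reused `group.id` and `group.name` descriptions in every generated file here say only "Unique identifier for the group on the system/platform" and "Name of the group", so nothing in the schema output tells a consumer how `process.group` differs from the sibling `process.real_group` and `process.saved_group` fields the message refers to. The `schemas/subsets/main.yml` hunk is the right place to enable the fields, but the effective/real/saved distinction belongs in the reuse entry's description in `group.yml` (where the message says the reuse is defined) or in the `process` field-set docs, so that it is carried into the generated artifacts. The new CSV rows also ship with an empty Example column; a sample value, as the neighbouring `process.exit_code` row has with `137`, would help readers.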
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Wed, 10 Jul 2024 10:35:32 -0300 Subject: [PATCH 148/186] Add .caseless subfield to process.name & process.executable (#2341) Adds a subfield to the process.name and process.executable fields to improve the compatibility of data sources like System, Sysmon, etc., with our Elastic Defend data, which enables us to handle language limitations in KQL more effectively. --- CHANGELOG.next.md | 2 + docs/fields/field-details.asciidoc | 6 ++ experimental/generated/beats/fields.ecs.yml | 46 ++++++++++++++++ experimental/generated/csv/fields.csv | 11 ++++ experimental/generated/ecs/ecs_flat.yml | 55 +++++++++++++++++++ experimental/generated/ecs/ecs_nested.yml | 55 +++++++++++++++++++ .../composable/component/process.json | 55 +++++++++++++++++++ .../elasticsearch/legacy/template.json | 55 +++++++++++++++++++ generated/beats/fields.ecs.yml | 46 ++++++++++++++++ generated/csv/fields.csv | 11 ++++ generated/ecs/ecs_flat.yml | 55 +++++++++++++++++++ generated/ecs/ecs_nested.yml | 55 +++++++++++++++++++ .../composable/component/process.json | 55 +++++++++++++++++++ generated/elasticsearch/legacy/template.json | 55 +++++++++++++++++++ schemas/process.yml | 8 +++ 15 files changed, 570 insertions(+) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 9613fb89e6..85035153ba 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -25,6 +25,8 @@ Thanks, you're awesome :-) --> #### Improvements +* Added `.caseless` subfield to `process.name` and `process.executable`. #2341 + #### Deprecated ### Tooling and Artifact Changes diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index 31273d8c4b..3d817d46ce 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -8128,6 +8128,9 @@ type: keyword Multi-fields: +* process.executable.caseless (type: keyword) + + * process.executable.text (type: match_only_text) 
@@ -8343,6 +8346,9 @@ type: keyword Multi-fields: +* process.name.caseless (type: keyword) + + * process.name.text (type: match_only_text) diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index bc95a6db22..7f63fa34e9 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -5175,6 +5175,10 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 - name: text type: match_only_text description: Absolute path to the process executable. @@ -5213,6 +5217,10 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 - name: text type: match_only_text description: 'Process name. @@ -5482,6 +5490,11 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 + default_field: false - name: text type: match_only_text default_field: false @@ -5560,6 +5573,10 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 - name: text type: match_only_text description: Absolute path to the process executable. @@ -5598,6 +5615,10 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 - name: text type: match_only_text description: 'Process name. @@ -6012,6 +6033,11 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 + default_field: false - name: text type: match_only_text default_field: false @@ -6401,6 +6427,10 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 - name: text type: match_only_text description: Absolute path to the process executable. 
@@ -6644,6 +6674,10 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 - name: text type: match_only_text description: 'Process name. @@ -7230,6 +7264,10 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 - name: text type: match_only_text description: Absolute path to the process executable. @@ -7345,6 +7383,10 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 - name: text type: match_only_text description: Absolute path to the process executable. @@ -7383,6 +7425,10 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 - name: text type: match_only_text description: 'Process name. diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 292ac5f917..5c51865b5d 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -648,11 +648,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. 8.12.0-dev+exp,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. 8.12.0-dev+exp,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.12.0-dev+exp,true,process,process.entry_leader.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev+exp,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev+exp,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 8.12.0-dev+exp,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. 8.12.0-dev+exp,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. 8.12.0-dev+exp,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. +8.12.0-dev+exp,true,process,process.entry_leader.name.caseless,keyword,extended,,ssh,Process name. 8.12.0-dev+exp,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. 8.12.0-dev+exp,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 8.12.0-dev+exp,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. 
@@ -688,6 +690,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. 8.12.0-dev+exp,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. 8.12.0-dev+exp,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.12.0-dev+exp,true,process,process.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev+exp,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process. 8.12.0-dev+exp,true,process,process.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
@@ -698,11 +701,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 8.12.0-dev+exp,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 8.12.0-dev+exp,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.12.0-dev+exp,true,process,process.group_leader.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev+exp,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev+exp,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 8.12.0-dev+exp,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. 8.12.0-dev+exp,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. 8.12.0-dev+exp,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. +8.12.0-dev+exp,true,process,process.group_leader.name.caseless,keyword,extended,,ssh,Process name. 8.12.0-dev+exp,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. 8.12.0-dev+exp,true,process,process.group_leader.pid,long,core,,4242,Process id. 8.12.0-dev+exp,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
@@ -762,6 +767,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. 8.12.0-dev+exp,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. 8.12.0-dev+exp,true,process,process.name,keyword,extended,,ssh,Process name. +8.12.0-dev+exp,true,process,process.name.caseless,keyword,extended,,ssh,Process name. 8.12.0-dev+exp,true,process,process.name.text,match_only_text,extended,,ssh,Process name. 8.12.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 8.12.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. @@ -817,6 +823,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. 8.12.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 8.12.0-dev+exp,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.12.0-dev+exp,true,process,process.parent.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev+exp,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev+exp,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. 8.12.0-dev+exp,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
@@ -850,6 +857,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. 8.12.0-dev+exp,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. 8.12.0-dev+exp,true,process,process.parent.name,keyword,extended,,ssh,Process name. +8.12.0-dev+exp,true,process,process.parent.name.caseless,keyword,extended,,ssh,Process name. 8.12.0-dev+exp,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. 8.12.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 8.12.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." @@ -933,6 +941,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 8.12.0-dev+exp,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. 8.12.0-dev+exp,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.12.0-dev+exp,true,process,process.previous.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev+exp,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev+exp,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 8.12.0-dev+exp,true,process,process.real_group.name,keyword,extended,,,Name of the group. 
@@ -950,11 +959,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 8.12.0-dev+exp,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 8.12.0-dev+exp,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.12.0-dev+exp,true,process,process.session_leader.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev+exp,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev+exp,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 8.12.0-dev+exp,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. 8.12.0-dev+exp,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. 8.12.0-dev+exp,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. +8.12.0-dev+exp,true,process,process.session_leader.name.caseless,keyword,extended,,ssh,Process name. 8.12.0-dev+exp,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. 8.12.0-dev+exp,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 8.12.0-dev+exp,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 02b972886f..65448363e9 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -8426,6 +8426,11 @@ process.entry_leader.executable: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.entry_leader.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.entry_leader.executable.text name: text type: match_only_text @@ -8487,6 +8492,11 @@ process.entry_leader.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.entry_leader.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.entry_leader.name.text name: text type: match_only_text @@ -8910,6 +8920,11 @@ process.executable: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.executable.text name: text type: match_only_text @@ -9029,6 +9044,11 @@ process.group_leader.executable: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.group_leader.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.group_leader.executable.text name: text type: match_only_text @@ -9090,6 +9110,11 @@ process.group_leader.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.group_leader.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.group_leader.name.text name: text type: match_only_text @@ -9779,6 +9804,11 @@ process.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.name.text name: text type: match_only_text 
@@ -10440,6 +10470,11 @@ process.parent.executable: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.parent.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.parent.executable.text name: text type: match_only_text @@ -10849,6 +10884,11 @@ process.parent.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.parent.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.parent.name.text name: text type: match_only_text @@ -11833,6 +11873,11 @@ process.previous.executable: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.previous.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.previous.executable.text name: text type: match_only_text @@ -12018,6 +12063,11 @@ process.session_leader.executable: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.session_leader.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.session_leader.executable.text name: text type: match_only_text @@ -12079,6 +12129,11 @@ process.session_leader.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.session_leader.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.session_leader.name.text name: text type: match_only_text diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index f600ab293a..9c39b3b5ae 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -10636,6 +10636,11 @@ process: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.entry_leader.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.entry_leader.executable.text name: text type: match_only_text @@ -10697,6 +10702,11 @@ process: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.entry_leader.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.entry_leader.name.text name: text type: match_only_text @@ -11120,6 +11130,11 @@ process: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.executable.text name: text type: match_only_text @@ -11239,6 +11254,11 @@ process: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.group_leader.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.group_leader.executable.text name: text type: match_only_text @@ -11300,6 +11320,11 @@ process: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.group_leader.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.group_leader.name.text name: text type: match_only_text @@ -11993,6 +12018,11 @@ process: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.name.text name: text type: match_only_text @@ -12655,6 +12685,11 @@ process: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.parent.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.parent.executable.text name: text type: match_only_text 
@@ -13065,6 +13100,11 @@ process: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.parent.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.parent.name.text name: text type: match_only_text @@ -14051,6 +14091,11 @@ process: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.previous.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.previous.executable.text name: text type: match_only_text @@ -14236,6 +14281,11 @@ process: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.session_leader.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.session_leader.executable.text name: text type: match_only_text @@ -14297,6 +14347,11 @@ process: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.session_leader.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.session_leader.name.text name: text type: match_only_text diff --git a/experimental/generated/elasticsearch/composable/component/process.json b/experimental/generated/elasticsearch/composable/component/process.json index f4dd52c1ce..21bc93af56 100644 --- a/experimental/generated/elasticsearch/composable/component/process.json +++ b/experimental/generated/elasticsearch/composable/component/process.json @@ -275,6 +275,11 @@ }, "executable": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } @@ -299,6 +304,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } 
@@ -471,6 +481,11 @@ }, "executable": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } @@ -516,6 +531,11 @@ }, "executable": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } @@ -540,6 +560,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } @@ -799,6 +824,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } @@ -1014,6 +1044,11 @@ }, "executable": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } @@ -1148,6 +1183,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } @@ -1504,6 +1544,11 @@ }, "executable": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } @@ -1594,6 +1639,11 @@ }, "executable": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } @@ -1618,6 +1668,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index 18386e190c..4e7c38235a 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json 
@@ -2996,6 +2996,11 @@ }, "executable": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } @@ -3020,6 +3025,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } @@ -3192,6 +3202,11 @@ }, "executable": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } @@ -3237,6 +3252,11 @@ }, "executable": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } @@ -3261,6 +3281,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } @@ -3520,6 +3545,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } @@ -3735,6 +3765,11 @@ }, "executable": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } @@ -3869,6 +3904,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } @@ -4225,6 +4265,11 @@ }, "executable": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } @@ -4315,6 +4360,11 @@ }, "executable": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } 
@@ -4339,6 +4389,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index fa0007884b..bd55fe7727 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -5125,6 +5125,10 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 - name: text type: match_only_text description: Absolute path to the process executable. @@ -5163,6 +5167,10 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 - name: text type: match_only_text description: 'Process name. @@ -5432,6 +5440,11 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 + default_field: false - name: text type: match_only_text default_field: false @@ -5510,6 +5523,10 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 - name: text type: match_only_text description: Absolute path to the process executable. @@ -5548,6 +5565,10 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 - name: text type: match_only_text description: 'Process name. @@ -5962,6 +5983,11 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 + default_field: false - name: text type: match_only_text default_field: false @@ -6351,6 +6377,10 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 - name: text type: match_only_text description: Absolute path to the process executable. 
@@ -6594,6 +6624,10 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 - name: text type: match_only_text description: 'Process name. @@ -7180,6 +7214,10 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 - name: text type: match_only_text description: Absolute path to the process executable. @@ -7295,6 +7333,10 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 - name: text type: match_only_text description: Absolute path to the process executable. @@ -7333,6 +7375,10 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 - name: text type: match_only_text description: 'Process name. diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index c31a8de31c..299f4aa1a7 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -641,11 +641,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. 8.12.0-dev,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. 8.12.0-dev,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.12.0-dev,true,process,process.entry_leader.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 8.12.0-dev,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. 8.12.0-dev,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. 8.12.0-dev,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. +8.12.0-dev,true,process,process.entry_leader.name.caseless,keyword,extended,,ssh,Process name. 8.12.0-dev,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. 8.12.0-dev,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 8.12.0-dev,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. 
@@ -681,6 +683,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. 8.12.0-dev,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. 8.12.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.12.0-dev,true,process,process.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. 8.12.0-dev,true,process,process.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
@@ -691,11 +694,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 8.12.0-dev,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 8.12.0-dev,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.12.0-dev,true,process,process.group_leader.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 8.12.0-dev,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. 8.12.0-dev,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. 8.12.0-dev,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. +8.12.0-dev,true,process,process.group_leader.name.caseless,keyword,extended,,ssh,Process name. 8.12.0-dev,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. 8.12.0-dev,true,process,process.group_leader.pid,long,core,,4242,Process id. 8.12.0-dev,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
@@ -755,6 +760,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. 8.12.0-dev,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. 8.12.0-dev,true,process,process.name,keyword,extended,,ssh,Process name. +8.12.0-dev,true,process,process.name.caseless,keyword,extended,,ssh,Process name. 8.12.0-dev,true,process,process.name.text,match_only_text,extended,,ssh,Process name. 8.12.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 8.12.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. @@ -810,6 +816,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. 8.12.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 8.12.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.12.0-dev,true,process,process.parent.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. 8.12.0-dev,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
@@ -843,6 +850,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. 8.12.0-dev,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. 8.12.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name. +8.12.0-dev,true,process,process.parent.name.caseless,keyword,extended,,ssh,Process name. 8.12.0-dev,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. 8.12.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 8.12.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." @@ -926,6 +934,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 8.12.0-dev,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. 8.12.0-dev,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.12.0-dev,true,process,process.previous.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 8.12.0-dev,true,process,process.real_group.name,keyword,extended,,,Name of the group. 
@@ -943,11 +952,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 8.12.0-dev,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 8.12.0-dev,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.12.0-dev,true,process,process.session_leader.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 8.12.0-dev,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. 8.12.0-dev,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. 8.12.0-dev,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. +8.12.0-dev,true,process,process.session_leader.name.caseless,keyword,extended,,ssh,Process name. 8.12.0-dev,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. 8.12.0-dev,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 8.12.0-dev,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 2022bddaf4..2ff10f67c0 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -8357,6 +8357,11 @@ process.entry_leader.executable: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.entry_leader.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.entry_leader.executable.text name: text type: match_only_text @@ -8418,6 +8423,11 @@ process.entry_leader.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.entry_leader.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.entry_leader.name.text name: text type: match_only_text @@ -8841,6 +8851,11 @@ process.executable: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.executable.text name: text type: match_only_text @@ -8960,6 +8975,11 @@ process.group_leader.executable: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.group_leader.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.group_leader.executable.text name: text type: match_only_text @@ -9021,6 +9041,11 @@ process.group_leader.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.group_leader.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.group_leader.name.text name: text type: match_only_text @@ -9710,6 +9735,11 @@ process.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.name.text name: text type: match_only_text 
@@ -10371,6 +10401,11 @@ process.parent.executable: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.parent.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.parent.executable.text name: text type: match_only_text @@ -10780,6 +10815,11 @@ process.parent.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.parent.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.parent.name.text name: text type: match_only_text @@ -11764,6 +11804,11 @@ process.previous.executable: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.previous.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.previous.executable.text name: text type: match_only_text @@ -11949,6 +11994,11 @@ process.session_leader.executable: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.session_leader.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.session_leader.executable.text name: text type: match_only_text @@ -12010,6 +12060,11 @@ process.session_leader.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.session_leader.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.session_leader.name.text name: text type: match_only_text diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 8057eeed15..cc11243d59 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -10556,6 +10556,11 @@ process: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.entry_leader.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.entry_leader.executable.text name: text type: match_only_text @@ -10617,6 +10622,11 @@ process: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.entry_leader.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.entry_leader.name.text name: text type: match_only_text @@ -11040,6 +11050,11 @@ process: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.executable.text name: text type: match_only_text @@ -11159,6 +11174,11 @@ process: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.group_leader.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.group_leader.executable.text name: text type: match_only_text @@ -11220,6 +11240,11 @@ process: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.group_leader.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.group_leader.name.text name: text type: match_only_text @@ -11913,6 +11938,11 @@ process: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.name.text name: text type: match_only_text @@ -12575,6 +12605,11 @@ process: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.parent.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.parent.executable.text name: text type: match_only_text 
@@ -12985,6 +13020,11 @@ process: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.parent.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.parent.name.text name: text type: match_only_text @@ -13971,6 +14011,11 @@ process: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.previous.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.previous.executable.text name: text type: match_only_text @@ -14156,6 +14201,11 @@ process: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.session_leader.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.session_leader.executable.text name: text type: match_only_text @@ -14217,6 +14267,11 @@ process: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.session_leader.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.session_leader.name.text name: text type: match_only_text diff --git a/generated/elasticsearch/composable/component/process.json b/generated/elasticsearch/composable/component/process.json index 6cc1382d11..a4b1e5e1f0 100644 --- a/generated/elasticsearch/composable/component/process.json +++ b/generated/elasticsearch/composable/component/process.json @@ -275,6 +275,11 @@ }, "executable": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } @@ -299,6 +304,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } 
@@ -471,6 +481,11 @@ }, "executable": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } @@ -516,6 +531,11 @@ }, "executable": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } @@ -540,6 +560,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } @@ -799,6 +824,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } @@ -1014,6 +1044,11 @@ }, "executable": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } @@ -1148,6 +1183,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } @@ -1504,6 +1544,11 @@ }, "executable": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } @@ -1594,6 +1639,11 @@ }, "executable": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } @@ -1618,6 +1668,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index a6b67033e2..1d343b5050 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json 
@@ -2954,6 +2954,11 @@ }, "executable": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } @@ -2978,6 +2983,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } @@ -3150,6 +3160,11 @@ }, "executable": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } @@ -3195,6 +3210,11 @@ }, "executable": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } @@ -3219,6 +3239,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } @@ -3478,6 +3503,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } @@ -3693,6 +3723,11 @@ }, "executable": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } @@ -3827,6 +3862,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } @@ -4183,6 +4223,11 @@ }, "executable": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } @@ -4273,6 +4318,11 @@ }, "executable": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } 
@@ -4297,6 +4347,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "type": "match_only_text" } diff --git a/schemas/process.yml b/schemas/process.yml index 91c8ef98ef..b1acf8945c 100644 --- a/schemas/process.yml +++ b/schemas/process.yml @@ -112,6 +112,10 @@ Sometimes called program name or similar. example: ssh multi_fields: + - name: caseless + ignore_above: 1024 + normalizer: lowercase + type: keyword - type: match_only_text name: text @@ -171,6 +175,10 @@ Absolute path to the process executable. example: /usr/bin/ssh multi_fields: + - name: caseless + ignore_above: 1024 + normalizer: lowercase + type: keyword - type: match_only_text name: text From 146c96aae530af83b4d3f7283cf2f081fb51f442 Mon Sep 17 00:00:00 2001 
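Review bot: the two `multi_fields` additions in the schemas/process.yml hunk fan out through field reuse into eleven extra indexed keyword copies per process event (the ecs_flat.yml hunks add `.caseless` under `process.name` and `process.executable`, the same pair under `entry_leader`, `group_leader`, `parent` and `session_leader`, plus `process.previous.executable`), each stored next to the existing `keyword` parent and its `.text` sibling; the index-size cost of that should be quantified in the PR, and it is worth asking whether the reuse locations need the subfield at all rather than only the top-level pair. A smaller point on the composable component and legacy template hunks: `"normalizer": "lowercase"` is added with no matching settings change, so the mapping relies on Elasticsearch's built-in `lowercase` normalizer (7.10 and later), which is an implicit version floor worth noting in the changelog entry.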
From: Andrew Kroh Date: Tue, 23 Jul 2024 15:17:29 -0400 Subject: [PATCH 149/186] Revert "Add .caseless subfield to process.name & process.executable" (#2350) This reverts commit 7815b3f9f316aa4f179d08c1f74e24d804ad4886 from #2341. This is being reverted due to storage concerns. The goal will be to advance the native querying capabilities (ES|QL, KQL) of the Elastic stack such that this extra normalized multi-field is not necessary. In the meantime, localized overrides of the ECS field definition will be used to add the additional multi-field where needed. The downside of localized overrides is that it creates inconsistency across usages of this field. --- CHANGELOG.next.md | 2 - docs/fields/field-details.asciidoc | 6 -- experimental/generated/beats/fields.ecs.yml | 46 ---------------- experimental/generated/csv/fields.csv | 11 ---- experimental/generated/ecs/ecs_flat.yml | 55 ------------------- experimental/generated/ecs/ecs_nested.yml | 55 ------------------- .../composable/component/process.json | 55 ------------------- .../elasticsearch/legacy/template.json | 55 ------------------- generated/beats/fields.ecs.yml | 46 ---------------- generated/csv/fields.csv | 11 ---- generated/ecs/ecs_flat.yml | 55 ------------------- generated/ecs/ecs_nested.yml | 55 ------------------- .../composable/component/process.json | 55 ------------------- generated/elasticsearch/legacy/template.json | 55 ------------------- schemas/process.yml | 8 --- 15 files changed, 570 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 85035153ba..9613fb89e6 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -25,8 +25,6 @@ Thanks, you're awesome :-) --> #### Improvements -* Added `.caseless` subfield to `process.name` and `process.executable`. #2341 - #### Deprecated ### Tooling and Artifact Changes diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index 3d817d46ce..31273d8c4b 100644 --- a/docs/fields/field-details.asciidoc 
+++ b/docs/fields/field-details.asciidoc @@ -8128,9 +8128,6 @@ type: keyword Multi-fields: -* process.executable.caseless (type: keyword) - - * process.executable.text (type: match_only_text) @@ -8346,9 +8343,6 @@ type: keyword Multi-fields: -* process.name.caseless (type: keyword) - - * process.name.text (type: match_only_text) diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 7f63fa34e9..bc95a6db22 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -5175,10 +5175,6 @@ type: keyword ignore_above: 1024 multi_fields: - - name: caseless - type: keyword - normalizer: lowercase - ignore_above: 1024 - name: text type: match_only_text description: Absolute path to the process executable. @@ -5217,10 +5213,6 @@ type: keyword ignore_above: 1024 multi_fields: - - name: caseless - type: keyword - normalizer: lowercase - ignore_above: 1024 - name: text type: match_only_text description: 'Process name. @@ -5490,11 +5482,6 @@ type: keyword ignore_above: 1024 multi_fields: - - name: caseless - type: keyword - normalizer: lowercase - ignore_above: 1024 - default_field: false - name: text type: match_only_text default_field: false @@ -5573,10 +5560,6 @@ type: keyword ignore_above: 1024 multi_fields: - - name: caseless - type: keyword - normalizer: lowercase - ignore_above: 1024 - name: text type: match_only_text description: Absolute path to the process executable. @@ -5615,10 +5598,6 @@ type: keyword ignore_above: 1024 multi_fields: - - name: caseless - type: keyword - normalizer: lowercase - ignore_above: 1024 - name: text type: match_only_text description: 'Process name. @@ -6033,11 +6012,6 @@ type: keyword ignore_above: 1024 multi_fields: - - name: caseless - type: keyword - normalizer: lowercase - ignore_above: 1024 - default_field: false - name: text type: match_only_text default_field: false 
@@ -6427,10 +6401,6 @@ type: keyword ignore_above: 1024 multi_fields: - - name: caseless - type: keyword - normalizer: lowercase - ignore_above: 1024 - name: text type: match_only_text description: Absolute path to the process executable. @@ -6674,10 +6644,6 @@ type: keyword ignore_above: 1024 multi_fields: - - name: caseless - type: keyword - normalizer: lowercase - ignore_above: 1024 - name: text type: match_only_text description: 'Process name. @@ -7264,10 +7230,6 @@ type: keyword ignore_above: 1024 multi_fields: - - name: caseless - type: keyword - normalizer: lowercase - ignore_above: 1024 - name: text type: match_only_text description: Absolute path to the process executable. @@ -7383,10 +7345,6 @@ type: keyword ignore_above: 1024 multi_fields: - - name: caseless - type: keyword - normalizer: lowercase - ignore_above: 1024 - name: text type: match_only_text description: Absolute path to the process executable. @@ -7425,10 +7383,6 @@ type: keyword ignore_above: 1024 multi_fields: - - name: caseless - type: keyword - normalizer: lowercase - ignore_above: 1024 - name: text type: match_only_text description: 'Process name. diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 5c51865b5d..292ac5f917 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -648,13 +648,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. 8.12.0-dev+exp,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. 8.12.0-dev+exp,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev+exp,true,process,process.entry_leader.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev+exp,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev+exp,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 8.12.0-dev+exp,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. 8.12.0-dev+exp,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. 8.12.0-dev+exp,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. -8.12.0-dev+exp,true,process,process.entry_leader.name.caseless,keyword,extended,,ssh,Process name. 8.12.0-dev+exp,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. 8.12.0-dev+exp,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 8.12.0-dev+exp,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. 
@@ -690,7 +688,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. 8.12.0-dev+exp,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. 8.12.0-dev+exp,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev+exp,true,process,process.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev+exp,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process. 8.12.0-dev+exp,true,process,process.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
@@ -701,13 +698,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 8.12.0-dev+exp,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 8.12.0-dev+exp,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev+exp,true,process,process.group_leader.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev+exp,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev+exp,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 8.12.0-dev+exp,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. 8.12.0-dev+exp,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. 8.12.0-dev+exp,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. -8.12.0-dev+exp,true,process,process.group_leader.name.caseless,keyword,extended,,ssh,Process name. 8.12.0-dev+exp,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. 8.12.0-dev+exp,true,process,process.group_leader.pid,long,core,,4242,Process id. 8.12.0-dev+exp,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
@@ -767,7 +762,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. 8.12.0-dev+exp,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. 8.12.0-dev+exp,true,process,process.name,keyword,extended,,ssh,Process name. -8.12.0-dev+exp,true,process,process.name.caseless,keyword,extended,,ssh,Process name. 8.12.0-dev+exp,true,process,process.name.text,match_only_text,extended,,ssh,Process name. 8.12.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 8.12.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. @@ -823,7 +817,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. 8.12.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 8.12.0-dev+exp,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev+exp,true,process,process.parent.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev+exp,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev+exp,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. 8.12.0-dev+exp,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
@@ -857,7 +850,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. 8.12.0-dev+exp,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. 8.12.0-dev+exp,true,process,process.parent.name,keyword,extended,,ssh,Process name. -8.12.0-dev+exp,true,process,process.parent.name.caseless,keyword,extended,,ssh,Process name. 8.12.0-dev+exp,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. 8.12.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 8.12.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." @@ -941,7 +933,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 8.12.0-dev+exp,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. 8.12.0-dev+exp,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev+exp,true,process,process.previous.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev+exp,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev+exp,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 8.12.0-dev+exp,true,process,process.real_group.name,keyword,extended,,,Name of the group. 
@@ -959,13 +950,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 8.12.0-dev+exp,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 8.12.0-dev+exp,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev+exp,true,process,process.session_leader.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev+exp,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev+exp,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 8.12.0-dev+exp,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. 8.12.0-dev+exp,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. 8.12.0-dev+exp,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. -8.12.0-dev+exp,true,process,process.session_leader.name.caseless,keyword,extended,,ssh,Process name. 8.12.0-dev+exp,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. 8.12.0-dev+exp,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 8.12.0-dev+exp,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 65448363e9..02b972886f 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -8426,11 +8426,6 @@ process.entry_leader.executable: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.entry_leader.executable.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.entry_leader.executable.text name: text type: match_only_text @@ -8492,11 +8487,6 @@ process.entry_leader.name: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.entry_leader.name.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.entry_leader.name.text name: text type: match_only_text @@ -8920,11 +8910,6 @@ process.executable: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.executable.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.executable.text name: text type: match_only_text @@ -9044,11 +9029,6 @@ process.group_leader.executable: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.group_leader.executable.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.group_leader.executable.text name: text type: match_only_text @@ -9110,11 +9090,6 @@ process.group_leader.name: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.group_leader.name.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.group_leader.name.text name: text type: match_only_text @@ -9804,11 +9779,6 @@ process.name: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.name.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.name.text name: text type: match_only_text 
@@ -10470,11 +10440,6 @@ process.parent.executable: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.parent.executable.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.parent.executable.text name: text type: match_only_text @@ -10884,11 +10849,6 @@ process.parent.name: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.parent.name.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.parent.name.text name: text type: match_only_text @@ -11873,11 +11833,6 @@ process.previous.executable: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.previous.executable.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.previous.executable.text name: text type: match_only_text @@ -12063,11 +12018,6 @@ process.session_leader.executable: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.session_leader.executable.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.session_leader.executable.text name: text type: match_only_text @@ -12129,11 +12079,6 @@ process.session_leader.name: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.session_leader.name.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.session_leader.name.text name: text type: match_only_text diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 9c39b3b5ae..f600ab293a 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -10636,11 +10636,6 @@ process: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.entry_leader.executable.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.entry_leader.executable.text name: text type: match_only_text @@ -10702,11 +10697,6 @@ process: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.entry_leader.name.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.entry_leader.name.text name: text type: match_only_text @@ -11130,11 +11120,6 @@ process: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.executable.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.executable.text name: text type: match_only_text @@ -11254,11 +11239,6 @@ process: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.group_leader.executable.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.group_leader.executable.text name: text type: match_only_text @@ -11320,11 +11300,6 @@ process: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.group_leader.name.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.group_leader.name.text name: text type: match_only_text @@ -12018,11 +11993,6 @@ process: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.name.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.name.text name: text type: match_only_text @@ -12685,11 +12655,6 @@ process: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.parent.executable.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.parent.executable.text name: text type: match_only_text 
@@ -13100,11 +13065,6 @@ process: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.parent.name.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.parent.name.text name: text type: match_only_text @@ -14091,11 +14051,6 @@ process: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.previous.executable.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.previous.executable.text name: text type: match_only_text @@ -14281,11 +14236,6 @@ process: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.session_leader.executable.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.session_leader.executable.text name: text type: match_only_text @@ -14347,11 +14297,6 @@ process: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.session_leader.name.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.session_leader.name.text name: text type: match_only_text diff --git a/experimental/generated/elasticsearch/composable/component/process.json b/experimental/generated/elasticsearch/composable/component/process.json index 21bc93af56..f4dd52c1ce 100644 --- a/experimental/generated/elasticsearch/composable/component/process.json +++ b/experimental/generated/elasticsearch/composable/component/process.json @@ -275,11 +275,6 @@ }, "executable": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } @@ -304,11 +299,6 @@ }, "name": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } 
@@ -481,11 +471,6 @@ }, "executable": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } @@ -531,11 +516,6 @@ }, "executable": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } @@ -560,11 +540,6 @@ }, "name": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } @@ -824,11 +799,6 @@ }, "name": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } @@ -1044,11 +1014,6 @@ }, "executable": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } @@ -1183,11 +1148,6 @@ }, "name": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } @@ -1544,11 +1504,6 @@ }, "executable": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } @@ -1639,11 +1594,6 @@ }, "executable": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } @@ -1668,11 +1618,6 @@ }, "name": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index 4e7c38235a..18386e190c 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json 
@@ -2996,11 +2996,6 @@ }, "executable": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } @@ -3025,11 +3020,6 @@ }, "name": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } @@ -3202,11 +3192,6 @@ }, "executable": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } @@ -3252,11 +3237,6 @@ }, "executable": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } @@ -3281,11 +3261,6 @@ }, "name": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } @@ -3545,11 +3520,6 @@ }, "name": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } @@ -3765,11 +3735,6 @@ }, "executable": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } @@ -3904,11 +3869,6 @@ }, "name": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } @@ -4265,11 +4225,6 @@ }, "executable": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } @@ -4360,11 +4315,6 @@ }, "executable": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } 
@@ -4389,11 +4339,6 @@ }, "name": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index bd55fe7727..fa0007884b 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -5125,10 +5125,6 @@ type: keyword ignore_above: 1024 multi_fields: - - name: caseless - type: keyword - normalizer: lowercase - ignore_above: 1024 - name: text type: match_only_text description: Absolute path to the process executable. @@ -5167,10 +5163,6 @@ type: keyword ignore_above: 1024 multi_fields: - - name: caseless - type: keyword - normalizer: lowercase - ignore_above: 1024 - name: text type: match_only_text description: 'Process name. @@ -5440,11 +5432,6 @@ type: keyword ignore_above: 1024 multi_fields: - - name: caseless - type: keyword - normalizer: lowercase - ignore_above: 1024 - default_field: false - name: text type: match_only_text default_field: false @@ -5523,10 +5510,6 @@ type: keyword ignore_above: 1024 multi_fields: - - name: caseless - type: keyword - normalizer: lowercase - ignore_above: 1024 - name: text type: match_only_text description: Absolute path to the process executable. @@ -5565,10 +5548,6 @@ type: keyword ignore_above: 1024 multi_fields: - - name: caseless - type: keyword - normalizer: lowercase - ignore_above: 1024 - name: text type: match_only_text description: 'Process name. @@ -5983,11 +5962,6 @@ type: keyword ignore_above: 1024 multi_fields: - - name: caseless - type: keyword - normalizer: lowercase - ignore_above: 1024 - default_field: false - name: text type: match_only_text default_field: false @@ -6377,10 +6351,6 @@ type: keyword ignore_above: 1024 multi_fields: - - name: caseless - type: keyword - normalizer: lowercase - ignore_above: 1024 - name: text type: match_only_text description: Absolute path to the process executable. 
@@ -6624,10 +6594,6 @@ type: keyword ignore_above: 1024 multi_fields: - - name: caseless - type: keyword - normalizer: lowercase - ignore_above: 1024 - name: text type: match_only_text description: 'Process name. @@ -7214,10 +7180,6 @@ type: keyword ignore_above: 1024 multi_fields: - - name: caseless - type: keyword - normalizer: lowercase - ignore_above: 1024 - name: text type: match_only_text description: Absolute path to the process executable. @@ -7333,10 +7295,6 @@ type: keyword ignore_above: 1024 multi_fields: - - name: caseless - type: keyword - normalizer: lowercase - ignore_above: 1024 - name: text type: match_only_text description: Absolute path to the process executable. @@ -7375,10 +7333,6 @@ type: keyword ignore_above: 1024 multi_fields: - - name: caseless - type: keyword - normalizer: lowercase - ignore_above: 1024 - name: text type: match_only_text description: 'Process name. diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 299f4aa1a7..c31a8de31c 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -641,13 +641,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. 8.12.0-dev,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. 8.12.0-dev,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev,true,process,process.entry_leader.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 8.12.0-dev,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. 8.12.0-dev,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. 8.12.0-dev,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. -8.12.0-dev,true,process,process.entry_leader.name.caseless,keyword,extended,,ssh,Process name. 8.12.0-dev,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. 8.12.0-dev,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 8.12.0-dev,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. 
@@ -683,7 +681,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. 8.12.0-dev,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. 8.12.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev,true,process,process.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. 8.12.0-dev,true,process,process.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
@@ -694,13 +691,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 8.12.0-dev,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 8.12.0-dev,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev,true,process,process.group_leader.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 8.12.0-dev,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. 8.12.0-dev,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. 8.12.0-dev,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. -8.12.0-dev,true,process,process.group_leader.name.caseless,keyword,extended,,ssh,Process name. 8.12.0-dev,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. 8.12.0-dev,true,process,process.group_leader.pid,long,core,,4242,Process id. 8.12.0-dev,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
@@ -760,7 +755,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. 8.12.0-dev,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. 8.12.0-dev,true,process,process.name,keyword,extended,,ssh,Process name. -8.12.0-dev,true,process,process.name.caseless,keyword,extended,,ssh,Process name. 8.12.0-dev,true,process,process.name.text,match_only_text,extended,,ssh,Process name. 8.12.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 8.12.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. @@ -816,7 +810,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. 8.12.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 8.12.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev,true,process,process.parent.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. 8.12.0-dev,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
@@ -850,7 +843,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. 8.12.0-dev,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. 8.12.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name. -8.12.0-dev,true,process,process.parent.name.caseless,keyword,extended,,ssh,Process name. 8.12.0-dev,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. 8.12.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 8.12.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." @@ -934,7 +926,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 8.12.0-dev,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. 8.12.0-dev,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev,true,process,process.previous.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 8.12.0-dev,true,process,process.real_group.name,keyword,extended,,,Name of the group. 
@@ -952,13 +943,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 8.12.0-dev,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 8.12.0-dev,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev,true,process,process.session_leader.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.12.0-dev,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 8.12.0-dev,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. 8.12.0-dev,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. 8.12.0-dev,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. -8.12.0-dev,true,process,process.session_leader.name.caseless,keyword,extended,,ssh,Process name. 8.12.0-dev,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. 8.12.0-dev,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 8.12.0-dev,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 2ff10f67c0..2022bddaf4 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -8357,11 +8357,6 @@ process.entry_leader.executable: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.entry_leader.executable.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.entry_leader.executable.text name: text type: match_only_text @@ -8423,11 +8418,6 @@ process.entry_leader.name: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.entry_leader.name.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.entry_leader.name.text name: text type: match_only_text @@ -8851,11 +8841,6 @@ process.executable: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.executable.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.executable.text name: text type: match_only_text @@ -8975,11 +8960,6 @@ process.group_leader.executable: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.group_leader.executable.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.group_leader.executable.text name: text type: match_only_text @@ -9041,11 +9021,6 @@ process.group_leader.name: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.group_leader.name.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.group_leader.name.text name: text type: match_only_text @@ -9735,11 +9710,6 @@ process.name: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.name.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.name.text name: text type: match_only_text 
@@ -10401,11 +10371,6 @@ process.parent.executable: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.parent.executable.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.parent.executable.text name: text type: match_only_text @@ -10815,11 +10780,6 @@ process.parent.name: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.parent.name.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.parent.name.text name: text type: match_only_text @@ -11804,11 +11764,6 @@ process.previous.executable: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.previous.executable.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.previous.executable.text name: text type: match_only_text @@ -11994,11 +11949,6 @@ process.session_leader.executable: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.session_leader.executable.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.session_leader.executable.text name: text type: match_only_text @@ -12060,11 +12010,6 @@ process.session_leader.name: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.session_leader.name.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.session_leader.name.text name: text type: match_only_text diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index cc11243d59..8057eeed15 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -10556,11 +10556,6 @@ process: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.entry_leader.executable.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.entry_leader.executable.text name: text type: match_only_text @@ -10622,11 +10617,6 @@ process: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.entry_leader.name.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.entry_leader.name.text name: text type: match_only_text @@ -11050,11 +11040,6 @@ process: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.executable.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.executable.text name: text type: match_only_text @@ -11174,11 +11159,6 @@ process: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.group_leader.executable.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.group_leader.executable.text name: text type: match_only_text @@ -11240,11 +11220,6 @@ process: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.group_leader.name.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.group_leader.name.text name: text type: match_only_text @@ -11938,11 +11913,6 @@ process: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.name.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.name.text name: text type: match_only_text @@ -12605,11 +12575,6 @@ process: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.parent.executable.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.parent.executable.text name: text type: match_only_text 
@@ -13020,11 +12985,6 @@ process: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.parent.name.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.parent.name.text name: text type: match_only_text @@ -14011,11 +13971,6 @@ process: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.previous.executable.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.previous.executable.text name: text type: match_only_text @@ -14201,11 +14156,6 @@ process: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.session_leader.executable.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.session_leader.executable.text name: text type: match_only_text @@ -14267,11 +14217,6 @@ process: ignore_above: 1024 level: extended multi_fields: - - flat_name: process.session_leader.name.caseless - ignore_above: 1024 - name: caseless - normalizer: lowercase - type: keyword - flat_name: process.session_leader.name.text name: text type: match_only_text diff --git a/generated/elasticsearch/composable/component/process.json b/generated/elasticsearch/composable/component/process.json index a4b1e5e1f0..6cc1382d11 100644 --- a/generated/elasticsearch/composable/component/process.json +++ b/generated/elasticsearch/composable/component/process.json @@ -275,11 +275,6 @@ }, "executable": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } @@ -304,11 +299,6 @@ }, "name": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } 
@@ -481,11 +471,6 @@ }, "executable": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } @@ -531,11 +516,6 @@ }, "executable": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } @@ -560,11 +540,6 @@ }, "name": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } @@ -824,11 +799,6 @@ }, "name": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } @@ -1044,11 +1014,6 @@ }, "executable": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } @@ -1183,11 +1148,6 @@ }, "name": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } @@ -1544,11 +1504,6 @@ }, "executable": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } @@ -1639,11 +1594,6 @@ }, "executable": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } @@ -1668,11 +1618,6 @@ }, "name": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index 1d343b5050..a6b67033e2 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json 
@@ -2954,11 +2954,6 @@ }, "executable": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } @@ -2983,11 +2978,6 @@ }, "name": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } @@ -3160,11 +3150,6 @@ }, "executable": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } @@ -3210,11 +3195,6 @@ }, "executable": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } @@ -3239,11 +3219,6 @@ }, "name": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } @@ -3503,11 +3478,6 @@ }, "name": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } @@ -3723,11 +3693,6 @@ }, "executable": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } @@ -3862,11 +3827,6 @@ }, "name": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } @@ -4223,11 +4183,6 @@ }, "executable": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } @@ -4318,11 +4273,6 @@ }, "executable": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } 
@@ -4347,11 +4297,6 @@ }, "name": { "fields": { - "caseless": { - "ignore_above": 1024, - "normalizer": "lowercase", - "type": "keyword" - }, "text": { "type": "match_only_text" } diff --git a/schemas/process.yml b/schemas/process.yml index b1acf8945c..91c8ef98ef 100644 --- a/schemas/process.yml +++ b/schemas/process.yml @@ -112,10 +112,6 @@ Sometimes called program name or similar. example: ssh multi_fields: - - name: caseless - ignore_above: 1024 - normalizer: lowercase - type: keyword - type: match_only_text name: text @@ -175,10 +171,6 @@ Absolute path to the process executable. example: /usr/bin/ssh multi_fields: - - name: caseless - ignore_above: 1024 - normalizer: lowercase - type: keyword - type: match_only_text name: text From fa370236b9237764e8b493ddef05875911571b14 Mon Sep 17 00:00:00 2001 From: Thijs Xhaflaire Date: Tue, 13 Aug 2024 20:48:13 +0200 Subject: [PATCH 150/186] [RFC] Apple Platform specific fields (#2338) Adds RFS stage 0 --------- Co-authored-by: Alexandra Konrad Co-authored-by: Michael Wolf --- ...0044-add-apple-platform-specific-fields.md | 119 ++++++++++++++++++ rfcs/text/0044/code_signature.yml | 10 ++ rfcs/text/0044/device.yml | 10 ++ rfcs/text/0044/hash.yml | 9 ++ rfcs/text/0044/process.yml | 36 ++++++ 5 files changed, 184 insertions(+) create mode 100644 rfcs/text/0044-add-apple-platform-specific-fields.md create mode 100644 rfcs/text/0044/code_signature.yml create mode 100644 rfcs/text/0044/device.yml create mode 100644 rfcs/text/0044/hash.yml create mode 100644 rfcs/text/0044/process.yml diff --git a/rfcs/text/0044-add-apple-platform-specific-fields.md b/rfcs/text/0044-add-apple-platform-specific-fields.md new file mode 100644 index 0000000000..8b14a79d5d --- /dev/null +++ b/rfcs/text/0044-add-apple-platform-specific-fields.md 
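Review bot: the two `schemas/process.yml` hunks (the `name` and `executable` definitions) silently drop a queryable subfield, and the removed `generated/csv/fields.csv` rows show exactly which names disappear: `process.name.caseless`, `process.executable.caseless`, the same pair under `entry_leader`, `group_leader`, `parent` and `session_leader`, and `process.previous.executable.caseless`. Any saved search, detection rule or ingest pipeline that relied on the `normalizer: lowercase` behaviour of those subfields for case-insensitive matching will stop matching once the regenerated `template.json` or composable `process.json` is applied, so this should be recorded as a breaking change in the changelog, and the release notes should point consumers at an alternative (for example a `case_insensitive` term or wildcard query on the parent keyword field). Both `generated/` and `experimental/generated/` are regenerated consistently, which is good, but note that the experimental schema no longer carries the subfield either, so there is no staged migration path for anyone still depending on it.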
@@ -0,0 +1,119 @@ +# 0000: Name of RFC + + +- Stage: **0 (strawperson)** +- Date: **TBD** + + +### Summary +This RFC proposes the addition of Apple platform-specific fields to the ECS schema. This enhancement will enable security software vendors to more accurately map out data, particularly for Apple platforms. + +The following feelds needs to be considered being added: + +## Fields + +##### Proposed New Fields for Process object + +Field | Type | Example | Description +--- | --- | --- | --- +responsible | keyword | Terminal.app | The responsible process on macOS, from an ancestry perspective, is the process that originally launched or spawned a given process. +platform_binary | boolean | true | Indicates wethether this process executable is a default platform binary shipped with the operating system. +endpoint_security_client | boolean | true | Indicates wethether this process executable is an Endpoint Security client. + +##### Proposed New Fields for Code Signature object + +Field | Type | Example | Description +--- | --- | --- | --- +flags | string | 570522385 | The flags used to sign the process. + +##### Proposed New Fields for Hash object + +Field | Type | Example | Description +--- | --- | --- | --- +cdhash | keyword | 3783b4052fd474dbe30676b45c329e7a6d44acd9 | The Code Directory (CD) hash of an executable + +##### Proposed New Fields for Device object + +Field | Type | Example | Description +--- | --- | --- | --- +serial_number | keyword | DJGAQS4CW5 | The unique serial number serves as a distinct identifier for each device, aiding in inventory management and device authentication. + +### Motivation + +As the number of Apple endpoints in enterprises grows, having the right fields to map data becomes increasingly valuable. This enables security researchers using Elastic, particularly those focusing on macOS, to query data more effectively by leveraging enriched data sets. 
+ +## Usage + +As a developer at Jamf, working on the Elastic integration for Jamf Protect, our goal is to map as many fields as possible, especially as Jamf specializes in Apple platform security. While developing the integration, we've identified some gaps related to mapping events to ECS. + +These new fields offer versatile methods. For instance, they facilitate querying process executions by platform binaries or endpoint security clients without requiring specific identifiers. The added hash fields are particularly valuable for tracking the hash of an application bundle alongside the hash of the executable in the directory itself, while the others are self-explanatory. + +## Source data + +This data originates from Endpoint Security software operating on a macOS host and can be transmitted through various methods, including an Elastic Agent and as example the use of the Jamf Protect integration, which supports AWS S3 or HTTPs. + + + + + + + + + + + + + +## People + +The following are the people that consulted on the contents of this RFC. + +* txhaflaire | author + + + + +## References + + + +### RFC Pull Requests + + + +* Stage 0: https://github.com/elastic/ecs/pull/2338 + + diff --git a/rfcs/text/0044/code_signature.yml b/rfcs/text/0044/code_signature.yml new file mode 100644 index 0000000000..091339048d --- /dev/null +++ b/rfcs/text/0044/code_signature.yml @@ -0,0 +1,10 @@ +--- +- name: code_signature + fields: + - name: flags + level: extended + type: string + short: Code signing flags of the process + description: > + The flags used to sign the process. + example: 570522385 \ No newline at end of file diff --git a/rfcs/text/0044/device.yml b/rfcs/text/0044/device.yml new file mode 100644 index 0000000000..5bfdcdb161 --- /dev/null +++ b/rfcs/text/0044/device.yml 
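Review bot: the RFC text in `rfcs/text/0044-add-apple-platform-specific-fields.md` still carries template placeholders (`# 0000: Name of RFC`, `Date: **TBD**`) and a few typos that will be rendered as-is: `feelds needs` (fields need), `wethether` twice in the process table, and `HTTPs` in the source-data section. More substantively, the process table lists `responsible | keyword | Terminal.app`, while the accompanying `rfcs/text/0044/process.yml` models `responsible` as a reuse of the whole `process` field set at `process.responsible`, which yields a nested object rather than a single keyword; one of the two should change so the table and the schema file agree.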
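Review bot: `type: string` in `rfcs/text/0044/code_signature.yml` is not an Elasticsearch mapping type (it was superseded by `keyword` and `text`), and every other field in this patch uses a real mapping type (`keyword`, `boolean`, `long`); the RFC's Code Signature table repeats the same `string`. Since the example `570522385` is a flag mask, `long` would permit numeric comparisons, while `keyword` keeps it opaque; pick one and use it in both the table and the yml. The file also lacks a trailing newline (`\ No newline at end of file`).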
@@ -0,0 +1,10 @@ +--- +- name: device + fields: + - name: serial_number + level: core + type: keyword + short: Serial Number of the device + description: > + The unique serial number serves as a distinct identifier for each device, aiding in inventory management and device authentication. + example: DJGAQS4CW5 \ No newline at end of file diff --git a/rfcs/text/0044/hash.yml b/rfcs/text/0044/hash.yml new file mode 100644 index 0000000000..9d76c4957c --- /dev/null +++ b/rfcs/text/0044/hash.yml @@ -0,0 +1,9 @@ +--- +- name: file + fields: + - name: cdhash + level: extended + type: keyword + short: The Code Directory (CD) hash of an executable. + description: Code directory hash, utilized to uniquely identify and authenticate the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 \ No newline at end of file diff --git a/rfcs/text/0044/process.yml b/rfcs/text/0044/process.yml new file mode 100644 index 0000000000..d9e8691439 --- /dev/null +++ b/rfcs/text/0044/process.yml 
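Review bot: `level: core` on `device.serial_number` in `rfcs/text/0044/device.yml` makes it the only core-level field in this RFC; the other proposed fields are `extended`, and core is reserved in ECS for fields expected in most events, which a hardware serial number is not (virtual machines, containers and most non-Apple sources have none to report). Suggest `extended` unless the RFC text argues for core, and add the missing trailing newline.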
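Review bot: `rfcs/text/0044/hash.yml` declares the new field under `- name: file`, so it would be mapped as `file.cdhash`, but the RFC table announces it as a new field of the Hash object, and the stated use case (tracking the bundle hash alongside the executable's hash) only works if it lives in the reusable `hash` set, where it becomes `file.hash.cdhash`, `process.hash.cdhash` and so on. Either rename the set to `hash` (the file name already says so) or correct the RFC table. The trailing newline is missing here as well.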
@@ -0,0 +1,36 @@ +--- +- name: process + title: Process + group: 2 + short: These fields contain information about a process. + description: > + These fields contain information about a process. + + These fields can help you correlate metrics information with a process id/name + from a log message. The `process.pid` often stays in the metric itself and is + copied to the global field for correlation. + type: group + reusable: + top_level: true + expected: + - at: process + as: responsible + short_override: Information about the responsible process. + +- name: process + fields: + - name: platform_binary + level: extended + type: boolean + short: Indicates whether this process executable is a default platform binary shipped with the operating system. + description: > + Binaries that are shipped by the operating system are defined as platform binaries, this value is then set to true. + example: true + + - name: endpoint_security_client + level: extended + type: boolean + short: Indicates whether this process executable is an Endpoint Security client. + description: > + Processes that have an endpoint security client must have the com.apple.endpointsecurity entitlement and the value is set to true in the message. + example: true \ No newline at end of file From a664f225c07188beb2ec8739cfd6a71e9e927e4a Mon Sep 17 00:00:00 2001 From: "elastic-renovate-prod[bot]" <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Date: Tue, 13 Aug 2024 13:39:17 -0700 Subject: [PATCH 151/186] Add renovate.json (#2352) Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Co-authored-by: Michael Wolf --- renovate.json | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 renovate.json diff --git a/renovate.json b/renovate.json new file mode 100644 index 0000000000..36a1298021 --- /dev/null +++ b/renovate.json 
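Review bot: the entitlement quoted in the `endpoint_security_client` description, `com.apple.endpointsecurity`, is not the name Apple documents; the Endpoint Security client entitlement is `com.apple.developer.endpoint-security.client`, and the string should be exact because analysts will search for it. The `platform_binary` description is a comma splice ("...are defined as platform binaries, this value is then set to true"); suggest "Set to true when the executable is a platform binary, i.e. shipped and signed by the operating system vendor." Both fields are `boolean` with `example: true`; document whether an absent field means unknown or false, since a rule such as "ES client that is not a platform binary" depends on that distinction.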
@@ -0,0 +1,6 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": [ + "local>elastic/renovate-config" + ] +} From e3f0f0e4e628a17cd7e95504ae43be921a4871a1 Mon Sep 17 00:00:00 2001 From: Michael Wolf Date: Mon, 19 Aug 2024 08:40:35 -0700 Subject: [PATCH 152/186] Update template fields (#2354) Update some templated fields that were missed before merging the RFC --- rfcs/text/0044-add-apple-platform-specific-fields.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rfcs/text/0044-add-apple-platform-specific-fields.md b/rfcs/text/0044-add-apple-platform-specific-fields.md index 8b14a79d5d..68d0da3214 100644 --- a/rfcs/text/0044-add-apple-platform-specific-fields.md +++ b/rfcs/text/0044-add-apple-platform-specific-fields.md @@ -1,8 +1,8 @@ -# 0000: Name of RFC +# 0044: Apple Platform specific fields - Stage: **0 (strawperson)** -- Date: **TBD** +- Date: **2024-08-13** ### Summary From 86791b1500b4d9fbf00324998330d21fbaa6ca16 Mon Sep 17 00:00:00 2001 From: "elastic-renovate-prod[bot]" <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Date: Mon, 19 Aug 2024 09:32:59 -0700 Subject: [PATCH 153/186] Pin dependencies (#2355) Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Co-authored-by: Michael Wolf --- .github/workflows/docs-preview-comment.yml | 2 +- .github/workflows/stale.yml | 2 +- .github/workflows/test.yml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/docs-preview-comment.yml b/.github/workflows/docs-preview-comment.yml index 34371e767b..7edee4d477 100644 --- a/.github/workflows/docs-preview-comment.yml +++ b/.github/workflows/docs-preview-comment.yml @@ -10,7 +10,7 @@ jobs: doc-preview: runs-on: ubuntu-latest steps: - - uses: actions/github-script@v6 + - uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6 name: Add doc preview links with: script: | 
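Review bot: `"extends": ["local>elastic/renovate-config"]` in `renovate.json` resolves the shared preset from the default branch of `elastic/renovate-config` at run time, so whatever that repo enables (automerge, schedules, digest pinning) applies here without being visible in this repository; record in the PR what the preset does and consider pinning the preset to a tag with Renovate's `#ref` preset syntax so changes to it are reviewed here as well.

Review bot: pinning `actions/github-script` to a full commit SHA with a `# v6` trailer in `docs-preview-comment.yml` is the right supply-chain move, but the trailer is the only thing tying the SHA to a version; make sure the Renovate digest rule rewrites the comment on every update (the later v7 bump on this page does), otherwise the comment silently drifts from the pinned commit.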
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 7d2d2e6526..20bd20e379 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -15,7 +15,7 @@ jobs: steps: - name: "Check PRs" - uses: actions/stale@v4 + uses: actions/stale@a20b814fb01b71def3bd6f56e7494d667ddf28da # v4 with: repo-token: ${{ secrets.GITHUB_TOKEN }} stale-pr-message: 'This PR is stale because it has been open for 60 days with no activity.' diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 70ae6ad400..c61715c973 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -7,8 +7,8 @@ jobs: runs-on: ubuntu-20.04 name: Unit Tests steps: - - uses: actions/checkout@v2 - - uses: actions/setup-python@v2 + - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 + - uses: actions/setup-python@e9aba2c848f5ebd159c070c61ea2c4e2b122355e # v2 with: python-version: '3.x' - run: git fetch --prune --unshallow --tags From 529cca7983257d9efc5fc5c32bf6c50710a95138 Mon Sep 17 00:00:00 2001 From: "elastic-renovate-prod[bot]" <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Date: Mon, 19 Aug 2024 10:11:54 -0700 Subject: [PATCH 154/186] Update dependency PyYAML to v6.0.2 (#2356) Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Co-authored-by: Michael Wolf --- scripts/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/requirements.txt b/scripts/requirements.txt index e703c6ad50..b3ca161f29 100644 --- a/scripts/requirements.txt +++ b/scripts/requirements.txt @@ -1,6 +1,6 @@ pip # License: MIT -PyYAML==6.0.1 +PyYAML==6.0.2 # License: BSD gitpython==3.1.41 # License: BSD From 33662b6879207e7833457594ef4f7b64c8a0701b Mon Sep 17 00:00:00 2001 
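Review bot: in `scripts/requirements.txt`, `pip` at the top remains unpinned while `PyYAML` is bumped to an exact `6.0.2`; if the goal is reproducible tooling, pin it too (or drop it, since pip is already present in the CI Python) and consider `--require-hashes` so a compromised index cannot substitute a wheel. For the `test.yml` hunk, note that pinning the two actions to v2 SHAs also freezes the major version; a separate Renovate rule still has to propose the major bumps, which the later commits on this page do.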
From: "elastic-renovate-prod[bot]" <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Date: Mon, 19 Aug 2024 11:59:11 -0700 Subject: [PATCH 155/186] Update dependency gitpython to v3.1.43 (#2358) Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Co-authored-by: Michael Wolf --- scripts/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/requirements.txt b/scripts/requirements.txt index b3ca161f29..106d1de1b0 100644 --- a/scripts/requirements.txt +++ b/scripts/requirements.txt @@ -2,6 +2,6 @@ pip # License: MIT PyYAML==6.0.2 # License: BSD -gitpython==3.1.41 +gitpython==3.1.43 # License: BSD Jinja2==3.1.4 From 229312ae834b0dc673dfa866458a092081ab46f6 Mon Sep 17 00:00:00 2001 From: "elastic-renovate-prod[bot]" <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Date: Mon, 19 Aug 2024 16:44:50 -0700 Subject: [PATCH 156/186] Update dependency yamllint to v1.35.1 (#2361) Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Co-authored-by: Michael Wolf --- scripts/requirements-dev.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/requirements-dev.txt b/scripts/requirements-dev.txt index cb5626221a..6c73c2552e 100644 --- a/scripts/requirements-dev.txt +++ b/scripts/requirements-dev.txt @@ -3,4 +3,4 @@ autopep8==1.6.0 # License: BSD mock==4.0.3 # License: GPLv3 -yamllint==1.26.3 +yamllint==1.35.1 From 22a03bce8e9eb28fb374077c3e9e026bc8b0f1a1 Mon Sep 17 00:00:00 2001 
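Review bot: the `gitpython` 3.1.41 -> 3.1.43 hunk is a patch-level bump of a library that shells out to `git`, and GitPython has shipped several CVE fixes in the 3.1.x line; the changelog entry for this PR should say whether this one is a security fix so reviewers can triage it differently from routine Renovate noise. The `yamllint` bump to 1.35.1 in `requirements-dev.txt` jumps nine minor versions; re-run `yamllint` over `schemas/` before merging since new default rules can turn previously passing files into failures.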
From: Michael Wolf Date: Tue, 20 Aug 2024 02:12:57 -0700 Subject: [PATCH 157/186] Update stale PR message (#2369) Add a friendlier stale PR message, based from the [Beats stale message](https://github.com/elastic/beats/blob/main/.github/stale.yml#L63-L74). This will hopefully also prompt contributors to respond, so we'll be better able to track PRs people are still interested in contributing. --- .github/workflows/stale.yml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 20bd20e379..b2f5e26547 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -18,7 +18,18 @@ jobs: uses: actions/stale@a20b814fb01b71def3bd6f56e7494d667ddf28da # v4 with: repo-token: ${{ secrets.GITHUB_TOKEN }} - stale-pr-message: 'This PR is stale because it has been open for 60 days with no activity.' + stale-pr-message: | + Hi! + + We just realized that we haven't looked into this PR in a while. We're + sorry! + + We're labeling this PR as `Stale` to make it hit our filters and + make sure we get back to it as soon as possible. In the meantime, it'd + be extremely helpful if you could take a look at it as well and confirm its + relevance. A simple comment with a nice emoji will be enough `:+1`. + + Thank you for your contribution! stale-pr-label: 'stale' ascending: true days-before-pr-stale: 60 From 70f4bcae7e29b2448d29596eea2a828f208db760 Mon Sep 17 00:00:00 2001 From: "elastic-renovate-prod[bot]" <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Date: Tue, 20 Aug 2024 10:49:31 -0700 Subject: [PATCH 158/186] Update actions/checkout action to v4 (#2362) Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Co-authored-by: Michael Wolf --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
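Review bot: the emoji shortcode in the new `stale-pr-message` is written `` `:+1` `` and is missing the closing colon; GitHub only renders `:+1:`. Also, the message promises "we get back to it as soon as possible", but this hunk only sets `days-before-pr-stale: 60`; `actions/stale` closes stale items after its default `days-before-close` (7) unless that is overridden outside this hunk, so confirm the close setting, otherwise contributors receive the friendly message and an auto-close a week later.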
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index c61715c973..62b7a5d214 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -7,7 +7,7 @@ jobs: runs-on: ubuntu-20.04 name: Unit Tests steps: - - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - uses: actions/setup-python@e9aba2c848f5ebd159c070c61ea2c4e2b122355e # v2 with: python-version: '3.x' From c097a0e014ef05fdb702c12d89ce7f88c1ddf17e Mon Sep 17 00:00:00 2001 From: "elastic-renovate-prod[bot]" <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Date: Tue, 20 Aug 2024 11:32:21 -0700 Subject: [PATCH 159/186] Update actions/github-script action to v7 (#2363) Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Co-authored-by: Michael Wolf --- .github/workflows/docs-preview-comment.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docs-preview-comment.yml b/.github/workflows/docs-preview-comment.yml index 7edee4d477..52c5ca16a8 100644 --- a/.github/workflows/docs-preview-comment.yml +++ b/.github/workflows/docs-preview-comment.yml @@ -10,7 +10,7 @@ jobs: doc-preview: runs-on: ubuntu-latest steps: - - uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6 + - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7 name: Add doc preview links with: script: | From 22d5d35609de2e3d9c49e8396a9abc95612c2c90 Mon Sep 17 00:00:00 2001 
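Review bot: moving `actions/checkout` from a v2 SHA straight to a v4 SHA is safe for this workflow (no `persist-credentials` or `fetch-depth` inputs are used), and the `git fetch --prune --unshallow --tags` step that follows is still needed because v4 also defaults to `fetch-depth: 1`. For the `github-script` v7 hunk, v7 runs on Node 20; `ubuntu-latest` supports that, but the `script:` body is not shown, so confirm it does not rely on behaviour that changed between v6 and v7.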
From: "elastic-renovate-prod[bot]" <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Date: Wed, 21 Aug 2024 11:15:59 -0700 Subject: [PATCH 160/186] Update actions/setup-python action to v5 (#2364) Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Co-authored-by: Michael Wolf --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 62b7a5d214..f4969c765b 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -8,7 +8,7 @@ jobs: name: Unit Tests steps: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - - uses: actions/setup-python@e9aba2c848f5ebd159c070c61ea2c4e2b122355e # v2 + - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5 with: python-version: '3.x' - run: git fetch --prune --unshallow --tags From 07ffbd1e730be7e309e9a8db8211a1a7a89900d4 Mon Sep 17 00:00:00 2001 From: "elastic-renovate-prod[bot]" <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Date: Wed, 21 Aug 2024 16:30:05 -0700 Subject: [PATCH 161/186] Update actions/stale action to v9 (#2365) Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Co-authored-by: Michael Wolf --- .github/workflows/stale.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index b2f5e26547..1bd28c751e 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -15,7 +15,7 @@ jobs: steps: - name: "Check PRs" - uses: actions/stale@a20b814fb01b71def3bd6f56e7494d667ddf28da # v4 + uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9 with: repo-token: ${{ secrets.GITHUB_TOKEN }} stale-pr-message: | From 71a5e5dddb16430a761063db6356c448f7713c4e Mon Sep 17 00:00:00 2001 
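Review bot: `actions/stale` goes from v4 to v9 in one hunk, crossing five majors; the inputs used in this workflow (`repo-token`, `stale-pr-message`, `stale-pr-label`, `ascending`, `days-before-pr-stale`) still exist in v9, but defaults for closing and labelling changed along the way, so check the v9 changelog and watch the first scheduled run before trusting the stale/close timing. The `setup-python` v5 bump is straightforward; `python-version: '3.x'` keeps resolving to the newest 3.x on the runner.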
From: "elastic-renovate-prod[bot]" <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Date: Wed, 21 Aug 2024 17:07:17 -0700 Subject: [PATCH 162/186] Update dependency mock to v5 (#2367) Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Co-authored-by: Michael Wolf --- scripts/requirements-dev.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/requirements-dev.txt b/scripts/requirements-dev.txt index 6c73c2552e..9a9650f135 100644 --- a/scripts/requirements-dev.txt +++ b/scripts/requirements-dev.txt @@ -1,6 +1,6 @@ # License: MIT autopep8==1.6.0 # License: BSD -mock==4.0.3 +mock==5.1.0 # License: GPLv3 yamllint==1.35.1 From 53765702d7036414a520b87bbe7b8a12b1e7be30 Mon Sep 17 00:00:00 2001 From: "elastic-renovate-prod[bot]" <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Date: Wed, 21 Aug 2024 17:26:47 -0700 Subject: [PATCH 163/186] Update dependency ubuntu to v22 (#2368) Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Co-authored-by: Michael Wolf --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index f4969c765b..a804fb2b06 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -4,7 +4,7 @@ on: [push, pull_request] jobs: tests: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 name: Unit Tests steps: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 From a793bb2f62e4e7e25233acf3c73859a030bfd14a Mon Sep 17 00:00:00 2001 
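Review bot: `mock` is the backport of `unittest.mock`; with `python-version: '3.x'` in CI the tests could import `unittest.mock` from the standard library and the `mock==5.1.0` pin (and its Renovate churn) could be removed instead of bumped. The `runs-on: ubuntu-22.04` change is fine; the 20.04 runner image is being retired, and pinning an explicit version rather than `ubuntu-latest` keeps the image change an explicit, reviewable diff like this one.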
From: "elastic-renovate-prod[bot]" <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Date: Tue, 27 Aug 2024 12:16:27 -0700 Subject: [PATCH 164/186] Update dependency autopep8 to v1.7.0 (#2359) Update dependency autopep8 to v1.7.0 --------- Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Co-authored-by: Michael Wolf --- scripts/requirements-dev.txt | 2 +- scripts/schema/subset_filter.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/requirements-dev.txt b/scripts/requirements-dev.txt index 9a9650f135..35c40a6198 100644 --- a/scripts/requirements-dev.txt +++ b/scripts/requirements-dev.txt @@ -1,5 +1,5 @@ # License: MIT -autopep8==1.6.0 +autopep8==1.7.0 # License: BSD mock==5.1.0 # License: GPLv3 diff --git a/scripts/schema/subset_filter.py b/scripts/schema/subset_filter.py index 8b5f0d1762..9f72205777 100644 --- a/scripts/schema/subset_filter.py +++ b/scripts/schema/subset_filter.py @@ -121,7 +121,7 @@ def remove_docs_only_entries(paths: List[str], fields: Dict[str, FieldEntry]) -> split_path = path.split('.') field_set = split_path[0] field = split_path[1] - del(fields[field_set]['fields'][field]) + del (fields[field_set]['fields'][field]) return fields From e3e73de6d26c48f22126f6fbbcebdf07032044a9 Mon Sep 17 00:00:00 2001 From: "elastic-renovate-prod[bot]" <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Date: Tue, 27 Aug 2024 13:34:37 -0700 Subject: [PATCH 165/186] Update dependency autopep8 to v2 (#2366) * Update dependency autopep8 to v2 --------- Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Co-authored-by: Michael Wolf --- scripts/requirements-dev.txt | 2 +- scripts/tests/test_asciidoc_fields.py | 2 +- scripts/tests/test_ecs_helpers.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) 
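Review bot: in `scripts/schema/subset_filter.py`, `del (fields[field_set]['fields'][field])` only adds a space to satisfy the new E275 check; the idiomatic form is `del fields[field_set]['fields'][field]` with no parentheses at all, which is what the formatter is hinting at. While here: `remove_docs_only_entries` does `split_path[1]` after `path.split('.')` and then deletes without checking membership, so a dotless path raises `IndexError` and an unknown field raises `KeyError`; a guard with a clearer error message would help, though that is pre-existing.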
diff --git a/scripts/requirements-dev.txt b/scripts/requirements-dev.txt index 35c40a6198..d9d2c538a8 100644 --- a/scripts/requirements-dev.txt +++ b/scripts/requirements-dev.txt @@ -1,5 +1,5 @@ # License: MIT -autopep8==1.7.0 +autopep8==2.3.1 # License: BSD mock==5.1.0 # License: GPLv3 diff --git a/scripts/tests/test_asciidoc_fields.py b/scripts/tests/test_asciidoc_fields.py index 0516ac3093..1e0388c6c2 100644 --- a/scripts/tests/test_asciidoc_fields.py +++ b/scripts/tests/test_asciidoc_fields.py @@ -186,7 +186,7 @@ def dummy_nested_event_fieldset(self): def test_validate_sort_fieldset(self): sorted_foo_fields = asciidoc_fields.sort_fields(self.foo_fieldset) - #import pdb;pdb.set_trace() + # import pdb;pdb.set_trace() self.assertIsInstance(sorted_foo_fields, list) # `allowed_value_names` always present diff --git a/scripts/tests/test_ecs_helpers.py b/scripts/tests/test_ecs_helpers.py index a1b2af4fc0..8ad616c4f4 100644 --- a/scripts/tests/test_ecs_helpers.py +++ b/scripts/tests/test_ecs_helpers.py @@ -144,7 +144,7 @@ def test_glob_yaml_files(self): self.assertEqual(ecs_helpers.glob_yaml_files('non_existent_wildcard.*'), []) self.assertEqual(ecs_helpers.glob_yaml_files('schemas/base.yml'), ['schemas/base.yml']) self.assertEqual(ecs_helpers.glob_yaml_files(['schemas/base.yml']), ['schemas/base.yml']) - # convert to set as element order is not being tested + #  convert to set as element order is not being tested self.assertEqual(set(ecs_helpers.glob_yaml_files( ['schemas/base.yml', 'schemas/log.yml'])), {'schemas/base.yml', 'schemas/log.yml'}) self.assertTrue(set(ecs_helpers.glob_yaml_files('schemas/b*.yml')).intersection({'schemas/base.yml'}) != set()) From 3f3ff683c9be28ffaa4bd4f6fc1c3667524635e8 Mon Sep 17 00:00:00 2001 
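Review bot: `# import pdb;pdb.set_trace()` in `test_validate_sort_fieldset` (`scripts/tests/test_asciidoc_fields.py`) is leftover debugging; delete the line rather than reformat it. In `scripts/tests/test_ecs_helpers.py` the rewritten comment reads `#  convert to set` with a doubled space (or a non-printing character) after `#`; autopep8 should not produce that, so check the file for a stray non-ASCII byte and restore `# convert to set as element order is not being tested`.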
From: Stefan Bischof Date: Fri, 6 Sep 2024 02:05:16 +0200 Subject: [PATCH 166/186] add license header (#2377) --- schemas/device.yml | 16 ++++++++++++++++ schemas/email.yml | 17 +++++++++++++++++ schemas/risk.yml | 16 ++++++++++++++++ schemas/subsets/main.yml | 16 ++++++++++++++++ 4 files changed, 65 insertions(+) diff --git a/schemas/device.yml b/schemas/device.yml index 9e9e7613d6..38fe123937 100644 --- a/schemas/device.yml +++ b/schemas/device.yml @@ -1,3 +1,19 @@ +# Licensed to Elasticsearch B.V. under one or more contributor +# license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright +# ownership. Elasticsearch B.V. licenses this file to you under +# the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. --- - name: device title: Device diff --git a/schemas/email.yml b/schemas/email.yml index 1982edb7d9..82bfd5b219 100644 --- a/schemas/email.yml +++ b/schemas/email.yml 
@@ -1,3 +1,20 @@ +# Licensed to Elasticsearch B.V. under one or more contributor +# license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright +# ownership. Elasticsearch B.V. licenses this file to you under +# the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +--- - name: email title: Email group: 2 diff --git a/schemas/risk.yml b/schemas/risk.yml index b70640c473..84835f08e2 100644 --- a/schemas/risk.yml +++ b/schemas/risk.yml @@ -1,3 +1,19 @@ +# Licensed to Elasticsearch B.V. under one or more contributor +# license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright +# ownership. Elasticsearch B.V. licenses this file to you under +# the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. --- - name: risk title: Risk information diff --git a/schemas/subsets/main.yml b/schemas/subsets/main.yml index ebefde9e2e..63b44449fc 100644 --- a/schemas/subsets/main.yml +++ b/schemas/subsets/main.yml 
@@ -1,3 +1,19 @@ +# Licensed to Elasticsearch B.V. under one or more contributor +# license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright +# ownership. Elasticsearch B.V. licenses this file to you under +# the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. --- name: main fields: From 93453f477a25b1f77a9106c7c822927c362f5ebb Mon Sep 17 00:00:00 2001 From: "elastic-renovate-prod[bot]" <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Date: Fri, 6 Sep 2024 10:46:53 -0700 Subject: [PATCH 167/186] Update actions/setup-python digest to f677139 (#2374) Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Co-authored-by: Michael Wolf --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index a804fb2b06..b618b7394b 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -8,7 +8,7 @@ jobs: name: Unit Tests steps: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5 + - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5 with: python-version: '3.x' - run: git fetch --prune --unshallow --tags From 029cf00ada5e63375fe9967632f80ba4cb20efeb Mon Sep 17 00:00:00 2001 
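Review bot: the `email.yml` hunk correctly adds the `---` document marker that `device.yml`, `risk.yml` and `subsets/main.yml` already had, but this PR only fixes the four files that were missing the header; add a CI check (a small script in `scripts/` or a yamllint rule) that every file under `schemas/` starts with the licence header, otherwise the next new schema file will miss it again.

Review bot: the `setup-python` hunk is a digest-only update that keeps the `# v5` trailer in sync with the SHA, which is exactly what the earlier pinning commit needs; no concerns.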
From: Smriti <152067238+smriti0321@users.noreply.github.com> Date: Tue, 10 Sep 2024 12:24:36 +0200 Subject: [PATCH 168/186] [RFC] Stage 0: Introducing new field in rule namespace (#2330) * Update 0000-rfc-template.md Updating the template for RFC Stage 0 for adding 2 new rule fields: rule.tags and rule.remediation * Update 0000-rfc-template.md Incorporating review comments. * Renaming the template file with recommended name * Resolving conflicts * Removing Tag Field * Resolving comments from @trisch-me * Moving file to rfcs/text folder as per @trisch-me comment. using next number in series. * I saw number 44 was used in a recent RFC, using next number in series --------- Co-authored-by: Eric Beahan Co-authored-by: Alexandra Konrad --- .../0046-additional-rule-field.md} | 44 +++++++------------ 1 file changed, 16 insertions(+), 28 deletions(-) rename rfcs/{0000-rfc-template.md => text/0046-additional-rule-field.md} (63%) diff --git a/rfcs/0000-rfc-template.md b/rfcs/text/0046-additional-rule-field.md similarity index 63% rename from rfcs/0000-rfc-template.md rename to rfcs/text/0046-additional-rule-field.md index 1ac7c95052..f9354ce2f2 100644 --- a/rfcs/0000-rfc-template.md +++ b/rfcs/text/0046-additional-rule-field.md 
@@ -1,35 +1,27 @@ -# 0000: Name of RFC +# 0000: Additional Rule Field - Stage: **0 (strawperson)** - Date: **TBD** - + +This RFC proposes addition of 1 new field (rule.remediation) in rule fieldset to the Elastic Common Schema (ECS). The goal of this field is to provide more context to the users in the rule fieldset, rule.remediation will be used to capture the remediation instructions associated with rules, it is generally provided by the benchmark or framework from which the rule is published. - - ## Fields - +The `rule` fields being proposed are as follows: + +Field | Type | Example | Description/Usage +-- | -- | -- | -- +rule.remediation | array | Enable encryption on all S3 buckets | Used to capture remediation instructions that come from the benchmark / framework the rule is from + - ## Usage @@ -79,25 +71,21 @@ Stage 3: Document resolutions for all existing concerns. Any new concerns should The following are the people that consulted on the contents of this RFC. -* TBD | author +* @smriti0321 | author +* @tinnytintin10 | Product Manager +* @oren-zohar | Engineering Manager +* @orouz | Engineer +* @trisch-me | Security ECS team - ## References + + ### RFC Pull Requests From 149a4cc023462acc25c49ae94ad921a813b99ee4 Mon Sep 17 00:00:00 2001 
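Review bot: the heading still reads `# 0000: Additional Rule Field` although the file was renamed to `0046-additional-rule-field.md`; update the number. In the field table the type is given as `array`, which is not an ECS or Elasticsearch type: every ECS field may hold multiple values, so the type should be `keyword` (or `text`/`match_only_text` if free-form remediation text is meant to be searched) with `normalize: - array` in the schema, and the example should then be a list of strings. The summary paragraph is also a run-on ("...in the rule fieldset, rule.remediation will be used to capture..."); split it at the comma.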
From: Thijs Xhaflaire Date: Wed, 11 Sep 2024 23:28:06 +0200 Subject: [PATCH 169/186] [RFC] Stage 2: Adding Apple Platform specific fields (#2370) Updating the RFC and moving it to stage two. --- docs/fields/field-details.asciidoc | 64 +++++ experimental/generated/beats/fields.ecs.yml | 100 ++++++++ experimental/generated/csv/fields.csv | 14 ++ experimental/generated/ecs/ecs_flat.yml | 183 +++++++++++++++ experimental/generated/ecs/ecs_nested.yml | 219 ++++++++++++++++++ .../composable/component/device.json | 4 + .../composable/component/dll.json | 7 + .../composable/component/email.json | 4 + .../composable/component/file.json | 7 + .../composable/component/process.json | 14 ++ .../composable/component/threat.json | 14 ++ .../elasticsearch/legacy/template.json | 50 ++++ generated/beats/fields.ecs.yml | 100 ++++++++ generated/csv/fields.csv | 14 ++ generated/ecs/ecs_flat.yml | 183 +++++++++++++++ generated/ecs/ecs_nested.yml | 219 ++++++++++++++++++ .../composable/component/device.json | 4 + .../composable/component/dll.json | 7 + .../composable/component/email.json | 4 + .../composable/component/file.json | 7 + .../composable/component/process.json | 14 ++ .../composable/component/threat.json | 14 ++ generated/elasticsearch/legacy/template.json | 50 ++++ ...0044-add-apple-platform-specific-fields.md | 24 +- schemas/code_signature.yml | 9 + schemas/device.yml | 10 +- schemas/hash.yml | 8 + schemas/process.yml | 20 ++ 28 files changed, 1363 insertions(+), 4 deletions(-) diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index 31273d8c4b..4d7f9f959b 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc 
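Review bot: the file list for this stage-2 PR contains no `CHANGELOG.next.md` entry, although it adds schema fields (`code_signature.flags`, `device.serial_number`, `hash.cdhash`, `process.platform_binary`, `process.endpoint_security_client`) and the `process.responsible` reuse, all as beta; add the Added entries with the PR number, as the earlier changelog commits on this page do for every schema change.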
@@ -865,6 +865,24 @@ example: `true` // =============================================================== +| +[[field-code-signature-flags]] +<> + +a| beta:[ This field is beta and subject to change. ] + +The flags used to sign the process. + +type: string + + + +example: `570522385` + +| extended + +// =============================================================== + | [[field-code-signature-signing-id]] <> @@ -1693,6 +1711,24 @@ example: `Samsung Galaxy S6` // =============================================================== +| +[[field-device-serial-number]] +<> + +a| beta:[ This field is beta and subject to change. ] + +The unique serial number serves as a distinct identifier for each device, aiding in inventory management and device authentication. + +type: keyword + + + +example: `DJGAQS4CW5` + +| core + +// =============================================================== + |===== @@ -4811,6 +4847,24 @@ Note that this fieldset is used for common hashes that may be computed over a ra // =============================================================== +| +[[field-hash-cdhash]] +<> + +a| beta:[ This field is beta and subject to change. ] + +Code directory hash, utilized to uniquely identify and authenticate the integrity of the executable code. + +type: keyword + + + +example: `3783b4052fd474dbe30676b45c329e7a6d44acd9` + +| extended + +// =============================================================== + | [[field-hash-md5]] <> @@ -8685,6 +8739,8 @@ The `process` fields are expected to be nested at: * `process.previous` +* `process.responsible` + * `process.session_leader` * `process.session_leader.parent` 
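Review bot: the generated docs now publish `code_signature.flags` as `type: string`, which is not an Elasticsearch mapping type; the generated Beats output further down this page shows the consequence (the field gets no `ignore_above` and no real keyword mapping). Change the schema to `keyword` or `long` before this leaves beta, and explain in the description that the value is the `CS_*` code-signing bitmask so the example `570522385` is decodable. `device.serial_number` is documented at level `core` while every other field in this RFC is `extended`; align it.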
@@ -8839,6 +8895,14 @@ Note: this reuse should contain an array of process field set objects. // =============================================================== +| `process.responsible.*` +| <>| beta:[ This field is beta and subject to change.] + +Responsible process in macOS tracks the originating process of an app, key for understanding permissions and hierarchy. + +// =============================================================== + + | `process.saved_group.*` | <> | The saved group (sgid). diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index bc95a6db22..f39b2c42e0 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -1227,6 +1227,14 @@ description: The human readable marketing name of the device model. example: Samsung Galaxy S6 default_field: false + - name: serial_number + level: core + type: keyword + ignore_above: 1024 + description: The unique serial number serves as a distinct identifier for each + device, aiding in inventory management and device authentication. + example: DJGAQS4CW5 + default_field: false - name: dll title: DLL group: 2 @@ -1261,6 +1269,12 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.flags + level: extended + type: string + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: code_signature.signing_id level: extended type: keyword @@ -1323,6 +1337,14 @@ Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false + - name: hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: hash.md5 level: extended type: keyword 
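Review bot: the `process.responsible.*` blurb ("Responsible process in macOS tracks the originating process of an app, key for understanding permissions and hierarchy") should say what "responsible" means operationally: the process to which macOS attributes an app's activity for TCC permission checks, which is frequently not `process.parent` (for example, an app launched through `launchd` or a helper spawned by a shell). Without that, analysts will treat the reuse as a synonym for the parent and write the wrong correlation.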
@@ -1760,6 +1782,14 @@ description: Attachment file extension, excluding the leading dot. example: txt default_field: false + - name: attachments.file.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: attachments.file.hash.md5 level: extended type: keyword @@ -2405,6 +2435,12 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.flags + level: extended + type: string + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: code_signature.signing_id level: extended type: keyword @@ -2789,6 +2825,14 @@ ignore_above: 1024 description: Primary group name of the file. example: alice + - name: hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: hash.md5 level: extended type: keyword @@ -4745,6 +4789,12 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.flags + level: extended + type: string + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: code_signature.signing_id level: extended type: keyword 
@@ -5774,6 +5824,14 @@ description: The working directory of the process. example: /home/alice default_field: false + - name: hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: hash.md5 level: extended type: keyword @@ -6055,6 +6113,12 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: parent.code_signature.flags + level: extended + type: string + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: parent.code_signature.signing_id level: extended type: keyword @@ -6466,6 +6530,14 @@ the process exists within.' example: 4242 default_field: false + - name: parent.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: parent.hash.md5 level: extended type: keyword @@ -9101,6 +9173,12 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: enrichments.indicator.file.code_signature.flags + level: extended + type: string + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: enrichments.indicator.file.code_signature.signing_id level: extended type: keyword 
@@ -9492,6 +9570,14 @@ description: Primary group name of the file. example: alice default_field: false + - name: enrichments.indicator.file.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: enrichments.indicator.file.hash.md5 level: extended type: keyword @@ -10708,6 +10794,12 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: indicator.file.code_signature.flags + level: extended + type: string + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: indicator.file.code_signature.signing_id level: extended type: keyword @@ -11099,6 +11191,14 @@ description: Primary group name of the file. example: alice default_field: false + - name: indicator.file.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: indicator.file.hash.md5 level: extended type: keyword diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 292ac5f917..85f24dce13 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -146,8 +146,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. 8.12.0-dev+exp,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. 8.12.0-dev+exp,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. +8.12.0-dev+exp,true,device,device.serial_number,keyword,core,,DJGAQS4CW5,Serial Number of the device 8.12.0-dev+exp,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev+exp,true,dll,dll.code_signature.flags,string,extended,,570522385,Code signing flags of the process 8.12.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer 
@@ -155,6 +157,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 8.12.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 8.12.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.12.0-dev+exp,true,dll,dll.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev+exp,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev+exp,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. @@ -208,6 +211,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. 8.12.0-dev+exp,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. 8.12.0-dev+exp,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. +8.12.0-dev+exp,true,email,email.attachments.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev+exp,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev+exp,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev+exp,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. 
@@ -276,6 +280,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 8.12.0-dev+exp,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev+exp,true,file,file.code_signature.flags,string,extended,,570522385,Code signing flags of the process 8.12.0-dev+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -330,6 +335,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. 8.12.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. 8.12.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file. +8.12.0-dev+exp,true,file,file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev+exp,true,file,file.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev+exp,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev+exp,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. 
@@ -587,6 +593,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array. 8.12.0-dev+exp,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev+exp,true,process,process.code_signature.flags,string,extended,,570522385,Code signing flags of the process 8.12.0-dev+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -728,6 +735,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,process,process.group_leader.vpid,long,core,,4242,Virtual process id. 8.12.0-dev+exp,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. 8.12.0-dev+exp,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.12.0-dev+exp,true,process,process.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev+exp,true,process,process.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev+exp,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev+exp,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. 
@@ -767,6 +775,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. 8.12.0-dev+exp,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev+exp,true,process,process.parent.code_signature.flags,string,extended,,570522385,Code signing flags of the process 8.12.0-dev+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -825,6 +834,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. 8.12.0-dev+exp,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 8.12.0-dev+exp,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id. +8.12.0-dev+exp,true,process,process.parent.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev+exp,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. 
@@ -1152,6 +1162,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.flags,string,extended,,570522385,Code signing flags of the process 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer 
@@ -1206,6 +1217,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. 
@@ -1369,6 +1381,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.flags,string,extended,,570522385,Code signing flags of the process 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer 
@@ -1423,6 +1436,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. 8.12.0-dev+exp,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. 8.12.0-dev+exp,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +8.12.0-dev+exp,true,threat,threat.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev+exp,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev+exp,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev+exp,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 02b972886f..131fbdeb3e 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -1759,6 +1759,19 @@ device.model.name: normalize: [] short: The human readable marketing name of the device model. type: keyword +device.serial_number: + beta: This field is beta and subject to change. + dashed_name: device-serial-number + description: The unique serial number serves as a distinct identifier for each device, + aiding in inventory management and device authentication. + example: DJGAQS4CW5 + flat_name: device.serial_number + ignore_above: 1024 + level: core + name: serial_number + normalize: [] + short: Serial Number of the device + type: keyword dll.code_signature.digest_algorithm: dashed_name: dll-code-signature-digest-algorithm description: 'The hashing algorithm used to sign the process. 
@@ -1785,6 +1798,18 @@ dll.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +dll.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: dll-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: dll.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string dll.code_signature.signing_id: dashed_name: dll-code-signature-signing-id description: 'The identifier used to sign the process. @@ -1883,6 +1908,20 @@ dll.code_signature.valid: short: Boolean to capture if the digital signature is verified against the binary content. type: boolean +dll.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: dll-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: dll.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword dll.hash.md5: dashed_name: dll-hash-md5 description: MD5 hash. 
@@ -2566,6 +2605,20 @@ email.attachments.file.extension: normalize: [] short: Attachment file extension. type: keyword +email.attachments.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: email-attachments-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: email.attachments.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword email.attachments.file.hash.md5: dashed_name: email-attachments-file-hash-md5 description: MD5 hash. @@ -3896,6 +3949,18 @@ file.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: file.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string file.code_signature.signing_id: dashed_name: file-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -4555,6 +4620,20 @@ file.group: normalize: [] short: Primary group name of the file. type: keyword +file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword file.hash.md5: dashed_name: file-hash-md5 description: MD5 hash. @@ -7700,6 +7779,18 @@ process.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +process.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string process.code_signature.signing_id: dashed_name: process-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -9372,6 +9463,20 @@ process.group_leader.working_directory: original_fieldset: process short: The working directory of the process. type: keyword +process.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword process.hash.md5: dashed_name: process-hash-md5 description: MD5 hash. @@ -9843,6 +9948,18 @@ process.parent.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +process.parent.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-parent-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.parent.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string process.parent.code_signature.signing_id: dashed_name: process-parent-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -10543,6 +10660,20 @@ process.parent.group_leader.vpid: original_fieldset: process short: Virtual process id. type: long +process.parent.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-parent-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.parent.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword process.parent.hash.md5: dashed_name: process-parent-hash-md5 description: MD5 hash. @@ -14643,6 +14774,18 @@ threat.enrichments.indicator.file.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +threat.enrichments.indicator.file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: threat.enrichments.indicator.file.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string threat.enrichments.indicator.file.code_signature.signing_id: dashed_name: threat-enrichments-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -15311,6 +15454,20 @@ threat.enrichments.indicator.file.group: original_fieldset: file short: Primary group name of the file. type: keyword +threat.enrichments.indicator.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: threat.enrichments.indicator.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword threat.enrichments.indicator.file.hash.md5: dashed_name: threat-enrichments-indicator-file-hash-md5 description: MD5 hash. @@ -17353,6 +17510,18 @@ threat.indicator.file.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +threat.indicator.file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: threat.indicator.file.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string threat.indicator.file.code_signature.signing_id: dashed_name: threat-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -18021,6 +18190,20 @@ threat.indicator.file.group: original_fieldset: file short: Primary group name of the file. type: keyword +threat.indicator.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: threat.indicator.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword threat.indicator.file.hash.md5: dashed_name: threat-indicator-file-hash-md5 description: MD5 hash. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index f600ab293a..c7bb8e8af7 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -1320,6 +1320,17 @@ code_signature: normalize: [] short: Boolean to capture if a signature is present. type: boolean + code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: code_signature.flags + level: extended + name: flags + normalize: [] + short: Code signing flags of the process + type: string code_signature.signing_id: dashed_name: code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -2211,6 +2222,19 @@ device: normalize: [] short: The human readable marketing name of the device model. type: keyword + device.serial_number: + beta: This field is beta and subject to change. + dashed_name: device-serial-number + description: The unique serial number serves as a distinct identifier for each + device, aiding in inventory management and device authentication. + example: DJGAQS4CW5 + flat_name: device.serial_number + ignore_above: 1024 + level: core + name: serial_number + normalize: [] + short: Serial Number of the device + type: keyword group: 2 name: device prefix: device. @@ -2258,6 +2282,18 @@ dll: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + dll.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: dll-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: dll.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string dll.code_signature.signing_id: dashed_name: dll-code-signature-signing-id description: 'The identifier used to sign the process. @@ -2356,6 +2392,20 @@ dll: short: Boolean to capture if the digital signature is verified against the binary content. type: boolean + dll.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: dll-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: dll.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword dll.hash.md5: dashed_name: dll-hash-md5 description: MD5 hash. 
@@ -3518,6 +3568,20 @@ email: normalize: [] short: Attachment file extension. type: keyword + email.attachments.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: email-attachments-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: email.attachments.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword email.attachments.file.hash.md5: dashed_name: email-attachments-file-hash-md5 description: MD5 hash. @@ -4929,6 +4993,18 @@ file: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: file.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string file.code_signature.signing_id: dashed_name: file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -5589,6 +5665,20 @@ file: normalize: [] short: Primary group name of the file. type: keyword + file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword file.hash.md5: dashed_name: file-hash-md5 description: MD5 hash. 
@@ -6886,6 +6976,19 @@ hash: range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively).' fields: + hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + short: The Code Directory (CD) hash of an executable. + type: keyword hash.md5: dashed_name: hash-md5 description: MD5 hash. @@ -9909,6 +10012,18 @@ process: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + process.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string process.code_signature.signing_id: dashed_name: process-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -11582,6 +11697,20 @@ process: original_fieldset: process short: The working directory of the process. type: keyword + process.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword process.hash.md5: dashed_name: process-hash-md5 description: MD5 hash. @@ -12057,6 +12186,18 @@ process: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + process.parent.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-parent-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.parent.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string process.parent.code_signature.signing_id: dashed_name: process-parent-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -12758,6 +12899,20 @@ process: original_fieldset: process short: Virtual process id. type: long + process.parent.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-parent-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.parent.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword process.parent.hash.md5: dashed_name: process-parent-hash-md5 description: MD5 hash. @@ -14947,6 +15102,7 @@ process: - process.previous - process.real_group - process.real_user + - process.responsible - process.saved_group - process.saved_user - process.session_leader @@ -15008,6 +15164,12 @@ process: - array short_override: An array of previous executions for the process, including the initial fork. Only executable and args are set. + - as: responsible + at: process + beta: This field is beta and subject to change. + full: process.responsible + short_override: Responsible process in macOS tracks the originating process + of an app, key for understanding permissions and hierarchy. top_level: true reused_here: - full: process.group @@ -15105,6 +15267,11 @@ process: schema_name: process short: An array of previous executions for the process, including the initial fork. Only executable and args are set. + - beta: This field is beta and subject to change. + full: process.responsible + schema_name: process + short: Responsible process in macOS tracks the originating process of an app, + key for understanding permissions and hierarchy. short: These fields contain information about a process. title: Process type: group 
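Review bot: The `process.responsible` reuse text in this hunk (`short_override` and the matching `short`) is descriptive rather than definitional: "key for understanding permissions and hierarchy" does not tell an implementer which process to populate. State the relationship concretely (the process macOS attributes permission decisions and prompts to, which may differ from `process.parent`) and give one sentence on when it diverges from the parent, so that producers fill it consistently and detection content can rely on it.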
@@ -17307,6 +17474,18 @@ threat: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + threat.enrichments.indicator.file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: threat.enrichments.indicator.file.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string threat.enrichments.indicator.file.code_signature.signing_id: dashed_name: threat-enrichments-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -17976,6 +18155,20 @@ threat: original_fieldset: file short: Primary group name of the file. type: keyword + threat.enrichments.indicator.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: threat.enrichments.indicator.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword threat.enrichments.indicator.file.hash.md5: dashed_name: threat-enrichments-indicator-file-hash-md5 description: MD5 hash. 
@@ -20023,6 +20216,18 @@ threat: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + threat.indicator.file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: threat.indicator.file.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string threat.indicator.file.code_signature.signing_id: dashed_name: threat-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -20692,6 +20897,20 @@ threat: original_fieldset: file short: Primary group name of the file. type: keyword + threat.indicator.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: threat.indicator.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword threat.indicator.file.hash.md5: dashed_name: threat-indicator-file-hash-md5 description: MD5 hash. diff --git a/experimental/generated/elasticsearch/composable/component/device.json b/experimental/generated/elasticsearch/composable/component/device.json index cf66d72b06..215d046175 100644 --- a/experimental/generated/elasticsearch/composable/component/device.json +++ b/experimental/generated/elasticsearch/composable/component/device.json @@ -27,6 +27,10 @@ "type": "keyword" } } + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" } } } 
diff --git a/experimental/generated/elasticsearch/composable/component/dll.json b/experimental/generated/elasticsearch/composable/component/dll.json index 2de113a6ea..55e2246263 100644 --- a/experimental/generated/elasticsearch/composable/component/dll.json +++ b/experimental/generated/elasticsearch/composable/component/dll.json @@ -17,6 +17,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -46,6 +49,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/composable/component/email.json b/experimental/generated/elasticsearch/composable/component/email.json index 83863c9c0c..5de733e5f7 100644 --- a/experimental/generated/elasticsearch/composable/component/email.json +++ b/experimental/generated/elasticsearch/composable/component/email.json @@ -18,6 +18,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/composable/component/file.json b/experimental/generated/elasticsearch/composable/component/file.json index a04643e7d9..adb9d1d8ec 100644 --- a/experimental/generated/elasticsearch/composable/component/file.json +++ b/experimental/generated/elasticsearch/composable/component/file.json @@ -24,6 +24,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -233,6 +236,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/composable/component/process.json b/experimental/generated/elasticsearch/composable/component/process.json index f4dd52c1ce..de0be5f249 100644 
--- a/experimental/generated/elasticsearch/composable/component/process.json +++ b/experimental/generated/elasticsearch/composable/component/process.json @@ -24,6 +24,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -674,6 +677,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -824,6 +831,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -1055,6 +1065,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/composable/component/threat.json b/experimental/generated/elasticsearch/composable/component/threat.json index 7f002d5bb7..cdcbbd7ae6 100644 --- a/experimental/generated/elasticsearch/composable/component/threat.json +++ b/experimental/generated/elasticsearch/composable/component/threat.json @@ -66,6 +66,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -275,6 +278,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -987,6 +994,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -1196,6 +1206,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index 18386e190c..6b9172fe34 100644 --- a/experimental/generated/elasticsearch/legacy/template.json 
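Review bot: The `"flags": { "type": "string" }` mappings emitted here for the composable component templates (and the same lines in `legacy/template.json`) are not a valid Elasticsearch field type: `string` was removed from mappings in favour of `keyword`/`text`, so installing these templates against a current cluster will be rejected. The fix belongs in the schema source (`type: string` for `code_signature.flags`), changing it to `keyword` (with `ignore_above: 1024` like its siblings) or `long` if the value is a numeric bitmask; the generator will then produce a valid mapping and the CSV/YAML outputs will follow.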
+++ b/experimental/generated/elasticsearch/legacy/template.json @@ -782,6 +782,10 @@ "type": "keyword" } } + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -796,6 +800,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -825,6 +832,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -1050,6 +1061,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -1360,6 +1375,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -1569,6 +1587,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -2745,6 +2767,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -3395,6 +3420,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -3545,6 +3574,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -3776,6 +3808,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -5283,6 +5319,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -5492,6 +5531,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" 
@@ -6204,6 +6247,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -6413,6 +6459,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index fa0007884b..bbe911f6ce 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -1177,6 +1177,14 @@ description: The human readable marketing name of the device model. example: Samsung Galaxy S6 default_field: false + - name: serial_number + level: core + type: keyword + ignore_above: 1024 + description: The unique serial number serves as a distinct identifier for each + device, aiding in inventory management and device authentication. + example: DJGAQS4CW5 + default_field: false - name: dll title: DLL group: 2 @@ -1211,6 +1219,12 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.flags + level: extended + type: string + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: code_signature.signing_id level: extended type: keyword @@ -1273,6 +1287,14 @@ Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false + - name: hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: hash.md5 level: extended type: keyword 
@@ -1710,6 +1732,14 @@ description: Attachment file extension, excluding the leading dot. example: txt default_field: false + - name: attachments.file.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: attachments.file.hash.md5 level: extended type: keyword @@ -2355,6 +2385,12 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.flags + level: extended + type: string + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: code_signature.signing_id level: extended type: keyword @@ -2739,6 +2775,14 @@ ignore_above: 1024 description: Primary group name of the file. example: alice + - name: hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: hash.md5 level: extended type: keyword @@ -4695,6 +4739,12 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.flags + level: extended + type: string + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: code_signature.signing_id level: extended type: keyword 
@@ -5724,6 +5774,14 @@ description: The working directory of the process. example: /home/alice default_field: false + - name: hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: hash.md5 level: extended type: keyword @@ -6005,6 +6063,12 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: parent.code_signature.flags + level: extended + type: string + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: parent.code_signature.signing_id level: extended type: keyword @@ -6416,6 +6480,14 @@ the process exists within.' example: 4242 default_field: false + - name: parent.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: parent.hash.md5 level: extended type: keyword @@ -9051,6 +9123,12 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: enrichments.indicator.file.code_signature.flags + level: extended + type: string + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: enrichments.indicator.file.code_signature.signing_id level: extended type: keyword 
@@ -9442,6 +9520,14 @@ description: Primary group name of the file. example: alice default_field: false + - name: enrichments.indicator.file.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: enrichments.indicator.file.hash.md5 level: extended type: keyword @@ -10658,6 +10744,12 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: indicator.file.code_signature.flags + level: extended + type: string + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: indicator.file.code_signature.signing_id level: extended type: keyword @@ -11049,6 +11141,14 @@ description: Primary group name of the file. example: alice default_field: false + - name: indicator.file.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: indicator.file.hash.md5 level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index c31a8de31c..a7210ad73b 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -139,8 +139,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. 8.12.0-dev,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. 8.12.0-dev,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. +8.12.0-dev,true,device,device.serial_number,keyword,core,,DJGAQS4CW5,Serial Number of the device 8.12.0-dev,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev,true,dll,dll.code_signature.flags,string,extended,,570522385,Code signing flags of the process 8.12.0-dev,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer 
@@ -148,6 +150,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 8.12.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 8.12.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.12.0-dev,true,dll,dll.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. @@ -201,6 +204,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. 8.12.0-dev,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. 8.12.0-dev,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. +8.12.0-dev,true,email,email.attachments.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. 
@@ -269,6 +273,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 8.12.0-dev,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev,true,file,file.code_signature.flags,string,extended,,570522385,Code signing flags of the process 8.12.0-dev,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -323,6 +328,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. 8.12.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. 8.12.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. +8.12.0-dev,true,file,file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. 
@@ -580,6 +586,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. 8.12.0-dev,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev,true,process,process.code_signature.flags,string,extended,,570522385,Code signing flags of the process 8.12.0-dev,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -721,6 +728,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,process,process.group_leader.vpid,long,core,,4242,Virtual process id. 8.12.0-dev,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. 8.12.0-dev,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.12.0-dev,true,process,process.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. 
@@ -760,6 +768,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. 8.12.0-dev,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev,true,process,process.parent.code_signature.flags,string,extended,,570522385,Code signing flags of the process 8.12.0-dev,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -818,6 +827,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. 8.12.0-dev,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 8.12.0-dev,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id. +8.12.0-dev,true,process,process.parent.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. 
@@ -1145,6 +1155,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.flags,string,extended,,570522385,Code signing flags of the process 8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer 
@@ -1199,6 +1210,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. 
@@ -1362,6 +1374,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 8.12.0-dev,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev,true,threat,threat.indicator.file.code_signature.flags,string,extended,,570522385,Code signing flags of the process 8.12.0-dev,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -1416,6 +1429,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. 8.12.0-dev,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. 8.12.0-dev,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +8.12.0-dev,true,threat,threat.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. 
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 2022bddaf4..28f3e7d65c 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -1690,6 +1690,19 @@ device.model.name: normalize: [] short: The human readable marketing name of the device model. type: keyword +device.serial_number: + beta: This field is beta and subject to change. + dashed_name: device-serial-number + description: The unique serial number serves as a distinct identifier for each device, + aiding in inventory management and device authentication. + example: DJGAQS4CW5 + flat_name: device.serial_number + ignore_above: 1024 + level: core + name: serial_number + normalize: [] + short: Serial Number of the device + type: keyword dll.code_signature.digest_algorithm: dashed_name: dll-code-signature-digest-algorithm description: 'The hashing algorithm used to sign the process. @@ -1716,6 +1729,18 @@ dll.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +dll.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: dll-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: dll.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string dll.code_signature.signing_id: dashed_name: dll-code-signature-signing-id description: 'The identifier used to sign the process. 
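Review bot: `device.serial_number` in this hunk is marked `beta` yet set to `level: core`, while every sibling `device.*` field is `extended`; a beta field that is still subject to change should enter as `extended` and be promoted once stable. The description also overstates the field's security value: a serial number is printed on the chassis and is not a secret, so "aiding in inventory management and device authentication" should read "device identification" to avoid implying it can be used as an authenticator. Finally, `short: Serial Number of the device` (which becomes the CSV description) should be lower-cased and end with a period to match the neighbouring rows.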
@@ -1814,6 +1839,20 @@ dll.code_signature.valid: short: Boolean to capture if the digital signature is verified against the binary content. type: boolean +dll.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: dll-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: dll.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword dll.hash.md5: dashed_name: dll-hash-md5 description: MD5 hash. @@ -2497,6 +2536,20 @@ email.attachments.file.extension: normalize: [] short: Attachment file extension. type: keyword +email.attachments.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: email-attachments-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: email.attachments.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword email.attachments.file.hash.md5: dashed_name: email-attachments-file-hash-md5 description: MD5 hash. 
@@ -3827,6 +3880,18 @@ file.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: file.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string file.code_signature.signing_id: dashed_name: file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -4486,6 +4551,20 @@ file.group: normalize: [] short: Primary group name of the file. type: keyword +file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword file.hash.md5: dashed_name: file-hash-md5 description: MD5 hash. @@ -7631,6 +7710,18 @@ process.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +process.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string process.code_signature.signing_id: dashed_name: process-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -9303,6 +9394,20 @@ process.group_leader.working_directory: original_fieldset: process short: The working directory of the process. type: keyword +process.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword process.hash.md5: dashed_name: process-hash-md5 description: MD5 hash. @@ -9774,6 +9879,18 @@ process.parent.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +process.parent.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-parent-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.parent.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string process.parent.code_signature.signing_id: dashed_name: process-parent-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -10474,6 +10591,20 @@ process.parent.group_leader.vpid: original_fieldset: process short: Virtual process id. type: long +process.parent.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-parent-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.parent.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword process.parent.hash.md5: dashed_name: process-parent-hash-md5 description: MD5 hash. @@ -14574,6 +14705,18 @@ threat.enrichments.indicator.file.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +threat.enrichments.indicator.file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: threat.enrichments.indicator.file.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string threat.enrichments.indicator.file.code_signature.signing_id: dashed_name: threat-enrichments-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -15242,6 +15385,20 @@ threat.enrichments.indicator.file.group: original_fieldset: file short: Primary group name of the file. type: keyword +threat.enrichments.indicator.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: threat.enrichments.indicator.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword threat.enrichments.indicator.file.hash.md5: dashed_name: threat-enrichments-indicator-file-hash-md5 description: MD5 hash. @@ -17284,6 +17441,18 @@ threat.indicator.file.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +threat.indicator.file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: threat.indicator.file.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string threat.indicator.file.code_signature.signing_id: dashed_name: threat-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -17952,6 +18121,20 @@ threat.indicator.file.group: original_fieldset: file short: Primary group name of the file. type: keyword +threat.indicator.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: threat.indicator.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword threat.indicator.file.hash.md5: dashed_name: threat-indicator-file-hash-md5 description: MD5 hash. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 8057eeed15..fe512c7afd 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -1240,6 +1240,17 @@ code_signature: normalize: [] short: Boolean to capture if a signature is present. type: boolean + code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: code_signature.flags + level: extended + name: flags + normalize: [] + short: Code signing flags of the process + type: string code_signature.signing_id: dashed_name: code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -2131,6 +2142,19 @@ device: normalize: [] short: The human readable marketing name of the device model. type: keyword + device.serial_number: + beta: This field is beta and subject to change. + dashed_name: device-serial-number + description: The unique serial number serves as a distinct identifier for each + device, aiding in inventory management and device authentication. + example: DJGAQS4CW5 + flat_name: device.serial_number + ignore_above: 1024 + level: core + name: serial_number + normalize: [] + short: Serial Number of the device + type: keyword group: 2 name: device prefix: device. @@ -2178,6 +2202,18 @@ dll: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + dll.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: dll-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: dll.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string dll.code_signature.signing_id: dashed_name: dll-code-signature-signing-id description: 'The identifier used to sign the process. @@ -2276,6 +2312,20 @@ dll: short: Boolean to capture if the digital signature is verified against the binary content. type: boolean + dll.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: dll-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: dll.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword dll.hash.md5: dashed_name: dll-hash-md5 description: MD5 hash. 
@@ -3438,6 +3488,20 @@ email: normalize: [] short: Attachment file extension. type: keyword + email.attachments.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: email-attachments-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: email.attachments.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword email.attachments.file.hash.md5: dashed_name: email-attachments-file-hash-md5 description: MD5 hash. @@ -4849,6 +4913,18 @@ file: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: file.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string file.code_signature.signing_id: dashed_name: file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -5509,6 +5585,20 @@ file: normalize: [] short: Primary group name of the file. type: keyword + file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword file.hash.md5: dashed_name: file-hash-md5 description: MD5 hash. 
@@ -6806,6 +6896,19 @@ hash: range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively).' fields: + hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + short: The Code Directory (CD) hash of an executable. + type: keyword hash.md5: dashed_name: hash-md5 description: MD5 hash. @@ -9829,6 +9932,18 @@ process: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + process.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string process.code_signature.signing_id: dashed_name: process-code-signature-signing-id description: 'The identifier used to sign the process. 
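Review bot: the `hash.cdhash` entry in the first hunk sits directly under the fieldset text stating that entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate; a CDHash exists only for Apple code signatures, so either that fieldset note should explain why `cdhash` is treated as generic, or the field belongs with `code_signature.*`. The description should also say what is hashed (the code directory of the binary's code signature) instead of `utilized to uniquely identify and authenticate the integrity of the executable code`, which describes a purpose rather than the value.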
@@ -11502,6 +11617,20 @@ process: original_fieldset: process short: The working directory of the process. type: keyword + process.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword process.hash.md5: dashed_name: process-hash-md5 description: MD5 hash. @@ -11977,6 +12106,18 @@ process: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + process.parent.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-parent-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.parent.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string process.parent.code_signature.signing_id: dashed_name: process-parent-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -12678,6 +12819,20 @@ process: original_fieldset: process short: Virtual process id. type: long + process.parent.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-parent-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.parent.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword process.parent.hash.md5: dashed_name: process-parent-hash-md5 description: MD5 hash. @@ -14867,6 +15022,7 @@ process: - process.previous - process.real_group - process.real_user + - process.responsible - process.saved_group - process.saved_user - process.session_leader @@ -14928,6 +15084,12 @@ process: - array short_override: An array of previous executions for the process, including the initial fork. Only executable and args are set. + - as: responsible + at: process + beta: This field is beta and subject to change. + full: process.responsible + short_override: Responsible process in macOS tracks the originating process + of an app, key for understanding permissions and hierarchy. top_level: true reused_here: - full: process.group @@ -15025,6 +15187,11 @@ process: schema_name: process short: An array of previous executions for the process, including the initial fork. Only executable and args are set. + - beta: This field is beta and subject to change. + full: process.responsible + schema_name: process + short: Responsible process in macOS tracks the originating process of an app, + key for understanding permissions and hierarchy. short: These fields contain information about a process. title: Process type: group 
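Review bot: the `short_override` and `short` texts for the new `process.responsible` reuse in the last two hunks (`key for understanding permissions and hierarchy`) describe why the data is interesting rather than what the nested fields hold; state the content, e.g. `The responsible process on macOS: the process that originally launched the application and against which its permissions are evaluated.` Keep the `reusable.expected` and `reused_here` texts character-for-character identical so the two lists do not drift apart on the next edit.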
@@ -17227,6 +17394,18 @@ threat: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + threat.enrichments.indicator.file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: threat.enrichments.indicator.file.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string threat.enrichments.indicator.file.code_signature.signing_id: dashed_name: threat-enrichments-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -17896,6 +18075,20 @@ threat: original_fieldset: file short: Primary group name of the file. type: keyword + threat.enrichments.indicator.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: threat.enrichments.indicator.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword threat.enrichments.indicator.file.hash.md5: dashed_name: threat-enrichments-indicator-file-hash-md5 description: MD5 hash. 
@@ -19943,6 +20136,18 @@ threat: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + threat.indicator.file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: threat.indicator.file.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string threat.indicator.file.code_signature.signing_id: dashed_name: threat-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -20612,6 +20817,20 @@ threat: original_fieldset: file short: Primary group name of the file. type: keyword + threat.indicator.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: threat.indicator.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword threat.indicator.file.hash.md5: dashed_name: threat-indicator-file-hash-md5 description: MD5 hash. diff --git a/generated/elasticsearch/composable/component/device.json b/generated/elasticsearch/composable/component/device.json index e03f268c86..741cf82323 100644 --- a/generated/elasticsearch/composable/component/device.json +++ b/generated/elasticsearch/composable/component/device.json @@ -27,6 +27,10 @@ "type": "keyword" } } + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" } } } 
diff --git a/generated/elasticsearch/composable/component/dll.json b/generated/elasticsearch/composable/component/dll.json index d3561dd742..b5f52995c5 100644 --- a/generated/elasticsearch/composable/component/dll.json +++ b/generated/elasticsearch/composable/component/dll.json @@ -17,6 +17,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -46,6 +49,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/composable/component/email.json b/generated/elasticsearch/composable/component/email.json index 94e8c70084..4046e33558 100644 --- a/generated/elasticsearch/composable/component/email.json +++ b/generated/elasticsearch/composable/component/email.json @@ -18,6 +18,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/composable/component/file.json b/generated/elasticsearch/composable/component/file.json index d055adf323..cc12f10be1 100644 --- a/generated/elasticsearch/composable/component/file.json +++ b/generated/elasticsearch/composable/component/file.json @@ -24,6 +24,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -233,6 +236,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/composable/component/process.json b/generated/elasticsearch/composable/component/process.json index 6cc1382d11..610ff74848 100644 --- a/generated/elasticsearch/composable/component/process.json +++ b/generated/elasticsearch/composable/component/process.json 
@@ -24,6 +24,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -674,6 +677,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -824,6 +831,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -1055,6 +1065,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/composable/component/threat.json b/generated/elasticsearch/composable/component/threat.json index 17d9b1e77f..c9030c4167 100644 --- a/generated/elasticsearch/composable/component/threat.json +++ b/generated/elasticsearch/composable/component/threat.json @@ -66,6 +66,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -275,6 +278,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -987,6 +994,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -1196,6 +1206,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index a6b67033e2..6725cae44d 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -740,6 +740,10 @@ "type": "keyword" } } + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" } } }, 
@@ -754,6 +758,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -783,6 +790,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -1008,6 +1019,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -1318,6 +1333,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -1527,6 +1545,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -2703,6 +2725,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -3353,6 +3378,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -3503,6 +3532,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -3734,6 +3766,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -5241,6 +5277,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -5450,6 +5489,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -6162,6 +6205,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" 
@@ -6371,6 +6417,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" diff --git a/rfcs/text/0044-add-apple-platform-specific-fields.md b/rfcs/text/0044-add-apple-platform-specific-fields.md index 68d0da3214..1c58a32b94 100644 --- a/rfcs/text/0044-add-apple-platform-specific-fields.md +++ b/rfcs/text/0044-add-apple-platform-specific-fields.md @@ -1,8 +1,8 @@ # 0044: Apple Platform specific fields -- Stage: **0 (strawperson)** -- Date: **2024-08-13** +- Stage: **2 (Candidate)** +- Date: **2024-09-11** ### Summary 
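Review bot: the move of RFC 0044 from stage 0 to stage 2 (Candidate) in the last hunk is not accompanied by the real-world example source document that the stage-2 instructions in this same file ask for; none is visible among the hunks of this patch. If the example was added under `rfcs/text/0044/`, the stage-2 entry should link to it, otherwise the stage line should stay at 1 until it exists.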
@@ -60,7 +60,11 @@ Stage 2: Included a real world example source document. Ideally this example com Stage 3: Add more real world example source documents so we have at least 2 total, but ideally 3. Format as described in stage 2. --> - +https://developer.apple.com/documentation/endpointsecurity/es_process_t/3228978-is_es_client + +https://developer.apple.com/documentation/endpointsecurity/es_process_t/3228979-is_platform_binary + +https://developer.apple.com/documentation/endpointsecurity/es_process_t/3684982-responsible_audit_token + +https://developer.apple.com/documentation/endpointsecurity/es_process_t/3334987-codesigning_flags + +https://developer.apple.com/documentation/endpointsecurity/es_process_t/3228976-cdhash + ### RFC Pull Requests * Stage 0: https://github.com/elastic/ecs/pull/2338 +* Stage 2: https://github.com/elastic/ecs/pull/2370 + +- Stage: **0 (strawperson)** +- Date: **TBD** + + + + +This RFC proposes to expand the vulnerability fieldset to include more fields, the proposal takes into consideration various customer feedbacks provided to Security integration team, inputs from Infosec team managing vulnerabilities across Elastic and other companies. This will benefit our customers and internal product teams to provide more effective vulnerability management experience to end user. to come up with the list of fields, extensive research was done across various Vulnerability management products and schemas like OSV. It is a continuation of one of the previous RFC on similar topic- https://github.com/elastic/ecs/issues/1685 + + + + + +## Fields +The `vulnerabilities` fields being proposed are as follows: + +| Field | Type | Description / Use Case | +| ----- | ---- | ---------------------- | +| `vulnerability.vendor.id` | keyword | A vulnerability doesn't have necessary a CVE associated with it. It makes sense to seperate vulnerability ID (like CVEs) to the vendor/detection IDs. 
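Review bot: the five Endpoint Security links added before `### RFC Pull Requests` are bare URLs; label each with the field it backs (`is_es_client`, `is_platform_binary`, `responsible_audit_token` for `process.responsible`, `codesigning_flags` for `code_signature.flags`, `cdhash` for `hash.cdhash`) so a reader can map references to fields. The vulnerability-fieldset RFC text that follows in this patch appears without its own `diff --git` header and file name, and its header still reads `Date: **TBD**`; the stage-0 date should be filled in before merge.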
| +| `vulnerability.title` | keyword | Title/Name/Short Description for vulnerability, to be used in flyout and dashboards. | +| `vulnerability.mitigation` | text | Explains user how to fix or mitigate the problem, could be usefd to store resolution from the scanner vendor or document mitigation in place | +| `vulnerability.published` | date | The “published” field indicates the date when information about a specific vulnerability was publicly disclosed or made available.It represents the moment when details about the vulnerability were shared with the security community, vendors, and the public.This field helps security professionals track the timeline of vulnerability awareness, in ISO 8601 format - YYYY-MM-DD | +| `vulnerability.patch.*` | object | - | +| `vulnerability.patch.exists` | boolean | The “patch” field refers to whether a security fix or update (commonly known as a patch) is available to address the identified vulnerability. It indicates whether the software vendor or developer has released a solution to mitigate the vulnerability. | +| `vulnerability.patch.name` | text | Name of the patch | +| `vulnerability.patch.code` | keyword | Associated patch code for example ESA-2020-13 | +| `vulnerability.evidence` | text | A demonstration of the validity of a vulnerability claim, e.g. app.any.run replaying the exploitation of the vulnerability. | +| `vulnerability.status` | keyword | The status field helps security teams track vulnerabilities, prioritize actions, and communicate their progress effectively. Examples- open/ignored/patched/mitigated/false_positive/risk_accepted/reopened..| +| `vulnerability.tags` | keyword | This is different from cloud provider assigned resource tags, this is specifically for vulnerability. Vulnerability tags serve as a way to add custom metadata to vulnerabilities, enhancing their context and aiding in search and automation. 
| +| `vulnerability.first_found` | date | First time a vulnerability was found on the asset, in ISO 8601 format: 2016-05-23T08:05:34.853Z | +| `vulnerability.last_found` | date | Last time a vulnerability was found on the asset, in ISO 8601 format: 2016-05-23T08:05:34.853Z | +| `vulnerability.last_scanned` | date | Last time a scan was performed on the asset. It's important as some companies are scanning on a quarterly basis. If last_found and last_scanned are close, it means it's still an active vulnerability, in ISO 8601 format: 2016-05-23T08:05:34.853Z| +| `vulnerability.age` | long | Numbers of days since the vulnerability is active. It should be dynamically calculated (runtime fields, ingest, ...). It could either be then difference between the last_found date and the published date (preferred). It could also be the difference between the first_found and last_found dates. | +| `vulnerability.uid` | keyword | It's extremely important to be able to deduplicate different scans. It's often that we have different scanners showing the same vulnerability on the same asset. | +| `vulnerability.type` | keyword | To conclude if the vulnerability is confirmed or potential. | +| `vulnerability.exploitability.*` | object | - | +| `vulnerability.exploitability.exploited` | boolean | To indicate if the vulnerability has been exploited or not. | +| `vulnerability.exploitability.reference` | keyword | Exploitability databse for example CSA-KEV. | +| `vulnerability.exploitability.confidence` | keyword | Confidence measure the credibility of existence and exploitability. 
| +| `vulnerability.exploitability.first_seen` | date | First time of exploitability, in ISO 8601 format: 2016-05-23T08:05:34.853Z | +| `vulnerability.exploitability.last_seen` | date | Last time of exploitability, in ISO 8601 format: 2016-05-23T08:05:34.853Z | +| `vulnerability.affected.*` | object | The affected field is a JSON array containing objects that describes the affected package versions, meaning those that contain the vulnerability. | +| `vulnerability.affected.package` | array | Package field is a JSON object identifying the affected code library or command provided by the package. | +| `vulnerability.affected.severity` | array | This field applies to a specific package, in cases where affected packages have differing severities for the same vulnerability. | +| `vulnerability.affected.versions` | array | Affected version in whatever version syntax is used by the given package ecosystem. | + + + + + + +## Usage + + + +## Source data + + + + + + + +## Scope of impact + + + +## Concerns + + + + + + + +## People + +The following are the people that consulted on the contents of this RFC. + +* @smriti0321 | author +* @tinnytintin10 | Product Manager Cloud Security +* @oren-zohar | Engineering Manager Cloud Security +* @orouz | Engineer +* @clement-fouque | Information Security Analyst + + + +## References + + +previous RFC - https://github.com/elastic/ecs/issues/1685 +https://ossf.github.io/osv-schema/#affected-fields + +### RFC Pull Requests + + + +* Stage 0: https://github.com/elastic/ecs/pull/2331 + + From 220ecee12b6829515d2935e331d08c0f1579d012 Mon Sep 17 00:00:00 2001 
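Review bot: the `vulnerability.affected.*` rows in the RFC field table are typed inconsistently with their own descriptions: `vulnerability.affected.*` is declared `object` while its description says it is "a JSON array containing objects", and `vulnerability.affected.package` is typed `array` while its description calls it "a JSON object"; pick one representation (for example a nested object with `normalize: array`, as other ECS field sets do) so that the generated mappings and the prose agree, and state whether `vulnerability.affected.severity` and `vulnerability.affected.versions` are per-package arrays or single values. Several descriptions also carry typos that will be copied verbatim into generated docs: "usefd" in `vulnerability.mitigation`, "then difference" in `vulnerability.age`, "databse" in `vulnerability.exploitability.reference`, and the unfinished "Examples- open/ignored/.../reopened.." list in `vulnerability.status`, which reads as if an allowed-values list was intended and would be better expressed as `allowed_values` in the schema. The example `CSA-KEV` for `vulnerability.exploitability.reference` should be checked against the intended catalog name before it lands in docs.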
From: Michael Wolf Date: Mon, 23 Sep 2024 11:19:19 -0700 Subject: [PATCH 173/186] Fix type in code signature (#2382) Change the type of code_signature.flags to keyword, which is what it should be. Also add a unit test that will verify all types are valid. --- docs/fields/field-details.asciidoc | 2 +- experimental/generated/beats/fields.ecs.yml | 18 ++++++---- experimental/generated/csv/fields.csv | 12 +++---- experimental/generated/ecs/ecs_flat.yml | 18 ++++++---- experimental/generated/ecs/ecs_nested.yml | 21 +++++++---- .../composable/component/dll.json | 3 +- .../composable/component/file.json | 3 +- .../composable/component/process.json | 6 ++-- .../composable/component/threat.json | 6 ++-- .../elasticsearch/legacy/template.json | 18 ++++++---- generated/beats/fields.ecs.yml | 18 ++++++---- generated/csv/fields.csv | 12 +++---- generated/ecs/ecs_flat.yml | 18 ++++++---- generated/ecs/ecs_nested.yml | 21 +++++++---- .../composable/component/dll.json | 3 +- .../composable/component/file.json | 3 +- .../composable/component/process.json | 6 ++-- .../composable/component/threat.json | 6 ++-- generated/elasticsearch/legacy/template.json | 18 ++++++---- rfcs/text/0044/code_signature.yml | 4 +-- schemas/code_signature.yml | 2 +- scripts/tests/test_ecs_spec.py | 35 +++++++++++++++++++ 22 files changed, 175 insertions(+), 78 deletions(-) diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index f2259fb87e..23ae02e99a 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -873,7 +873,7 @@ a| beta:[ This field is beta and subject to change. ] The flags used to sign the process. -type: string +type: keyword diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 625206235f..ee0ecb5e3b 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -1273,7 +1273,8 @@ default_field: false - name: code_signature.flags level: extended - type: string + type: keyword + ignore_above: 1024 description: The flags used to sign the process. example: 570522385 default_field: false @@ -2439,7 +2440,8 @@ default_field: false - name: code_signature.flags level: extended - type: string + type: keyword + ignore_above: 1024 description: The flags used to sign the process. example: 570522385 default_field: false @@ -4793,7 +4795,8 @@ default_field: false - name: code_signature.flags level: extended - type: string + type: keyword + ignore_above: 1024 description: The flags used to sign the process. example: 570522385 default_field: false @@ -6117,7 +6120,8 @@ default_field: false - name: parent.code_signature.flags level: extended - type: string + type: keyword + ignore_above: 1024 description: The flags used to sign the process. example: 570522385 default_field: false @@ -9177,7 +9181,8 @@ default_field: false - name: enrichments.indicator.file.code_signature.flags level: extended - type: string + type: keyword + ignore_above: 1024 description: The flags used to sign the process. example: 570522385 default_field: false @@ -10798,7 +10803,8 @@ default_field: false - name: indicator.file.code_signature.flags level: extended - type: string + type: keyword + ignore_above: 1024 description: The flags used to sign the process. example: 570522385 default_field: false diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 85f24dce13..be5ee33461 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -149,7 +149,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,device,device.serial_number,keyword,core,,DJGAQS4CW5,Serial Number of the device 8.12.0-dev+exp,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev+exp,true,dll,dll.code_signature.flags,string,extended,,570522385,Code signing flags of the process +8.12.0-dev+exp,true,dll,dll.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer 
@@ -280,7 +280,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 8.12.0-dev+exp,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev+exp,true,file,file.code_signature.flags,string,extended,,570522385,Code signing flags of the process +8.12.0-dev+exp,true,file,file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer 
@@ -593,7 +593,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array. 8.12.0-dev+exp,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev+exp,true,process,process.code_signature.flags,string,extended,,570522385,Code signing flags of the process +8.12.0-dev+exp,true,process,process.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer 
@@ -775,7 +775,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. 8.12.0-dev+exp,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev+exp,true,process,process.parent.code_signature.flags,string,extended,,570522385,Code signing flags of the process +8.12.0-dev+exp,true,process,process.parent.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer 
@@ -1162,7 +1162,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.flags,string,extended,,570522385,Code signing flags of the process +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer 
@@ -1381,7 +1381,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.flags,string,extended,,570522385,Code signing flags of the process +8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 6e09b7f52f..e529df5f93 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -1806,12 +1806,13 @@ dll.code_signature.flags: description: The flags used to sign the process. example: 570522385 flat_name: dll.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword dll.code_signature.signing_id: dashed_name: dll-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -3957,12 +3958,13 @@ file.code_signature.flags: description: The flags used to sign the process. example: 570522385 flat_name: file.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword file.code_signature.signing_id: dashed_name: file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -7787,12 +7789,13 @@ process.code_signature.flags: description: The flags used to sign the process. example: 570522385 flat_name: process.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword process.code_signature.signing_id: dashed_name: process-code-signature-signing-id description: 'The identifier used to sign the process. @@ -9956,12 +9959,13 @@ process.parent.code_signature.flags: description: The flags used to sign the process. example: 570522385 flat_name: process.parent.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword process.parent.code_signature.signing_id: dashed_name: process-parent-code-signature-signing-id description: 'The identifier used to sign the process. @@ -14782,12 +14786,13 @@ threat.enrichments.indicator.file.code_signature.flags: description: The flags used to sign the process. example: 570522385 flat_name: threat.enrichments.indicator.file.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword threat.enrichments.indicator.file.code_signature.signing_id: dashed_name: threat-enrichments-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -17518,12 +17523,13 @@ threat.indicator.file.code_signature.flags: description: The flags used to sign the process. example: 570522385 flat_name: threat.indicator.file.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword threat.indicator.file.code_signature.signing_id: dashed_name: threat-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 1f7f9648b7..f4a2844515 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -1326,11 +1326,12 @@ code_signature: description: The flags used to sign the process. example: 570522385 flat_name: code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] short: Code signing flags of the process - type: string + type: keyword code_signature.signing_id: dashed_name: code-signature-signing-id description: 'The identifier used to sign the process. @@ -2290,12 +2291,13 @@ dll: description: The flags used to sign the process. example: 570522385 flat_name: dll.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword dll.code_signature.signing_id: dashed_name: dll-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -5001,12 +5003,13 @@ file: description: The flags used to sign the process. example: 570522385 flat_name: file.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword file.code_signature.signing_id: dashed_name: file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -10020,12 +10023,13 @@ process: description: The flags used to sign the process. example: 570522385 flat_name: process.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword process.code_signature.signing_id: dashed_name: process-code-signature-signing-id description: 'The identifier used to sign the process. @@ -12194,12 +12198,13 @@ process: description: The flags used to sign the process. example: 570522385 flat_name: process.parent.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword process.parent.code_signature.signing_id: dashed_name: process-parent-code-signature-signing-id description: 'The identifier used to sign the process. @@ -17482,12 +17487,13 @@ threat: description: The flags used to sign the process. example: 570522385 flat_name: threat.enrichments.indicator.file.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword threat.enrichments.indicator.file.code_signature.signing_id: dashed_name: threat-enrichments-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -20224,12 +20230,13 @@ threat: description: The flags used to sign the process. example: 570522385 flat_name: threat.indicator.file.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword threat.indicator.file.code_signature.signing_id: dashed_name: threat-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. diff --git a/experimental/generated/elasticsearch/composable/component/dll.json b/experimental/generated/elasticsearch/composable/component/dll.json index 55e2246263..e59687764d 100644 --- a/experimental/generated/elasticsearch/composable/component/dll.json +++ b/experimental/generated/elasticsearch/composable/component/dll.json @@ -18,7 +18,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, diff --git a/experimental/generated/elasticsearch/composable/component/file.json b/experimental/generated/elasticsearch/composable/component/file.json index adb9d1d8ec..175a0cbab7 100644 --- a/experimental/generated/elasticsearch/composable/component/file.json +++ b/experimental/generated/elasticsearch/composable/component/file.json @@ -25,7 +25,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, diff --git a/experimental/generated/elasticsearch/composable/component/process.json b/experimental/generated/elasticsearch/composable/component/process.json index de0be5f249..76b8983a3b 100644 --- a/experimental/generated/elasticsearch/composable/component/process.json +++ b/experimental/generated/elasticsearch/composable/component/process.json @@ -25,7 +25,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, 
@@ -832,7 +833,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, diff --git a/experimental/generated/elasticsearch/composable/component/threat.json b/experimental/generated/elasticsearch/composable/component/threat.json index cdcbbd7ae6..32056d1507 100644 --- a/experimental/generated/elasticsearch/composable/component/threat.json +++ b/experimental/generated/elasticsearch/composable/component/threat.json @@ -67,7 +67,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -995,7 +996,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index 6b9172fe34..bc7f446065 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -801,7 +801,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -1376,7 +1377,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -2768,7 +2770,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -3575,7 +3578,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -5320,7 +5324,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, 
@@ -6248,7 +6253,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 77f9536d95..3883c5b045 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -1223,7 +1223,8 @@ default_field: false - name: code_signature.flags level: extended - type: string + type: keyword + ignore_above: 1024 description: The flags used to sign the process. example: 570522385 default_field: false @@ -2389,7 +2390,8 @@ default_field: false - name: code_signature.flags level: extended - type: string + type: keyword + ignore_above: 1024 description: The flags used to sign the process. example: 570522385 default_field: false @@ -4743,7 +4745,8 @@ default_field: false - name: code_signature.flags level: extended - type: string + type: keyword + ignore_above: 1024 description: The flags used to sign the process. example: 570522385 default_field: false @@ -6067,7 +6070,8 @@ default_field: false - name: parent.code_signature.flags level: extended - type: string + type: keyword + ignore_above: 1024 description: The flags used to sign the process. example: 570522385 default_field: false @@ -9127,7 +9131,8 @@ default_field: false - name: enrichments.indicator.file.code_signature.flags level: extended - type: string + type: keyword + ignore_above: 1024 description: The flags used to sign the process. example: 570522385 default_field: false @@ -10748,7 +10753,8 @@ default_field: false - name: indicator.file.code_signature.flags level: extended - type: string + type: keyword + ignore_above: 1024 description: The flags used to sign the process. example: 570522385 default_field: false diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index a7210ad73b..8af3fac81a 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -142,7 +142,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,device,device.serial_number,keyword,core,,DJGAQS4CW5,Serial Number of the device 8.12.0-dev,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev,true,dll,dll.code_signature.flags,string,extended,,570522385,Code signing flags of the process +8.12.0-dev,true,dll,dll.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer 
@@ -273,7 +273,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 8.12.0-dev,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev,true,file,file.code_signature.flags,string,extended,,570522385,Code signing flags of the process +8.12.0-dev,true,file,file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer 
@@ -586,7 +586,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. 8.12.0-dev,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev,true,process,process.code_signature.flags,string,extended,,570522385,Code signing flags of the process +8.12.0-dev,true,process,process.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer 
@@ -768,7 +768,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. 8.12.0-dev,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev,true,process,process.parent.code_signature.flags,string,extended,,570522385,Code signing flags of the process +8.12.0-dev,true,process,process.parent.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer 
@@ -1155,7 +1155,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.flags,string,extended,,570522385,Code signing flags of the process +8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer 
@@ -1374,7 +1374,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 8.12.0-dev,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev,true,threat,threat.indicator.file.code_signature.flags,string,extended,,570522385,Code signing flags of the process +8.12.0-dev,true,threat,threat.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 7e504589db..bad8611fa7 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -1737,12 +1737,13 @@ dll.code_signature.flags: description: The flags used to sign the process. example: 570522385 flat_name: dll.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword dll.code_signature.signing_id: dashed_name: dll-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -3888,12 +3889,13 @@ file.code_signature.flags: description: The flags used to sign the process. example: 570522385 flat_name: file.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword file.code_signature.signing_id: dashed_name: file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -7718,12 +7720,13 @@ process.code_signature.flags: description: The flags used to sign the process. example: 570522385 flat_name: process.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword process.code_signature.signing_id: dashed_name: process-code-signature-signing-id description: 'The identifier used to sign the process. @@ -9887,12 +9890,13 @@ process.parent.code_signature.flags: description: The flags used to sign the process. example: 570522385 flat_name: process.parent.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword process.parent.code_signature.signing_id: dashed_name: process-parent-code-signature-signing-id description: 'The identifier used to sign the process. @@ -14713,12 +14717,13 @@ threat.enrichments.indicator.file.code_signature.flags: description: The flags used to sign the process. example: 570522385 flat_name: threat.enrichments.indicator.file.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword threat.enrichments.indicator.file.code_signature.signing_id: dashed_name: threat-enrichments-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -17449,12 +17454,13 @@ threat.indicator.file.code_signature.flags: description: The flags used to sign the process. example: 570522385 flat_name: threat.indicator.file.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword threat.indicator.file.code_signature.signing_id: dashed_name: threat-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index b08955b69b..a401fa7b0a 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -1246,11 +1246,12 @@ code_signature: description: The flags used to sign the process. example: 570522385 flat_name: code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] short: Code signing flags of the process - type: string + type: keyword code_signature.signing_id: dashed_name: code-signature-signing-id description: 'The identifier used to sign the process. @@ -2210,12 +2211,13 @@ dll: description: The flags used to sign the process. example: 570522385 flat_name: dll.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword dll.code_signature.signing_id: dashed_name: dll-code-signature-signing-id description: 'The identifier used to sign the process. @@ -4921,12 +4923,13 @@ file: description: The flags used to sign the process. example: 570522385 flat_name: file.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword file.code_signature.signing_id: dashed_name: file-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -9940,12 +9943,13 @@ process: description: The flags used to sign the process. example: 570522385 flat_name: process.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword process.code_signature.signing_id: dashed_name: process-code-signature-signing-id description: 'The identifier used to sign the process. @@ -12114,12 +12118,13 @@ process: description: The flags used to sign the process. example: 570522385 flat_name: process.parent.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword process.parent.code_signature.signing_id: dashed_name: process-parent-code-signature-signing-id description: 'The identifier used to sign the process. @@ -17402,12 +17407,13 @@ threat: description: The flags used to sign the process. example: 570522385 flat_name: threat.enrichments.indicator.file.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword threat.enrichments.indicator.file.code_signature.signing_id: dashed_name: threat-enrichments-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -20144,12 +20150,13 @@ threat: description: The flags used to sign the process. example: 570522385 flat_name: threat.indicator.file.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword threat.indicator.file.code_signature.signing_id: dashed_name: threat-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. 
diff --git a/generated/elasticsearch/composable/component/dll.json b/generated/elasticsearch/composable/component/dll.json index b5f52995c5..7c76d1ed0d 100644 --- a/generated/elasticsearch/composable/component/dll.json +++ b/generated/elasticsearch/composable/component/dll.json @@ -18,7 +18,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, diff --git a/generated/elasticsearch/composable/component/file.json b/generated/elasticsearch/composable/component/file.json index cc12f10be1..c032c0a53c 100644 --- a/generated/elasticsearch/composable/component/file.json +++ b/generated/elasticsearch/composable/component/file.json @@ -25,7 +25,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, diff --git a/generated/elasticsearch/composable/component/process.json b/generated/elasticsearch/composable/component/process.json index 610ff74848..d48a4eddab 100644 --- a/generated/elasticsearch/composable/component/process.json +++ b/generated/elasticsearch/composable/component/process.json @@ -25,7 +25,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -832,7 +833,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, diff --git a/generated/elasticsearch/composable/component/threat.json b/generated/elasticsearch/composable/component/threat.json index c9030c4167..40f98ec195 100644 --- a/generated/elasticsearch/composable/component/threat.json +++ b/generated/elasticsearch/composable/component/threat.json @@ -67,7 +67,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, 
@@ -995,7 +996,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index 6725cae44d..66b302cebd 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -759,7 +759,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -1334,7 +1335,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -2726,7 +2728,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -3533,7 +3536,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -5278,7 +5282,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -6206,7 +6211,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, diff --git a/rfcs/text/0044/code_signature.yml b/rfcs/text/0044/code_signature.yml index 091339048d..d16b64b6e4 100644 --- a/rfcs/text/0044/code_signature.yml +++ b/rfcs/text/0044/code_signature.yml @@ -3,8 +3,8 @@ fields: - name: flags level: extended - type: string + type: keyword short: Code signing flags of the process description: > The flags used to sign the process. - example: 570522385 \ No newline at end of file + example: 570522385 diff --git a/schemas/code_signature.yml b/schemas/code_signature.yml index 67e6a5da4a..e5808e6e3d 100644 --- a/schemas/code_signature.yml +++ b/schemas/code_signature.yml 
@@ -37,7 +37,7 @@ - name: flags level: extended - type: string + type: keyword short: Code signing flags of the process description: > The flags used to sign the process. diff --git a/scripts/tests/test_ecs_spec.py b/scripts/tests/test_ecs_spec.py index edb0b8420c..a55d7bbb68 100644 --- a/scripts/tests/test_ecs_spec.py +++ b/scripts/tests/test_ecs_spec.py @@ -130,6 +130,41 @@ def test_normalize_always_array(self): for (field_name, field) in self.ecs_fields.items(): self.assertIsInstance(field.get('normalize'), list, field_name) + def test_valid_type(self): + valid_types = ['binary', + 'boolean', + 'keyword', + 'constant_keyword', + 'wildcard', + 'long', + 'integer', + 'short', + 'byte', + 'double', + 'float', + 'half_float', + 'scaled_float', + 'unsigned_long', + 'date', + 'date_nanos', + 'alias', + 'object', + 'flattened', + 'nested', + 'join', + 'long_range', + 'double_range', + 'date_range', + 'ip', + 'text', + 'match_only_text', + 'geo_point', + 'geo_shape', + 'point', + 'shape'] + for (field_name, field) in self.ecs_fields.items(): + self.assertIn(field.get('type'), valid_types, field_name) + if __name__ == '__main__': unittest.main() From e78c4247394c8440dbdfa4224d68ca433742fcea Mon Sep 17 00:00:00 2001 From: Michael Wolf Date: Tue, 24 Sep 2024 01:22:33 -0700 Subject: [PATCH 174/186] Enforce yamllint in CI (#2381) Start running and enforcing yamllint checks in CI. --- .github/workflows/test.yml | 2 +- Makefile | 4 ++-- schemas/email.yml | 4 ++-- schemas/pe.yml | 1 - 4 files changed, 5 insertions(+), 6 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index b618b7394b..cc2d5276c5 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -12,4 +12,4 @@ jobs: with: python-version: '3.x' - run: git fetch --prune --unshallow --tags - - run: make check + - run: make check yamllint diff --git a/Makefile b/Makefile index d6e65d4a45..5aaeebcebd 100644 --- a/Makefile +++ b/Makefile 
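Review bot: `test_valid_type` hard-codes the accepted Elasticsearch mapping types inside the test, so the next type addition needs a test edit rather than a schema or tooling edit; consider moving `valid_types` next to the schema loader that already checks `normalize` and have the test call it, and give the assertion a clearer message than the bare `field_name` (a field with no `type` at all currently fails with `None is not found in [...]`). On the schema side, `flags` is now a `keyword`, but the description still reads `The flags used to sign the process.` and the only `example` is the decimal `570522385`; state in `schemas/code_signature.yml` whether the value is the decimal or hexadecimal string of the signing-flags bitmask, otherwise producers will pick their own encoding, the same problem this series fixes for `x509.serial_number`.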
@@ -86,7 +86,7 @@ misspell: fi ./build/misspell/bin/misspell -error README.md CONTRIBUTING.md schemas/* docs/* experimental/schemas/* -# Warn re misspell removal +# Warn re misspell removal .PHONY: misspell_warn misspell_warn: @echo "Warning: due to lack of cross-platform support, misspell is no longer included in this task and may be deprecated in future\n" @@ -110,4 +110,4 @@ build/ve/bin/activate: scripts/requirements.txt scripts/requirements-dev.txt # Check YAML syntax (currently not enforced). .PHONY: yamllint yamllint: ve - build/ve/bin/yamllint schemas/*.yml + build/ve/bin/yamllint -d '{extends: default, rules: {line-length: disable}}' schemas/*.yml diff --git a/schemas/email.yml b/schemas/email.yml index 82bfd5b219..9c8b6ff390 100644 --- a/schemas/email.yml +++ b/schemas/email.yml @@ -180,8 +180,8 @@ A brief summary of the topic of the message. example: "Please see this important message." multi_fields: - - type: match_only_text - name: text + - type: match_only_text + name: text - name: to.address level: extended diff --git a/schemas/pe.yml b/schemas/pe.yml index f2a5f1561e..d201544658 100644 --- a/schemas/pe.yml +++ b/schemas/pe.yml @@ -208,4 +208,3 @@ format: string type: long level: extended - From 68fd03838cc2e167d08cbc1c7f534d34a8df4246 Mon Sep 17 00:00:00 2001 From: Michal Stanek <75310947+stanek-michal@users.noreply.github.com> Date: Fri, 27 Sep 2024 20:11:23 +0200 Subject: [PATCH 175/186] Add Stage0 RFC for new fields for fileless execution on Linux (#2322) --- rfcs/text/0047-fileless-execution-linux.md | 132 +++++++++++++++++++++ 1 file changed, 132 insertions(+) create mode 100644 rfcs/text/0047-fileless-execution-linux.md diff --git a/rfcs/text/0047-fileless-execution-linux.md b/rfcs/text/0047-fileless-execution-linux.md new file mode 100644 index 0000000000..8ab161511d --- /dev/null +++ b/rfcs/text/0047-fileless-execution-linux.md 
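Review bot: the comment above the `yamllint` target still says `# Check YAML syntax (currently not enforced).`, but the same patch changes the workflow to `- run: make check yamllint`, so it is enforced on every CI run from now on; update the comment and record the `line-length: disable` override there, since the `-d '{extends: default, rules: {line-length: disable}}'` string is the only place that policy lives. Consider also making `check` depend on `yamllint` in the Makefile instead of listing it separately in the workflow, so a local `make check` matches what CI runs. The `misspell` hunk is whitespace-only (`# Warn re misspell removal`), which is fine.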
@@ -0,0 +1,132 @@ +# 0047: Fileless execution on Linux + + +- Stage: **0 (strawperson)** +- Date: **2024-09-26** + + + + + +This RFC proposes adding new fields and event types to enhance the detection of fileless malware execution and related malicious activities on Linux systems. + +The new fields include: + * file.is_memfd - Indicates if the file is an anonymous file descriptor (memfd) created using the memfd_create system call. + * file.is_shmem - Indicates if the file is a POSIX shared memory object created using the shm_open system call, typically located in /dev/shm. + * process.is_setuid - Indicates if the process has the setuid bit set, allowing it to run with the privileges of its owner. + * process.is_setgid - Indicates if the process has the setgid bit set, allowing it to run with the privileges of its group. + * process.is_memfd - Indicates if the process was executed from a memory file descriptor (memfd). + * process.inode_nlink - Number of links to the inode of the process executable file, obtained from the i_nlink variable in the inode structure. + +New process event types: + * memfd_create + * shmget (SystemV shared memory API) + * ptrace + * load_module + +New file event types: + * memfd_open + * shmem_open + +These additions will enable the detection and investigation of various malware execution techniques, such as executing code from memory file descriptors (memfd), hiding malicious binaries in shared memory objects (shm_open and shmget), debugging other processes for code injection (ptrace), and loading kernel modules for rootkits (load_module). The proposed fields also cover privilege escalation using setuid/setgid binaries. + + + + + +## Fields + + + + + +## Usage + + + +## Source data + +The data can be collected by monitoring system calls and events on Linux hosts using kernel instrumentation techniques like eBPF or kprobes. 
+ + + + + + + +## Scope of impact + + + +## Concerns + + + + + + + +## People + +The following are the people that consulted on the contents of this RFC. + + * @stanek-michal | author + + + + +## References + + + +### RFC Pull Requests + + + + From 312f5d5438c0c2d744b56da1763414ddd17ec2ec Mon Sep 17 00:00:00 2001 From: "elastic-renovate-prod[bot]" <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Date: Tue, 15 Oct 2024 13:00:22 -0700 Subject: [PATCH 176/186] Update actions/checkout digest to eef6144 (#2389) Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index cc2d5276c5..829db21779 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -7,7 +7,7 @@ jobs: runs-on: ubuntu-22.04 name: Unit Tests steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4 - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5 with: python-version: '3.x' From 8a2c649b8ead839848750bcea085b6a755a5ba46 Mon Sep 17 00:00:00 2001 From: Asuka Nakajima Date: Wed, 16 Oct 2024 05:13:18 +0900 Subject: [PATCH 177/186] [RFC] Stage 0: Introducing new fields in file/dll/process fields (#2387) --------- Co-authored-by: Michael Wolf --- rfcs/text/0048-fileorigin-fields.md | 143 ++++++++++++++++++++++++++++ 1 file changed, 143 insertions(+) create mode 100644 rfcs/text/0048-fileorigin-fields.md diff --git a/rfcs/text/0048-fileorigin-fields.md b/rfcs/text/0048-fileorigin-fields.md new file mode 100644 index 0000000000..85622991b7 --- /dev/null +++ b/rfcs/text/0048-fileorigin-fields.md 
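Review bot: the event-type names are inconsistent with the field descriptions in the same hunk: `file.is_shmem` is defined in terms of the `shm_open` system call, yet the new file event type is spelled `shmem_open`, and `shmget` is listed under process event types while `memfd_open`/`shmem_open` are file event types; pick one spelling and say why the two shared-memory APIs land in different categories. None of the six fields (`file.is_memfd`, `file.is_shmem`, `process.is_setuid`, `process.is_setgid`, `process.is_memfd`, `process.inode_nlink`) is given a type or level, and `file.is_memfd` and `process.is_memfd` are described almost identically, so the Fields section should state whether `process.is_memfd` is just `file.is_memfd` of the executable or carries separate meaning. Empty `## Fields` and `## Usage` sections are expected at `Stage: **0 (strawperson)**`, but the `## Source data` paragraph (eBPF or kprobes) would be stronger with one example event showing the proposed fields populated.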
@@ -0,0 +1,143 @@ +# 0048: File Origin Fields + + +- Stage: **0 (strawperson)** +- Date: **2024-10-15** + + + + + +It is known that when downloading files from the internet using a web browser (eg. Chrome, Edge, etc), information about the file's source is added to the file. +In Windows, it is known as the Mark of the Web and stored in file's Alternate Data Stream (ADS). In MacOS, it is stored in file's extended file attributes (metadata). + +For example, in Windows, when you download an image file (`image17.webp`) from [this webpage](https://www.elastic.co/security-labs/pikabot-i-choose-you) using a web browser, the download source URL is automatically added to the file's Alternate Data Stream (ADS) as following. + +image + +* Inside `image17.webp:Zone.Identifier:$DATA` +image + +In ensuring endpoint security, the origin information of a file is crucial for determining whether a downloaded file or executable from the internet comes from a safe source and if it is safe to execute. + +Thus, this PR adds new fields to store the URL of the file's origin information for `file`, `process`, and `dll`. +The ReferrerUrl is intended to be stored in the `origin_referrer_url` field, and the `HostUrl` is inteded to be stored in the `origin_url` field. The ZoneId is intended to be stored in the `zone_identifier` field. + + + + + +## Fields + + + +The new fields proposed are: + +Field | Type | Description /Usage +-- | -- | -- +file.origin_referrer_url | keyword | The URL of the webpage that linked to the file. +file.origin_url | keyword | The URL where the file is hosted. +file.zone_identifier | short | Numerical identifier that indicates the security zone of a file's origin. +process.origin_referrer_url | keyword | The URL of the webpage that linked to the file. +process.origin_url | keyword | The URL where the file is hosted. +process.zone_identifier | short | Numerical identifier that indicates the security zone of a file's origin. 
+dll.origin_referrer_url | keyword | The URL of the webpage that linked to the file. +dll.origin_url | keyword | The URL where the file is hosted. +dll.zone_identifier | short | Numerical identifier that indicates the security zone of a file's origin. + + + +## Usage + + + +## Source data + + + + + + + +## Scope of impact + + + +## Concerns + + + + + + + +## People + +The following are the people that consulted on the contents of this RFC. + +* @AsuNa-jp | author +* @joe-desimone +* @trisch-me +* @mjwolf + + + + +## References + + + + +### RFC Pull Requests + + + +* Stage 0: https://github.com/elastic/ecs/pull/2387 + + From 4fa0abdf5db87abc91791b9a0093b371cc696032 Mon Sep 17 00:00:00 2001 From: Christiano Haesbaert Date: Tue, 15 Oct 2024 22:51:53 +0200 Subject: [PATCH 178/186] Define base encoding in x509.serial_number (#2383) Narrow the definition of x509.serial_number to be encoded in hexadecimal, otherwise we end up with integrations choosing their own encoding, as noted below, Zeek uses base 16 while the rest of beats is using base 10. --- CHANGELOG.next.md | 2 ++ docs/fields/field-details.asciidoc | 2 +- experimental/generated/beats/fields.ecs.yml | 14 +++++++------- experimental/generated/ecs/ecs_flat.yml | 21 +++++++-------------- experimental/generated/ecs/ecs_nested.yml | 16 ++++++++-------- generated/beats/fields.ecs.yml | 14 +++++++------- generated/ecs/ecs_flat.yml | 21 +++++++-------------- generated/ecs/ecs_nested.yml | 16 ++++++++-------- schemas/x509.yml | 4 ++-- 9 files changed, 49 insertions(+), 61 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 9613fb89e6..70a4a3e0a6 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -25,6 +25,8 @@ Thanks, you're awesome :-) --> #### Improvements +* Define base encoding of `x509.serial_number`. #2383 + #### Deprecated ### Tooling and Artifact Changes diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index 23ae02e99a..489828f764 100644 
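Review bot: the three new fields are copied verbatim into `file.*`, `process.*` and `dll.*` with identical descriptions; define them once as a reusable fieldset (the way `code_signature` is reused via `original_fieldset` elsewhere in this series) so the descriptions cannot drift, and make the `process.*` and `dll.*` variants refer to the executable or library rather than "the file". `*.zone_identifier` is typed `short` but described only as `Numerical identifier that indicates the security zone of a file's origin`; state which values are expected and how they map to the `ZoneId` in the `Zone.Identifier` stream shown above. The text says `this PR adds new fields`, whereas at Stage 0 it proposes them; also fix `inteded`, `eg.`, `as following` and the table header `Description /Usage` before the next stage.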
--- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -13803,7 +13803,7 @@ example: `2048` [[field-x509-serial-number]] <> -a| Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. +a| Unique serial number issued by the certificate authority. For consistency, this should be encoded in base 16 and formatted without colons and uppercase characters. type: keyword diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index ee0ecb5e3b..932f199061 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -3339,7 +3339,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -9984,7 +9984,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -10541,7 +10541,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false 
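Review bot: `formatted without colons and uppercase characters` is ambiguous: read literally it forbids uppercase, yet the example `55FBB9C7DEBF09809D12CCAA` is uppercase. Since the purpose of #2383 is to pin down one encoding, say it explicitly, for example `encoded as uppercase hexadecimal (base 16) with no colons`, and use the same wording in `schemas/x509.yml` so every generated file agrees. The commit message notes that Zeek uses base 16 while the rest of beats emits base 10, so producers that followed the old text will have existing documents whose serial numbers no longer compare equal to new ones; the `CHANGELOG.next.md` entry `Define base encoding of x509.serial_number. #2383` should therefore call out that migration impact rather than sitting silently under `#### Improvements`.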
@@ -11606,7 +11606,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -12174,7 +12174,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -12590,7 +12590,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -12872,7 +12872,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index e529df5f93..d7b749d18d 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -5510,8 +5510,7 @@ file.x509.public_key_size: file.x509.serial_number: dashed_name: file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: file.x509.serial_number ignore_above: 1024 @@ -16160,8 +16159,7 @@ threat.enrichments.indicator.file.x509.public_key_size: threat.enrichments.indicator.file.x509.serial_number: dashed_name: threat-enrichments-indicator-file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.enrichments.indicator.file.x509.serial_number ignore_above: 1024 @@ -17087,8 +17085,7 @@ threat.enrichments.indicator.x509.public_key_size: threat.enrichments.indicator.x509.serial_number: dashed_name: threat-enrichments-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.enrichments.indicator.x509.serial_number ignore_above: 1024 
@@ -18897,8 +18894,7 @@ threat.indicator.file.x509.public_key_size: threat.indicator.file.x509.serial_number: dashed_name: threat-indicator-file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.indicator.file.x509.serial_number ignore_above: 1024 @@ -19840,8 +19836,7 @@ threat.indicator.x509.public_key_size: threat.indicator.x509.serial_number: dashed_name: threat-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.indicator.x509.serial_number ignore_above: 1024 @@ -20531,8 +20526,7 @@ tls.client.x509.public_key_size: tls.client.x509.serial_number: dashed_name: tls-client-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: tls.client.x509.serial_number ignore_above: 1024 
@@ -21008,8 +21002,7 @@ tls.server.x509.public_key_size: tls.server.x509.serial_number: dashed_name: tls-server-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: tls.server.x509.serial_number ignore_above: 1024 diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index f4a2844515..28fbb237c6 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -6558,7 +6558,7 @@ file: file.x509.serial_number: dashed_name: file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: file.x509.serial_number @@ -18863,7 +18863,7 @@ threat: threat.enrichments.indicator.file.x509.serial_number: dashed_name: threat-enrichments-indicator-file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.enrichments.indicator.file.x509.serial_number 
@@ -19794,7 +19794,7 @@ threat: threat.enrichments.indicator.x509.serial_number: dashed_name: threat-enrichments-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.enrichments.indicator.x509.serial_number @@ -21606,7 +21606,7 @@ threat: threat.indicator.file.x509.serial_number: dashed_name: threat-indicator-file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.indicator.file.x509.serial_number @@ -22553,7 +22553,7 @@ threat: threat.indicator.x509.serial_number: dashed_name: threat-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.indicator.x509.serial_number @@ -23308,7 +23308,7 @@ tls: tls.client.x509.serial_number: dashed_name: tls-client-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: tls.client.x509.serial_number 
@@ -23788,7 +23788,7 @@ tls: tls.server.x509.serial_number: dashed_name: tls-server-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: tls.server.x509.serial_number @@ -25706,7 +25706,7 @@ x509: x509.serial_number: dashed_name: x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: x509.serial_number diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 3883c5b045..fc1cab5897 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -3289,7 +3289,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -9934,7 +9934,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false 
@@ -10491,7 +10491,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -11556,7 +11556,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -12124,7 +12124,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -12540,7 +12540,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -12822,7 +12822,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index bad8611fa7..b58c35d5ff 100644 
--- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -5441,8 +5441,7 @@ file.x509.public_key_size: file.x509.serial_number: dashed_name: file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: file.x509.serial_number ignore_above: 1024 @@ -16091,8 +16090,7 @@ threat.enrichments.indicator.file.x509.public_key_size: threat.enrichments.indicator.file.x509.serial_number: dashed_name: threat-enrichments-indicator-file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.enrichments.indicator.file.x509.serial_number ignore_above: 1024 @@ -17018,8 +17016,7 @@ threat.enrichments.indicator.x509.public_key_size: threat.enrichments.indicator.x509.serial_number: dashed_name: threat-enrichments-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.enrichments.indicator.x509.serial_number ignore_above: 1024 
@@ -18828,8 +18825,7 @@ threat.indicator.file.x509.public_key_size: threat.indicator.file.x509.serial_number: dashed_name: threat-indicator-file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.indicator.file.x509.serial_number ignore_above: 1024 @@ -19771,8 +19767,7 @@ threat.indicator.x509.public_key_size: threat.indicator.x509.serial_number: dashed_name: threat-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.indicator.x509.serial_number ignore_above: 1024 @@ -20462,8 +20457,7 @@ tls.client.x509.public_key_size: tls.client.x509.serial_number: dashed_name: tls-client-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: tls.client.x509.serial_number ignore_above: 1024 
@@ -20939,8 +20933,7 @@ tls.server.x509.public_key_size: tls.server.x509.serial_number: dashed_name: tls-server-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: tls.server.x509.serial_number ignore_above: 1024 diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index a401fa7b0a..8c8aa6b1a8 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -6478,7 +6478,7 @@ file: file.x509.serial_number: dashed_name: file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: file.x509.serial_number @@ -18783,7 +18783,7 @@ threat: threat.enrichments.indicator.file.x509.serial_number: dashed_name: threat-enrichments-indicator-file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.enrichments.indicator.file.x509.serial_number 
@@ -19714,7 +19714,7 @@ threat: threat.enrichments.indicator.x509.serial_number: dashed_name: threat-enrichments-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.enrichments.indicator.x509.serial_number @@ -21526,7 +21526,7 @@ threat: threat.indicator.file.x509.serial_number: dashed_name: threat-indicator-file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.indicator.file.x509.serial_number @@ -22473,7 +22473,7 @@ threat: threat.indicator.x509.serial_number: dashed_name: threat-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.indicator.x509.serial_number @@ -23228,7 +23228,7 @@ tls: tls.client.x509.serial_number: dashed_name: tls-client-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: tls.client.x509.serial_number 
@@ -23708,7 +23708,7 @@ tls: tls.server.x509.serial_number: dashed_name: tls-server-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: tls.server.x509.serial_number @@ -25626,7 +25626,7 @@ x509: x509.serial_number: dashed_name: x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: x509.serial_number diff --git a/schemas/x509.yml b/schemas/x509.yml index be03f7c685..40f8aa71da 100644 --- a/schemas/x509.yml +++ b/schemas/x509.yml @@ -52,8 +52,8 @@ type: keyword short: Unique serial number issued by the certificate authority. description: > - Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be - formatted without colons and uppercase characters. + Unique serial number issued by the certificate authority. For consistency, this should be + encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA - name: issuer.distinguished_name From 7722217ef2105f1b1f2b0081904f79cbe811fc69 Mon Sep 17 00:00:00 2001 
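Review bot: the new wording "formatted without colons and uppercase characters", repeated in every one of these hunks (schemas/x509.yml is the source of truth, the rest are generated copies), is ambiguous: read literally it asks for no uppercase characters, while the example `55FBB9C7DEBF09809D12CCAA` is uppercase. Suggest "encoded as uppercase hexadecimal (base 16) with no colon separators" so the rule and the example agree. Two further normalization points are worth a sentence in the schema description, because producers will otherwise diverge: whether a leading `00` octet (DER prepends one when the high bit of the first byte of the INTEGER is set, and some tools print it while others strip it) is kept, and that a serial number is only unique among certificates from the same issuer, so the field is a correlation key together with the issuer, not on its own.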
From: Michael Wolf Date: Fri, 8 Nov 2024 09:17:14 -0800 Subject: [PATCH 179/186] Increment version to 9.0.0-dev (#2400) --- docs/fields/fields.asciidoc | 2 +- docs/index.asciidoc | 2 +- experimental/generated/beats/fields.ecs.yml | 2 +- experimental/generated/csv/fields.csv | 3574 ++++++++--------- .../composable/component/agent.json | 2 +- .../composable/component/base.json | 2 +- .../composable/component/cgroup.json | 2 +- .../composable/component/client.json | 2 +- .../composable/component/cloud.json | 2 +- .../composable/component/container.json | 2 +- .../composable/component/data_stream.json | 2 +- .../composable/component/destination.json | 2 +- .../composable/component/device.json | 2 +- .../composable/component/dll.json | 2 +- .../composable/component/dns.json | 2 +- .../composable/component/ecs.json | 2 +- .../composable/component/email.json | 2 +- .../composable/component/error.json | 2 +- .../composable/component/event.json | 2 +- .../composable/component/faas.json | 2 +- .../composable/component/file.json | 2 +- .../composable/component/group.json | 2 +- .../composable/component/host.json | 2 +- .../composable/component/http.json | 2 +- .../composable/component/log.json | 2 +- .../composable/component/network.json | 2 +- .../composable/component/observer.json | 2 +- .../composable/component/orchestrator.json | 2 +- .../composable/component/organization.json | 2 +- .../composable/component/package.json | 2 +- .../composable/component/process.json | 2 +- .../composable/component/registry.json | 2 +- .../composable/component/related.json | 2 +- .../composable/component/rule.json | 2 +- .../composable/component/server.json | 2 +- .../composable/component/service.json | 2 +- .../composable/component/source.json | 2 +- .../composable/component/threat.json | 2 +- .../composable/component/tls.json | 2 +- .../composable/component/tracing.json | 2 +- .../composable/component/url.json | 2 +- .../composable/component/user.json | 2 +- 
.../composable/component/user_agent.json | 2 +- .../composable/component/volume.json | 2 +- .../composable/component/vulnerability.json | 2 +- .../elasticsearch/composable/template.json | 84 +- .../elasticsearch/legacy/template.json | 2 +- generated/beats/fields.ecs.yml | 2 +- generated/csv/fields.csv | 3560 ++++++++-------- .../composable/component/agent.json | 2 +- .../composable/component/base.json | 2 +- .../composable/component/client.json | 2 +- .../composable/component/cloud.json | 2 +- .../composable/component/container.json | 2 +- .../composable/component/data_stream.json | 2 +- .../composable/component/destination.json | 2 +- .../composable/component/device.json | 2 +- .../composable/component/dll.json | 2 +- .../composable/component/dns.json | 2 +- .../composable/component/ecs.json | 2 +- .../composable/component/email.json | 2 +- .../composable/component/error.json | 2 +- .../composable/component/event.json | 2 +- .../composable/component/faas.json | 2 +- .../composable/component/file.json | 2 +- .../composable/component/group.json | 2 +- .../composable/component/host.json | 2 +- .../composable/component/http.json | 2 +- .../composable/component/log.json | 2 +- .../composable/component/network.json | 2 +- .../composable/component/observer.json | 2 +- .../composable/component/orchestrator.json | 2 +- .../composable/component/organization.json | 2 +- .../composable/component/package.json | 2 +- .../composable/component/process.json | 2 +- .../composable/component/registry.json | 2 +- .../composable/component/related.json | 2 +- .../composable/component/rule.json | 2 +- .../composable/component/server.json | 2 +- .../composable/component/service.json | 2 +- .../composable/component/source.json | 2 +- .../composable/component/threat.json | 2 +- .../composable/component/tls.json | 2 +- .../composable/component/tracing.json | 2 +- .../composable/component/url.json | 2 +- .../composable/component/user.json | 2 +- .../composable/component/user_agent.json | 2 +- 
.../composable/component/volume.json | 2 +- .../composable/component/vulnerability.json | 2 +- .../elasticsearch/composable/template.json | 82 +- generated/elasticsearch/legacy/template.json | 2 +- version | 2 +- 92 files changed, 3738 insertions(+), 3738 deletions(-) diff --git a/docs/fields/fields.asciidoc b/docs/fields/fields.asciidoc index e8efb3cc75..f99e3d4198 100644 --- a/docs/fields/fields.asciidoc +++ b/docs/fields/fields.asciidoc @@ -1,7 +1,7 @@ [[ecs-field-reference]] == {ecs} Field Reference -This is the documentation of ECS version 8.12.0-dev. +This is the documentation of ECS version 9.0.0-dev. ECS defines multiple groups of related fields. They are called "field sets". The <> field set is the only one whose fields are defined diff --git a/docs/index.asciidoc b/docs/index.asciidoc index 0df56fe128..ce7ae20021 100644 --- a/docs/index.asciidoc +++ b/docs/index.asciidoc @@ -13,7 +13,7 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[] [[ecs-reference]] == Overview -This is the documentation of ECS version 8.12.0-dev. +This is the documentation of ECS version 9.0.0-dev. [float] === What is ECS? diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 932f199061..4edbea7a0b 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -1,5 +1,5 @@ # WARNING! Do not edit this file directly, it was generated by the ECS project, -# based on ECS version 8.12.0-dev+exp. +# based on ECS version 9.0.0-dev+exp. # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields. - key: ecs diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index be5ee33461..2f73b45091 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
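Review bot: the change from `8.12.0-dev` to `9.0.0-dev` in docs/fields/fields.asciidoc and docs/index.asciidoc is a major-version bump, which conventionally signals breaking changes, but neither the commit subject nor these hunks say which schema changes motivate it; the commit message should name them or point at the changelog entry. Style point: the version string is hard-coded in both asciidoc files and in the header comment of every generated artifact, which is why a one-line edit to `version` fans out to 92 files. Consider sourcing the docs string from an asciidoc attribute populated from `version` so that future bumps touch only the generated files.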
@@ -1,1788 +1,1788 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description -8.12.0-dev+exp,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. -8.12.0-dev+exp,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. -8.12.0-dev+exp,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer. -8.12.0-dev+exp,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. -8.12.0-dev+exp,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. -8.12.0-dev+exp,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. -8.12.0-dev+exp,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. -8.12.0-dev+exp,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. -8.12.0-dev+exp,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. -8.12.0-dev+exp,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. -8.12.0-dev+exp,true,cgroup,cgroup.cpu.periods,long,extended,,454839343,Number of period intervals that have elapsed. -8.12.0-dev+exp,true,cgroup,cgroup.cpu.throttled.us,long,extended,,15000,Microseconds of CPU throttled time. -8.12.0-dev+exp,true,cgroup,cgroup.cpu.usage,scaled_float,extended,,,"CPU usage, normalized by the CPU count." -8.12.0-dev+exp,true,cgroup,cgroup.memory.limit,long,extended,,256,Memory limit within the cgroup. -8.12.0-dev+exp,true,cgroup,cgroup.memory.swap.usage,long,extended,,5600,The amount of cgroup memory in swap. 
-8.12.0-dev+exp,true,cgroup,cgroup.memory.usage,long,extended,,25600,Memory usage in bytes -8.12.0-dev+exp,true,cgroup,cgroup.version,long,extended,,,The cgroup version linked to the metrics -8.12.0-dev+exp,true,client,client.address,keyword,extended,,,Client network address. -8.12.0-dev+exp,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.12.0-dev+exp,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.12.0-dev+exp,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.12.0-dev+exp,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. -8.12.0-dev+exp,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client. -8.12.0-dev+exp,true,client,client.geo.city_name,keyword,core,,Montreal,City name. -8.12.0-dev+exp,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. -8.12.0-dev+exp,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. -8.12.0-dev+exp,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.12.0-dev+exp,true,client,client.geo.country_name,keyword,core,,Canada,Country name. -8.12.0-dev+exp,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.12.0-dev+exp,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.12.0-dev+exp,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. -8.12.0-dev+exp,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.12.0-dev+exp,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. -8.12.0-dev+exp,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.12.0-dev+exp,true,client,client.ip,ip,core,,,IP address of the client. 
-8.12.0-dev+exp,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. -8.12.0-dev+exp,true,client,client.nat.ip,ip,extended,,,Client NAT ip address -8.12.0-dev+exp,true,client,client.nat.port,long,extended,,,Client NAT port -8.12.0-dev+exp,true,client,client.packets,long,core,,12,Packets sent from the client to the server. -8.12.0-dev+exp,true,client,client.port,long,core,,,Port of the client. -8.12.0-dev+exp,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." -8.12.0-dev+exp,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. -8.12.0-dev+exp,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.12.0-dev+exp,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.12.0-dev+exp,true,client,client.user.email,keyword,extended,,,User email address. -8.12.0-dev+exp,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev+exp,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev+exp,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.12.0-dev+exp,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,client,client.user.group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.12.0-dev+exp,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. 
-8.12.0-dev+exp,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.12.0-dev+exp,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. -8.12.0-dev+exp,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. -8.12.0-dev+exp,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -8.12.0-dev+exp,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -8.12.0-dev+exp,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. -8.12.0-dev+exp,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.12.0-dev+exp,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. -8.12.0-dev+exp,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. -8.12.0-dev+exp,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -8.12.0-dev+exp,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -8.12.0-dev+exp,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine. -8.12.0-dev+exp,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.12.0-dev+exp,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id. -8.12.0-dev+exp,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name. 
-8.12.0-dev+exp,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider. -8.12.0-dev+exp,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -8.12.0-dev+exp,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name. -8.12.0-dev+exp,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. -8.12.0-dev+exp,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. -8.12.0-dev+exp,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. -8.12.0-dev+exp,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -8.12.0-dev+exp,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. -8.12.0-dev+exp,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id. -8.12.0-dev+exp,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name. -8.12.0-dev+exp,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -8.12.0-dev+exp,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -8.12.0-dev+exp,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine. -8.12.0-dev+exp,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.12.0-dev+exp,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id. -8.12.0-dev+exp,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name. -8.12.0-dev+exp,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider. 
-8.12.0-dev+exp,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -8.12.0-dev+exp,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name. -8.12.0-dev+exp,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -8.12.0-dev+exp,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -8.12.0-dev+exp,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -8.12.0-dev+exp,true,container,container.id,keyword,core,,,Unique container id. -8.12.0-dev+exp,true,container,container.image.hash.all,keyword,extended,array,[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26],An array of digests of the image the container was built on. -8.12.0-dev+exp,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. -8.12.0-dev+exp,true,container,container.image.tag,keyword,extended,array,,Container image tags. -8.12.0-dev+exp,true,container,container.labels,object,extended,,,Image labels. -8.12.0-dev+exp,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1." -8.12.0-dev+exp,true,container,container.name,keyword,extended,,,Container name. -8.12.0-dev+exp,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. -8.12.0-dev+exp,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -8.12.0-dev+exp,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. -8.12.0-dev+exp,true,container,container.security_context.privileged,boolean,extended,,,Indicates whether the container is running in privileged mode. 
-8.12.0-dev+exp,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. -8.12.0-dev+exp,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. -8.12.0-dev+exp,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. -8.12.0-dev+exp,true,destination,destination.address,keyword,extended,,,Destination network address. -8.12.0-dev+exp,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.12.0-dev+exp,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.12.0-dev+exp,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.12.0-dev+exp,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. -8.12.0-dev+exp,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination. -8.12.0-dev+exp,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. -8.12.0-dev+exp,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. -8.12.0-dev+exp,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. -8.12.0-dev+exp,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.12.0-dev+exp,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. -8.12.0-dev+exp,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.12.0-dev+exp,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. 
-8.12.0-dev+exp,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. -8.12.0-dev+exp,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.12.0-dev+exp,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. -8.12.0-dev+exp,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.12.0-dev+exp,true,destination,destination.ip,ip,core,,,IP address of the destination. -8.12.0-dev+exp,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. -8.12.0-dev+exp,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip -8.12.0-dev+exp,true,destination,destination.nat.port,long,extended,,,Destination NAT Port -8.12.0-dev+exp,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. -8.12.0-dev+exp,true,destination,destination.port,long,core,,,Port of the destination. -8.12.0-dev+exp,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." -8.12.0-dev+exp,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. -8.12.0-dev+exp,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.12.0-dev+exp,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.12.0-dev+exp,true,destination,destination.user.email,keyword,extended,,,User email address. -8.12.0-dev+exp,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev+exp,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
-8.12.0-dev+exp,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.12.0-dev+exp,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.12.0-dev+exp,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.12.0-dev+exp,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. -8.12.0-dev+exp,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. -8.12.0-dev+exp,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. -8.12.0-dev+exp,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. -8.12.0-dev+exp,true,device,device.serial_number,keyword,core,,DJGAQS4CW5,Serial Number of the device -8.12.0-dev+exp,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.12.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 
-8.12.0-dev+exp,true,dll,dll.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -8.12.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.12.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.12.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.12.0-dev+exp,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.12.0-dev+exp,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.12.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.12.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.12.0-dev+exp,true,dll,dll.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -8.12.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. -8.12.0-dev+exp,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. -8.12.0-dev+exp,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. -8.12.0-dev+exp,true,dll,dll.hash.sha384,keyword,extended,,,SHA384 hash. -8.12.0-dev+exp,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. -8.12.0-dev+exp,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.12.0-dev+exp,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. -8.12.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. -8.12.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. 
-8.12.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.12.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.12.0-dev+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.12.0-dev+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.12.0-dev+exp,true,dll,dll.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.12.0-dev+exp,true,dll,dll.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev+exp,true,dll,dll.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,dll,dll.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,dll,dll.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.12.0-dev+exp,true,dll,dll.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.12.0-dev+exp,true,dll,dll.pe.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev+exp,true,dll,dll.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,dll,dll.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
-8.12.0-dev+exp,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.12.0-dev+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.12.0-dev+exp,true,dll,dll.pe.sections,nested,extended,array,,Section information of the PE file. -8.12.0-dev+exp,true,dll,dll.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev+exp,true,dll,dll.pe.sections.name,keyword,extended,,,PE Section List name. -8.12.0-dev+exp,true,dll,dll.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.12.0-dev+exp,true,dll,dll.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev+exp,true,dll,dll.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.12.0-dev+exp,true,dns,dns.answers,object,extended,array,,Array of DNS answers. -8.12.0-dev+exp,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. -8.12.0-dev+exp,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. -8.12.0-dev+exp,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. -8.12.0-dev+exp,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. -8.12.0-dev+exp,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. -8.12.0-dev+exp,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. -8.12.0-dev+exp,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. 
-8.12.0-dev+exp,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. -8.12.0-dev+exp,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. -8.12.0-dev+exp,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. -8.12.0-dev+exp,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." -8.12.0-dev+exp,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. -8.12.0-dev+exp,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.12.0-dev+exp,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. -8.12.0-dev+exp,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data -8.12.0-dev+exp,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. -8.12.0-dev+exp,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." -8.12.0-dev+exp,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. -8.12.0-dev+exp,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. -8.12.0-dev+exp,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. -8.12.0-dev+exp,true,email,email.attachments.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -8.12.0-dev+exp,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. -8.12.0-dev+exp,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.12.0-dev+exp,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. 
-8.12.0-dev+exp,true,email,email.attachments.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.12.0-dev+exp,true,email,email.attachments.file.hash.sha512,keyword,extended,,,SHA512 hash. -8.12.0-dev+exp,true,email,email.attachments.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.12.0-dev+exp,true,email,email.attachments.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.12.0-dev+exp,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file. -8.12.0-dev+exp,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file. -8.12.0-dev+exp,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size. -8.12.0-dev+exp,true,email,email.bcc.address,keyword,extended,array,bcc.user1@example.com,Email address of BCC recipient -8.12.0-dev+exp,true,email,email.cc.address,keyword,extended,array,cc.user1@example.com,Email address of CC recipient -8.12.0-dev+exp,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message. -8.12.0-dev+exp,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered. -8.12.0-dev+exp,true,email,email.direction,keyword,extended,,inbound,Direction of the message. -8.12.0-dev+exp,true,email,email.from.address,keyword,extended,array,sender@example.com,The sender's email address. -8.12.0-dev+exp,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source. -8.12.0-dev+exp,true,email,email.message_id,wildcard,extended,,81ce15$8r2j59@mail01.example.com,Value from the Message-ID header. -8.12.0-dev+exp,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed. -8.12.0-dev+exp,true,email,email.reply_to.address,keyword,extended,array,reply.here@example.com,Address replies should be delivered to. 
-8.12.0-dev+exp,true,email,email.sender.address,keyword,extended,,,Address of the message sender. -8.12.0-dev+exp,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message. -8.12.0-dev+exp,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. -8.12.0-dev+exp,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient -8.12.0-dev+exp,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. -8.12.0-dev+exp,true,error,error.code,keyword,core,,,Error code describing the error. -8.12.0-dev+exp,true,error,error.id,keyword,core,,,Unique identifier for the error. -8.12.0-dev+exp,true,error,error.message,match_only_text,core,,,Error message. -8.12.0-dev+exp,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. -8.12.0-dev+exp,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text. -8.12.0-dev+exp,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." -8.12.0-dev+exp,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. -8.12.0-dev+exp,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. -8.12.0-dev+exp,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. -8.12.0-dev+exp,true,event,event.code,keyword,extended,,4648,Identification code for this event. -8.12.0-dev+exp,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. -8.12.0-dev+exp,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. 
-8.12.0-dev+exp,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. -8.12.0-dev+exp,true,event,event.end,date,extended,,,`event.end` contains the date when the event ended or when the activity was last observed. -8.12.0-dev+exp,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. -8.12.0-dev+exp,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. -8.12.0-dev+exp,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. -8.12.0-dev+exp,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. -8.12.0-dev+exp,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. -8.12.0-dev+exp,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. -8.12.0-dev+exp,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. -8.12.0-dev+exp,true,event,event.provider,keyword,extended,,kernel,Source of the event. -8.12.0-dev+exp,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" -8.12.0-dev+exp,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL -8.12.0-dev+exp,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. -8.12.0-dev+exp,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). -8.12.0-dev+exp,true,event,event.sequence,long,extended,,,Sequence number of the event. 
-8.12.0-dev+exp,true,event,event.severity,long,core,,7,Numeric severity of the event. -8.12.0-dev+exp,true,event,event.start,date,extended,,,`event.start` contains the date when the event started or when the activity was first observed. -8.12.0-dev+exp,true,event,event.timezone,keyword,extended,,,Event time zone. -8.12.0-dev+exp,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. -8.12.0-dev+exp,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL -8.12.0-dev+exp,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function. -8.12.0-dev+exp,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. -8.12.0-dev+exp,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. -8.12.0-dev+exp,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. -8.12.0-dev+exp,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." -8.12.0-dev+exp,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. -8.12.0-dev+exp,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. -8.12.0-dev+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed. -8.12.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.12.0-dev+exp,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.12.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 
-8.12.0-dev+exp,true,file,file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -8.12.0-dev+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.12.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.12.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.12.0-dev+exp,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.12.0-dev+exp,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.12.0-dev+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.12.0-dev+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.12.0-dev+exp,true,file,file.created,date,extended,,,File creation time. -8.12.0-dev+exp,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.12.0-dev+exp,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. -8.12.0-dev+exp,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.12.0-dev+exp,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.12.0-dev+exp,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.12.0-dev+exp,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.12.0-dev+exp,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.12.0-dev+exp,true,file,file.elf.creation_date,date,extended,,,Build or compile date. 
-8.12.0-dev+exp,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.12.0-dev+exp,true,file,file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.12.0-dev+exp,true,file,file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev+exp,true,file,file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,file,file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,file,file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev+exp,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.12.0-dev+exp,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.12.0-dev+exp,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.12.0-dev+exp,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.12.0-dev+exp,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.12.0-dev+exp,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.12.0-dev+exp,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.12.0-dev+exp,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.12.0-dev+exp,true,file,file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.12.0-dev+exp,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. 
-8.12.0-dev+exp,true,file,file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,file,file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. -8.12.0-dev+exp,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.12.0-dev+exp,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev+exp,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.12.0-dev+exp,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.12.0-dev+exp,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.12.0-dev+exp,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.12.0-dev+exp,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.12.0-dev+exp,true,file,file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev+exp,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.12.0-dev+exp,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.12.0-dev+exp,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. -8.12.0-dev+exp,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.12.0-dev+exp,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.12.0-dev+exp,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.12.0-dev+exp,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. 
-8.12.0-dev+exp,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.12.0-dev+exp,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.12.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.12.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file. -8.12.0-dev+exp,true,file,file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -8.12.0-dev+exp,true,file,file.hash.md5,keyword,extended,,,MD5 hash. -8.12.0-dev+exp,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. -8.12.0-dev+exp,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. -8.12.0-dev+exp,true,file,file.hash.sha384,keyword,extended,,,SHA384 hash. -8.12.0-dev+exp,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. -8.12.0-dev+exp,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.12.0-dev+exp,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. -8.12.0-dev+exp,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.12.0-dev+exp,true,file,file.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -8.12.0-dev+exp,true,file,file.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev+exp,true,file,file.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,file,file.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,file,file.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
-8.12.0-dev+exp,true,file,file.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -8.12.0-dev+exp,true,file,file.macho.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev+exp,true,file,file.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,file,file.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,file,file.macho.sections,nested,extended,array,,Section information of the Mach-O file. -8.12.0-dev+exp,true,file,file.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev+exp,true,file,file.macho.sections.name,keyword,extended,,,Mach-O Section List name. -8.12.0-dev+exp,true,file,file.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -8.12.0-dev+exp,true,file,file.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev+exp,true,file,file.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -8.12.0-dev+exp,true,file,file.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -8.12.0-dev+exp,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.12.0-dev+exp,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. -8.12.0-dev+exp,true,file,file.mtime,date,extended,,,Last time the file content was modified. -8.12.0-dev+exp,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.12.0-dev+exp,true,file,file.owner,keyword,extended,,alice,File owner's username. 
-8.12.0-dev+exp,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.12.0-dev+exp,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.12.0-dev+exp,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.12.0-dev+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.12.0-dev+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.12.0-dev+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.12.0-dev+exp,true,file,file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.12.0-dev+exp,true,file,file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev+exp,true,file,file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,file,file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,file,file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.12.0-dev+exp,true,file,file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.12.0-dev+exp,true,file,file.pe.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev+exp,true,file,file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
-8.12.0-dev+exp,true,file,file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.12.0-dev+exp,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.12.0-dev+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.12.0-dev+exp,true,file,file.pe.sections,nested,extended,array,,Section information of the PE file. -8.12.0-dev+exp,true,file,file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev+exp,true,file,file.pe.sections.name,keyword,extended,,,PE Section List name. -8.12.0-dev+exp,true,file,file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.12.0-dev+exp,true,file,file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev+exp,true,file,file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.12.0-dev+exp,true,file,file.size,long,extended,,16384,File size in bytes. -8.12.0-dev+exp,true,file,file.target_path,keyword,extended,,,Target path for symlinks. -8.12.0-dev+exp,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.12.0-dev+exp,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -8.12.0-dev+exp,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.12.0-dev+exp,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
-8.12.0-dev+exp,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.12.0-dev+exp,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.12.0-dev+exp,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.12.0-dev+exp,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.12.0-dev+exp,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.12.0-dev+exp,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.12.0-dev+exp,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev+exp,true,file,file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.12.0-dev+exp,true,file,file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.12.0-dev+exp,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.12.0-dev+exp,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.12.0-dev+exp,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.12.0-dev+exp,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. 
-8.12.0-dev+exp,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.12.0-dev+exp,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.12.0-dev+exp,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.12.0-dev+exp,true,file,file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.12.0-dev+exp,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.12.0-dev+exp,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.12.0-dev+exp,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.12.0-dev+exp,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.12.0-dev+exp,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev+exp,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.12.0-dev+exp,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.12.0-dev+exp,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,group,group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. 
-8.12.0-dev+exp,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id -8.12.0-dev+exp,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -8.12.0-dev+exp,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -8.12.0-dev+exp,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -8.12.0-dev+exp,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. -8.12.0-dev+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name. -8.12.0-dev+exp,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. -8.12.0-dev+exp,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. -8.12.0-dev+exp,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.12.0-dev+exp,true,host,host.geo.country_name,keyword,core,,Canada,Country name. -8.12.0-dev+exp,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.12.0-dev+exp,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.12.0-dev+exp,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. -8.12.0-dev+exp,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.12.0-dev+exp,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. -8.12.0-dev+exp,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.12.0-dev+exp,true,host,host.hostname,keyword,core,,,Hostname of the host. -8.12.0-dev+exp,true,host,host.id,keyword,core,,,Unique host id. -8.12.0-dev+exp,true,host,host.ip,ip,core,array,,Host ip addresses. -8.12.0-dev+exp,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. -8.12.0-dev+exp,true,host,host.name,keyword,core,,,Name of the host. 
-8.12.0-dev+exp,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. -8.12.0-dev+exp,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. -8.12.0-dev+exp,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -8.12.0-dev+exp,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. -8.12.0-dev+exp,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.12.0-dev+exp,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.12.0-dev+exp,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.12.0-dev+exp,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -8.12.0-dev+exp,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.12.0-dev+exp,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.12.0-dev+exp,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.12.0-dev+exp,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -8.12.0-dev+exp,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.12.0-dev+exp,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode -8.12.0-dev+exp,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
-8.12.0-dev+exp,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.12.0-dev+exp,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.12.0-dev+exp,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.12.0-dev+exp,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.12.0-dev+exp,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -8.12.0-dev+exp,true,host,host.type,keyword,core,,,Type of host. -8.12.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. -8.12.0-dev+exp,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. -8.12.0-dev+exp,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. -8.12.0-dev+exp,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body. -8.12.0-dev+exp,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). -8.12.0-dev+exp,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. -8.12.0-dev+exp,true,http,http.request.method,keyword,extended,,POST,HTTP request method. -8.12.0-dev+exp,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. -8.12.0-dev+exp,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. 
-8.12.0-dev+exp,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. -8.12.0-dev+exp,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. -8.12.0-dev+exp,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body. -8.12.0-dev+exp,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). -8.12.0-dev+exp,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. -8.12.0-dev+exp,true,http,http.response.status_code,long,extended,,404,HTTP response status code. -8.12.0-dev+exp,true,http,http.version,keyword,extended,,1.1,HTTP version. -8.12.0-dev+exp,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. -8.12.0-dev+exp,true,log,log.level,keyword,core,,error,Log level of the log event. -8.12.0-dev+exp,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. -8.12.0-dev+exp,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event. -8.12.0-dev+exp,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. -8.12.0-dev+exp,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. -8.12.0-dev+exp,true,log,log.syslog,object,extended,,,Syslog metadata -8.12.0-dev+exp,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. -8.12.0-dev+exp,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. -8.12.0-dev+exp,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. -8.12.0-dev+exp,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. 
-8.12.0-dev+exp,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. -8.12.0-dev+exp,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. -8.12.0-dev+exp,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. -8.12.0-dev+exp,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. -8.12.0-dev+exp,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. -8.12.0-dev+exp,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages. -8.12.0-dev+exp,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. -8.12.0-dev+exp,true,network,network.application,keyword,extended,,aim,Application level protocol name. -8.12.0-dev+exp,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. -8.12.0-dev+exp,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. -8.12.0-dev+exp,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. -8.12.0-dev+exp,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. -8.12.0-dev+exp,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. -8.12.0-dev+exp,true,network,network.inner,object,extended,,,Inner VLAN tag information -8.12.0-dev+exp,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.12.0-dev+exp,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.12.0-dev+exp,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. -8.12.0-dev+exp,true,network,network.packets,long,core,,24,Total packets transferred in both directions. 
-8.12.0-dev+exp,true,network,network.protocol,keyword,core,,http,Application protocol name. -8.12.0-dev+exp,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. -8.12.0-dev+exp,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" -8.12.0-dev+exp,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.12.0-dev+exp,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.12.0-dev+exp,true,observer,observer.egress,object,extended,,,Object field for egress information -8.12.0-dev+exp,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias -8.12.0-dev+exp,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID -8.12.0-dev+exp,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name -8.12.0-dev+exp,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.12.0-dev+exp,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.12.0-dev+exp,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone -8.12.0-dev+exp,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. -8.12.0-dev+exp,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. -8.12.0-dev+exp,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. -8.12.0-dev+exp,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.12.0-dev+exp,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. -8.12.0-dev+exp,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
-8.12.0-dev+exp,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.12.0-dev+exp,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. -8.12.0-dev+exp,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.12.0-dev+exp,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. -8.12.0-dev+exp,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.12.0-dev+exp,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. -8.12.0-dev+exp,true,observer,observer.ingress,object,extended,,,Object field for ingress information -8.12.0-dev+exp,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias -8.12.0-dev+exp,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID -8.12.0-dev+exp,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name -8.12.0-dev+exp,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.12.0-dev+exp,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.12.0-dev+exp,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone -8.12.0-dev+exp,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. -8.12.0-dev+exp,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. -8.12.0-dev+exp,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. -8.12.0-dev+exp,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.12.0-dev+exp,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 
-8.12.0-dev+exp,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.12.0-dev+exp,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -8.12.0-dev+exp,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.12.0-dev+exp,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.12.0-dev+exp,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.12.0-dev+exp,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -8.12.0-dev+exp,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.12.0-dev+exp,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. -8.12.0-dev+exp,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. -8.12.0-dev+exp,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. -8.12.0-dev+exp,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. -8.12.0-dev+exp,true,observer,observer.version,keyword,core,,,Observer version. -8.12.0-dev+exp,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action -8.12.0-dev+exp,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster. -8.12.0-dev+exp,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster. -8.12.0-dev+exp,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster. 
-8.12.0-dev+exp,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. -8.12.0-dev+exp,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. -8.12.0-dev+exp,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). -8.12.0-dev+exp,true,orchestrator,orchestrator.resource.annotation,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of annotations added to the resource. -8.12.0-dev+exp,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. -8.12.0-dev+exp,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. -8.12.0-dev+exp,true,orchestrator,orchestrator.resource.label,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of labels added to the resource. -8.12.0-dev+exp,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. -8.12.0-dev+exp,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. -8.12.0-dev+exp,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. -8.12.0-dev+exp,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)." -8.12.0-dev+exp,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. -8.12.0-dev+exp,true,organization,organization.name,keyword,extended,,,Organization name. -8.12.0-dev+exp,true,organization,organization.name.text,match_only_text,extended,,,Organization name. 
-8.12.0-dev+exp,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. -8.12.0-dev+exp,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information -8.12.0-dev+exp,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. -8.12.0-dev+exp,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. -8.12.0-dev+exp,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." -8.12.0-dev+exp,true,package,package.installed,date,extended,,,Time when package was installed. -8.12.0-dev+exp,true,package,package.license,keyword,extended,,Apache License 2.0,Package license -8.12.0-dev+exp,true,package,package.name,keyword,extended,,go,Package name -8.12.0-dev+exp,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. -8.12.0-dev+exp,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL -8.12.0-dev+exp,true,package,package.size,long,extended,,62231,Package size in bytes. -8.12.0-dev+exp,true,package,package.type,keyword,extended,,rpm,Package type -8.12.0-dev+exp,true,package,package.version,keyword,extended,,1.12.9,Package version -8.12.0-dev+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.12.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array. -8.12.0-dev+exp,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.12.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 
-8.12.0-dev+exp,true,process,process.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -8.12.0-dev+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.12.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.12.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.12.0-dev+exp,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.12.0-dev+exp,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.12.0-dev+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.12.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.12.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.12.0-dev+exp,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.12.0-dev+exp,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.12.0-dev+exp,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.12.0-dev+exp,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.12.0-dev+exp,true,process,process.elf.creation_date,date,extended,,,Build or compile date. -8.12.0-dev+exp,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. 
-8.12.0-dev+exp,true,process,process.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.12.0-dev+exp,true,process,process.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev+exp,true,process,process.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,process,process.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,process,process.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev+exp,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.12.0-dev+exp,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.12.0-dev+exp,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.12.0-dev+exp,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.12.0-dev+exp,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.12.0-dev+exp,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.12.0-dev+exp,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.12.0-dev+exp,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. -8.12.0-dev+exp,true,process,process.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.12.0-dev+exp,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. 
-8.12.0-dev+exp,true,process,process.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,process,process.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. -8.12.0-dev+exp,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.12.0-dev+exp,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev+exp,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.12.0-dev+exp,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. -8.12.0-dev+exp,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.12.0-dev+exp,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.12.0-dev+exp,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. -8.12.0-dev+exp,true,process,process.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev+exp,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.12.0-dev+exp,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.12.0-dev+exp,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. -8.12.0-dev+exp,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.12.0-dev+exp,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. -8.12.0-dev+exp,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. 
-8.12.0-dev+exp,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.12.0-dev+exp,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -8.12.0-dev+exp,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev+exp,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.12.0-dev+exp,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. -8.12.0-dev+exp,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.entry_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.12.0-dev+exp,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.12.0-dev+exp,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev+exp,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. -8.12.0-dev+exp,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. -8.12.0-dev+exp,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 
-8.12.0-dev+exp,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev+exp,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.12.0-dev+exp,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. -8.12.0-dev+exp,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. -8.12.0-dev+exp,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev+exp,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. -8.12.0-dev+exp,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev+exp,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. -8.12.0-dev+exp,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev+exp,true,process,process.entry_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. -8.12.0-dev+exp,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev+exp,true,process,process.entry_leader.parent.vpid,long,core,,4242,Virtual process id. -8.12.0-dev+exp,true,process,process.entry_leader.pid,long,core,,4242,Process id. -8.12.0-dev+exp,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-8.12.0-dev+exp,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -8.12.0-dev+exp,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev+exp,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. -8.12.0-dev+exp,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. 
-8.12.0-dev+exp,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.12.0-dev+exp,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.entry_leader.vpid,long,core,,4242,Virtual process id. -8.12.0-dev+exp,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.12.0-dev+exp,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.12.0-dev+exp,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. -8.12.0-dev+exp,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev+exp,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process. -8.12.0-dev+exp,true,process,process.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.12.0-dev+exp,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. 
-8.12.0-dev+exp,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.12.0-dev+exp,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.12.0-dev+exp,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev+exp,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev+exp,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev+exp,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.12.0-dev+exp,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. -8.12.0-dev+exp,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. -8.12.0-dev+exp,true,process,process.group_leader.pid,long,core,,4242,Process id. -8.12.0-dev+exp,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. 
-8.12.0-dev+exp,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -8.12.0-dev+exp,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev+exp,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. -8.12.0-dev+exp,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.12.0-dev+exp,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.12.0-dev+exp,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
-8.12.0-dev+exp,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.group_leader.vpid,long,core,,4242,Virtual process id. -8.12.0-dev+exp,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.12.0-dev+exp,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.12.0-dev+exp,true,process,process.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -8.12.0-dev+exp,true,process,process.hash.md5,keyword,extended,,,MD5 hash. -8.12.0-dev+exp,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. -8.12.0-dev+exp,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. -8.12.0-dev+exp,true,process,process.hash.sha384,keyword,extended,,,SHA384 hash. -8.12.0-dev+exp,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. -8.12.0-dev+exp,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.12.0-dev+exp,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. -8.12.0-dev+exp,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.12.0-dev+exp,true,process,process.io,object,extended,,,A chunk of input or output (IO) from a single process. -8.12.0-dev+exp,true,process,process.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. -8.12.0-dev+exp,true,process,process.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. 
-8.12.0-dev+exp,true,process,process.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. -8.12.0-dev+exp,true,process,process.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." -8.12.0-dev+exp,true,process,process.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. -8.12.0-dev+exp,true,process,process.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. -8.12.0-dev+exp,true,process,process.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. -8.12.0-dev+exp,true,process,process.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. -8.12.0-dev+exp,true,process,process.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -8.12.0-dev+exp,true,process,process.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev+exp,true,process,process.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,process,process.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,process,process.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev+exp,true,process,process.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -8.12.0-dev+exp,true,process,process.macho.imports,flattened,extended,array,,List of imported element names and types. 
-8.12.0-dev+exp,true,process,process.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,process,process.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,process,process.macho.sections,nested,extended,array,,Section information of the Mach-O file. -8.12.0-dev+exp,true,process,process.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev+exp,true,process,process.macho.sections.name,keyword,extended,,,Mach-O Section List name. -8.12.0-dev+exp,true,process,process.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -8.12.0-dev+exp,true,process,process.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev+exp,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -8.12.0-dev+exp,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -8.12.0-dev+exp,true,process,process.name,keyword,extended,,ssh,Process name. -8.12.0-dev+exp,true,process,process.name.text,match_only_text,extended,,ssh,Process name. -8.12.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.12.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. -8.12.0-dev+exp,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.12.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 
-8.12.0-dev+exp,true,process,process.parent.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -8.12.0-dev+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.12.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.12.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.12.0-dev+exp,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.12.0-dev+exp,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.12.0-dev+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.12.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.12.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.12.0-dev+exp,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.12.0-dev+exp,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.12.0-dev+exp,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.12.0-dev+exp,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.12.0-dev+exp,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. 
-8.12.0-dev+exp,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. -8.12.0-dev+exp,true,process,process.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.12.0-dev+exp,true,process,process.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev+exp,true,process,process.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,process,process.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,process,process.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev+exp,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.12.0-dev+exp,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.12.0-dev+exp,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.12.0-dev+exp,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.12.0-dev+exp,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.12.0-dev+exp,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.12.0-dev+exp,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.12.0-dev+exp,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. -8.12.0-dev+exp,true,process,process.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. 
-8.12.0-dev+exp,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev+exp,true,process,process.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,process,process.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. -8.12.0-dev+exp,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.12.0-dev+exp,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev+exp,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.12.0-dev+exp,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. -8.12.0-dev+exp,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.12.0-dev+exp,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.12.0-dev+exp,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. -8.12.0-dev+exp,true,process,process.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev+exp,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.12.0-dev+exp,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.12.0-dev+exp,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. -8.12.0-dev+exp,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. 
-8.12.0-dev+exp,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. -8.12.0-dev+exp,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.12.0-dev+exp,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.12.0-dev+exp,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -8.12.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev+exp,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev+exp,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev+exp,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. -8.12.0-dev+exp,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.parent.group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev+exp,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. -8.12.0-dev+exp,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev+exp,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id. -8.12.0-dev+exp,true,process,process.parent.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -8.12.0-dev+exp,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. -8.12.0-dev+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. 
-8.12.0-dev+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. -8.12.0-dev+exp,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash. -8.12.0-dev+exp,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. -8.12.0-dev+exp,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.12.0-dev+exp,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. -8.12.0-dev+exp,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.12.0-dev+exp,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -8.12.0-dev+exp,true,process,process.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev+exp,true,process,process.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,process,process.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,process,process.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev+exp,true,process,process.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -8.12.0-dev+exp,true,process,process.parent.macho.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev+exp,true,process,process.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,process,process.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
-8.12.0-dev+exp,true,process,process.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file. -8.12.0-dev+exp,true,process,process.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev+exp,true,process,process.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name. -8.12.0-dev+exp,true,process,process.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -8.12.0-dev+exp,true,process,process.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev+exp,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -8.12.0-dev+exp,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -8.12.0-dev+exp,true,process,process.parent.name,keyword,extended,,ssh,Process name. -8.12.0-dev+exp,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. -8.12.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.12.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.12.0-dev+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.12.0-dev+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.12.0-dev+exp,true,process,process.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.12.0-dev+exp,true,process,process.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. 
-8.12.0-dev+exp,true,process,process.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,process,process.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,process,process.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.12.0-dev+exp,true,process,process.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.12.0-dev+exp,true,process,process.parent.pe.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev+exp,true,process,process.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,process,process.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.12.0-dev+exp,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.12.0-dev+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.12.0-dev+exp,true,process,process.parent.pe.sections,nested,extended,array,,Section information of the PE file. -8.12.0-dev+exp,true,process,process.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. 
-8.12.0-dev+exp,true,process,process.parent.pe.sections.name,keyword,extended,,,PE Section List name. -8.12.0-dev+exp,true,process,process.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.12.0-dev+exp,true,process,process.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev+exp,true,process,process.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.12.0-dev+exp,true,process,process.parent.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. -8.12.0-dev+exp,true,process,process.parent.pid,long,core,,4242,Process id. -8.12.0-dev+exp,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
-8.12.0-dev+exp,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev+exp,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.parent.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. -8.12.0-dev+exp,true,process,process.parent.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. -8.12.0-dev+exp,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. -8.12.0-dev+exp,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. -8.12.0-dev+exp,true,process,process.parent.title,keyword,extended,,,Process title. -8.12.0-dev+exp,true,process,process.parent.title.text,match_only_text,extended,,,Process title. -8.12.0-dev+exp,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. -8.12.0-dev+exp,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.12.0-dev+exp,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.12.0-dev+exp,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. -8.12.0-dev+exp,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
-8.12.0-dev+exp,true,process,process.parent.vpid,long,core,,4242,Virtual process id. -8.12.0-dev+exp,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.12.0-dev+exp,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.12.0-dev+exp,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.12.0-dev+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.12.0-dev+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.12.0-dev+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.12.0-dev+exp,true,process,process.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.12.0-dev+exp,true,process,process.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev+exp,true,process,process.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,process,process.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,process,process.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.12.0-dev+exp,true,process,process.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.12.0-dev+exp,true,process,process.pe.imports,flattened,extended,array,,List of imported element names and types. 
-8.12.0-dev+exp,true,process,process.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,process,process.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.12.0-dev+exp,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.12.0-dev+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.12.0-dev+exp,true,process,process.pe.sections,nested,extended,array,,Section information of the PE file. -8.12.0-dev+exp,true,process,process.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev+exp,true,process,process.pe.sections.name,keyword,extended,,,PE Section List name. -8.12.0-dev+exp,true,process,process.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.12.0-dev+exp,true,process,process.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev+exp,true,process,process.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.12.0-dev+exp,true,process,process.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. -8.12.0-dev+exp,true,process,process.pid,long,core,,4242,Process id. -8.12.0-dev+exp,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.12.0-dev+exp,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. 
-8.12.0-dev+exp,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev+exp,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev+exp,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.real_group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.saved_group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.12.0-dev+exp,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array. -8.12.0-dev+exp,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
-8.12.0-dev+exp,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.12.0-dev+exp,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev+exp,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev+exp,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev+exp,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.12.0-dev+exp,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. -8.12.0-dev+exp,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. -8.12.0-dev+exp,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev+exp,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. -8.12.0-dev+exp,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev+exp,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. -8.12.0-dev+exp,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev+exp,true,process,process.session_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. 
-8.12.0-dev+exp,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev+exp,true,process,process.session_leader.parent.vpid,long,core,,4242,Virtual process id. -8.12.0-dev+exp,true,process,process.session_leader.pid,long,core,,4242,Process id. -8.12.0-dev+exp,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -8.12.0-dev+exp,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 
-8.12.0-dev+exp,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. -8.12.0-dev+exp,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.12.0-dev+exp,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.12.0-dev+exp,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.session_leader.vpid,long,core,,4242,Virtual process id. -8.12.0-dev+exp,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.12.0-dev+exp,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.12.0-dev+exp,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev+exp,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. 
-8.12.0-dev+exp,true,process,process.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. -8.12.0-dev+exp,true,process,process.thread.id,long,extended,,4242,Thread ID. -8.12.0-dev+exp,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. -8.12.0-dev+exp,true,process,process.title,keyword,extended,,,Process title. -8.12.0-dev+exp,true,process,process.title.text,match_only_text,extended,,,Process title. -8.12.0-dev+exp,true,process,process.tty,object,extended,,,Information about the controlling TTY device. -8.12.0-dev+exp,true,process,process.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.12.0-dev+exp,true,process,process.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.12.0-dev+exp,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width -8.12.0-dev+exp,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height -8.12.0-dev+exp,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. -8.12.0-dev+exp,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.vpid,long,core,,4242,Virtual process id. -8.12.0-dev+exp,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.12.0-dev+exp,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. 
-8.12.0-dev+exp,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.12.0-dev+exp,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -8.12.0-dev+exp,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.12.0-dev+exp,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.12.0-dev+exp,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -8.12.0-dev+exp,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.12.0-dev+exp,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. -8.12.0-dev+exp,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. -8.12.0-dev+exp,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. -8.12.0-dev+exp,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. -8.12.0-dev+exp,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. 
-8.12.0-dev+exp,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author -8.12.0-dev+exp,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category -8.12.0-dev+exp,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description -8.12.0-dev+exp,true,rule,rule.id,keyword,extended,,101,Rule ID -8.12.0-dev+exp,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license -8.12.0-dev+exp,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name -8.12.0-dev+exp,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL -8.12.0-dev+exp,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset -8.12.0-dev+exp,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID -8.12.0-dev+exp,true,rule,rule.version,keyword,extended,,1.1,Rule version -8.12.0-dev+exp,true,server,server.address,keyword,extended,,,Server network address. -8.12.0-dev+exp,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.12.0-dev+exp,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.12.0-dev+exp,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.12.0-dev+exp,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. -8.12.0-dev+exp,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server. -8.12.0-dev+exp,true,server,server.geo.city_name,keyword,core,,Montreal,City name. -8.12.0-dev+exp,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. -8.12.0-dev+exp,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. -8.12.0-dev+exp,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.12.0-dev+exp,true,server,server.geo.country_name,keyword,core,,Canada,Country name. 
-8.12.0-dev+exp,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.12.0-dev+exp,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.12.0-dev+exp,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. -8.12.0-dev+exp,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.12.0-dev+exp,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. -8.12.0-dev+exp,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.12.0-dev+exp,true,server,server.ip,ip,core,,,IP address of the server. -8.12.0-dev+exp,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. -8.12.0-dev+exp,true,server,server.nat.ip,ip,extended,,,Server NAT ip -8.12.0-dev+exp,true,server,server.nat.port,long,extended,,,Server NAT port -8.12.0-dev+exp,true,server,server.packets,long,core,,12,Packets sent from the server to the client. -8.12.0-dev+exp,true,server,server.port,long,core,,,Port of the server. -8.12.0-dev+exp,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." -8.12.0-dev+exp,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. -8.12.0-dev+exp,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.12.0-dev+exp,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.12.0-dev+exp,true,server,server.user.email,keyword,extended,,,User email address. -8.12.0-dev+exp,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev+exp,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
-8.12.0-dev+exp,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.12.0-dev+exp,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,server,server.user.group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.12.0-dev+exp,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.12.0-dev+exp,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.12.0-dev+exp,true,service,service.environment,keyword,extended,,production,Environment of the service. -8.12.0-dev+exp,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.12.0-dev+exp,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.12.0-dev+exp,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. -8.12.0-dev+exp,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.12.0-dev+exp,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.12.0-dev+exp,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. 
-8.12.0-dev+exp,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.12.0-dev+exp,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. -8.12.0-dev+exp,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.12.0-dev+exp,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.12.0-dev+exp,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. -8.12.0-dev+exp,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.12.0-dev+exp,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.12.0-dev+exp,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -8.12.0-dev+exp,true,service,service.origin.state,keyword,core,,,Current state of the service. -8.12.0-dev+exp,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. -8.12.0-dev+exp,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. -8.12.0-dev+exp,true,service,service.state,keyword,core,,,Current state of the service. -8.12.0-dev+exp,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.12.0-dev+exp,true,service,service.target.environment,keyword,extended,,production,Environment of the service. -8.12.0-dev+exp,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.12.0-dev+exp,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.12.0-dev+exp,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. 
-8.12.0-dev+exp,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.12.0-dev+exp,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.12.0-dev+exp,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -8.12.0-dev+exp,true,service,service.target.state,keyword,core,,,Current state of the service. -8.12.0-dev+exp,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. -8.12.0-dev+exp,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. -8.12.0-dev+exp,true,service,service.type,keyword,core,,elasticsearch,The type of the service. -8.12.0-dev+exp,true,service,service.version,keyword,core,,3.2.4,Version of the service. -8.12.0-dev+exp,true,source,source.address,keyword,extended,,,Source network address. -8.12.0-dev+exp,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.12.0-dev+exp,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.12.0-dev+exp,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.12.0-dev+exp,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. -8.12.0-dev+exp,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source. -8.12.0-dev+exp,true,source,source.geo.city_name,keyword,core,,Montreal,City name. -8.12.0-dev+exp,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. -8.12.0-dev+exp,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. -8.12.0-dev+exp,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.12.0-dev+exp,true,source,source.geo.country_name,keyword,core,,Canada,Country name. 
-8.12.0-dev+exp,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.12.0-dev+exp,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.12.0-dev+exp,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. -8.12.0-dev+exp,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.12.0-dev+exp,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. -8.12.0-dev+exp,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.12.0-dev+exp,true,source,source.ip,ip,core,,,IP address of the source. -8.12.0-dev+exp,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. -8.12.0-dev+exp,true,source,source.nat.ip,ip,extended,,,Source NAT ip -8.12.0-dev+exp,true,source,source.nat.port,long,extended,,,Source NAT port -8.12.0-dev+exp,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. -8.12.0-dev+exp,true,source,source.port,long,core,,,Port of the source. -8.12.0-dev+exp,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -8.12.0-dev+exp,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. -8.12.0-dev+exp,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.12.0-dev+exp,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.12.0-dev+exp,true,source,source.user.email,keyword,extended,,,User email address. -8.12.0-dev+exp,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev+exp,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
-8.12.0-dev+exp,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.12.0-dev+exp,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,source,source.user.group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.12.0-dev+exp,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.12.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. -8.12.0-dev+exp,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. 
-8.12.0-dev+exp,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 
-8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. 
-8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. 
-8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. 
-8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. 
-8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 
-8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
-8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. 
-8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. 
-8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.12.0-dev+exp,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. 
-8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 
-8.12.0-dev+exp,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.name,keyword,extended,,5.2.75.227,Indicator display name -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. 
-8.12.0-dev+exp,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. 
-8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
-8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.12.0-dev+exp,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. 
-8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. 
-8.12.0-dev+exp,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value -8.12.0-dev+exp,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field -8.12.0-dev+exp,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier -8.12.0-dev+exp,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index -8.12.0-dev+exp,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05T17:00:58.326Z,Date of match -8.12.0-dev+exp,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match -8.12.0-dev+exp,true,threat,threat.feed.dashboard_id,keyword,extended,,5ba16340-72e6-11eb-a3e3-b3cc7c78a70f,Feed dashboard ID. -8.12.0-dev+exp,true,threat,threat.feed.description,keyword,extended,,Threat feed from the AlienVault Open Threat eXchange network.,Description of the threat feed. -8.12.0-dev+exp,true,threat,threat.feed.name,keyword,extended,,AlienVault OTX,Name of the threat feed. -8.12.0-dev+exp,true,threat,threat.feed.reference,keyword,extended,,https://otx.alienvault.com,Reference for the threat feed. -8.12.0-dev+exp,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. -8.12.0-dev+exp,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. -8.12.0-dev+exp,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. -8.12.0-dev+exp,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. -8.12.0-dev+exp,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. -8.12.0-dev+exp,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. 
-8.12.0-dev+exp,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.12.0-dev+exp,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.12.0-dev+exp,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating -8.12.0-dev+exp,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -8.12.0-dev+exp,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address -8.12.0-dev+exp,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. -8.12.0-dev+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 
-8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.12.0-dev+exp,true,threat,threat.indicator.file.created,date,extended,,,File creation time. -8.12.0-dev+exp,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.12.0-dev+exp,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. -8.12.0-dev+exp,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.12.0-dev+exp,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. 
-8.12.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
-8.12.0-dev+exp,true,threat,threat.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. 
-8.12.0-dev+exp,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.12.0-dev+exp,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.12.0-dev+exp,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.12.0-dev+exp,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.12.0-dev+exp,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. -8.12.0-dev+exp,true,threat,threat.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -8.12.0-dev+exp,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. -8.12.0-dev+exp,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.12.0-dev+exp,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.12.0-dev+exp,true,threat,threat.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.12.0-dev+exp,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. -8.12.0-dev+exp,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.12.0-dev+exp,true,threat,threat.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.12.0-dev+exp,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.12.0-dev+exp,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.12.0-dev+exp,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. 
-8.12.0-dev+exp,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. -8.12.0-dev+exp,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.12.0-dev+exp,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. -8.12.0-dev+exp,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.12.0-dev+exp,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
-8.12.0-dev+exp,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 
-8.12.0-dev+exp,true,threat,threat.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.12.0-dev+exp,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. -8.12.0-dev+exp,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. -8.12.0-dev+exp,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.12.0-dev+exp,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -8.12.0-dev+exp,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-8.12.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.12.0-dev+exp,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-8.12.0-dev+exp,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.12.0-dev+exp,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. -8.12.0-dev+exp,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. -8.12.0-dev+exp,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. -8.12.0-dev+exp,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. -8.12.0-dev+exp,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.12.0-dev+exp,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. -8.12.0-dev+exp,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.12.0-dev+exp,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.12.0-dev+exp,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. -8.12.0-dev+exp,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.12.0-dev+exp,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. 
-8.12.0-dev+exp,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.12.0-dev+exp,true,threat,threat.indicator.id,keyword,extended,array,[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37],ID of the indicator -8.12.0-dev+exp,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address -8.12.0-dev+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. -8.12.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking -8.12.0-dev+exp,true,threat,threat.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version -8.12.0-dev+exp,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. -8.12.0-dev+exp,true,threat,threat.indicator.name,keyword,extended,,5.2.75.227,Indicator display name -8.12.0-dev+exp,true,threat,threat.indicator.port,long,extended,,443,Indicator port -8.12.0-dev+exp,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider -8.12.0-dev+exp,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL -8.12.0-dev+exp,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.12.0-dev+exp,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -8.12.0-dev+exp,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.12.0-dev+exp,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. 
-8.12.0-dev+exp,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -8.12.0-dev+exp,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.12.0-dev+exp,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. -8.12.0-dev+exp,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics -8.12.0-dev+exp,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed -8.12.0-dev+exp,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator -8.12.0-dev+exp,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.12.0-dev+exp,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -8.12.0-dev+exp,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.12.0-dev+exp,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.12.0-dev+exp,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.12.0-dev+exp,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.12.0-dev+exp,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. 
-8.12.0-dev+exp,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. -8.12.0-dev+exp,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.12.0-dev+exp,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." -8.12.0-dev+exp,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. -8.12.0-dev+exp,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.12.0-dev+exp,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. -8.12.0-dev+exp,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.12.0-dev+exp,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.12.0-dev+exp,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. -8.12.0-dev+exp,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.12.0-dev+exp,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.12.0-dev+exp,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.12.0-dev+exp,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
-8.12.0-dev+exp,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.12.0-dev+exp,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.12.0-dev+exp,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.12.0-dev+exp,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev+exp,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.12.0-dev+exp,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.12.0-dev+exp,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.12.0-dev+exp,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.12.0-dev+exp,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.12.0-dev+exp,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.12.0-dev+exp,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.12.0-dev+exp,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. 
-8.12.0-dev+exp,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.12.0-dev+exp,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.12.0-dev+exp,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.12.0-dev+exp,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.12.0-dev+exp,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.12.0-dev+exp,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.12.0-dev+exp,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev+exp,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. -8.12.0-dev+exp,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software -8.12.0-dev+exp,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software -8.12.0-dev+exp,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. -8.12.0-dev+exp,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. -8.12.0-dev+exp,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. -8.12.0-dev+exp,true,threat,threat.software.type,keyword,extended,,Tool,Software type. -8.12.0-dev+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. 
-8.12.0-dev+exp,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. -8.12.0-dev+exp,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. -8.12.0-dev+exp,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. -8.12.0-dev+exp,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. -8.12.0-dev+exp,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name. -8.12.0-dev+exp,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. -8.12.0-dev+exp,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. -8.12.0-dev+exp,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. -8.12.0-dev+exp,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name. -8.12.0-dev+exp,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. -8.12.0-dev+exp,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. -8.12.0-dev+exp,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. -8.12.0-dev+exp,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. -8.12.0-dev+exp,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. 
-8.12.0-dev+exp,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. -8.12.0-dev+exp,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. -8.12.0-dev+exp,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. -8.12.0-dev+exp,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. -8.12.0-dev+exp,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. -8.12.0-dev+exp,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. -8.12.0-dev+exp,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. -8.12.0-dev+exp,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. -8.12.0-dev+exp,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. -8.12.0-dev+exp,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
-8.12.0-dev+exp,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.12.0-dev+exp,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.12.0-dev+exp,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.12.0-dev+exp,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.12.0-dev+exp,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.12.0-dev+exp,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.12.0-dev+exp,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev+exp,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.12.0-dev+exp,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.12.0-dev+exp,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.12.0-dev+exp,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.12.0-dev+exp,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.12.0-dev+exp,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. 
-8.12.0-dev+exp,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.12.0-dev+exp,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.12.0-dev+exp,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.12.0-dev+exp,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.12.0-dev+exp,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.12.0-dev+exp,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.12.0-dev+exp,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.12.0-dev+exp,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.12.0-dev+exp,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev+exp,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. -8.12.0-dev+exp,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." -8.12.0-dev+exp,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. -8.12.0-dev+exp,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. -8.12.0-dev+exp,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. 
-8.12.0-dev+exp,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. -8.12.0-dev+exp,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. -8.12.0-dev+exp,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. -8.12.0-dev+exp,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. -8.12.0-dev+exp,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. -8.12.0-dev+exp,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. -8.12.0-dev+exp,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. -8.12.0-dev+exp,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. -8.12.0-dev+exp,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. -8.12.0-dev+exp,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. -8.12.0-dev+exp,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
-8.12.0-dev+exp,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.12.0-dev+exp,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.12.0-dev+exp,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.12.0-dev+exp,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.12.0-dev+exp,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.12.0-dev+exp,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.12.0-dev+exp,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev+exp,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.12.0-dev+exp,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.12.0-dev+exp,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.12.0-dev+exp,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.12.0-dev+exp,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.12.0-dev+exp,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. 
-8.12.0-dev+exp,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.12.0-dev+exp,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.12.0-dev+exp,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.12.0-dev+exp,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.12.0-dev+exp,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.12.0-dev+exp,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.12.0-dev+exp,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.12.0-dev+exp,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.12.0-dev+exp,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev+exp,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. -8.12.0-dev+exp,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. -8.12.0-dev+exp,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. -8.12.0-dev+exp,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. -8.12.0-dev+exp,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. 
-8.12.0-dev+exp,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.12.0-dev+exp,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -8.12.0-dev+exp,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.12.0-dev+exp,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.12.0-dev+exp,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.12.0-dev+exp,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.12.0-dev+exp,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.12.0-dev+exp,true,url,url.password,keyword,extended,,,Password of the request. -8.12.0-dev+exp,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.12.0-dev+exp,true,url,url.port,long,extended,,443,"Port of the request, such as 443." -8.12.0-dev+exp,true,url,url.query,keyword,extended,,,Query string of the request. -8.12.0-dev+exp,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.12.0-dev+exp,true,url,url.scheme,keyword,extended,,https,Scheme of the url. -8.12.0-dev+exp,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.12.0-dev+exp,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.12.0-dev+exp,true,url,url.username,keyword,extended,,,Username of the request. -8.12.0-dev+exp,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. 
-8.12.0-dev+exp,true,user,user.changes.email,keyword,extended,,,User email address. -8.12.0-dev+exp,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev+exp,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev+exp,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.12.0-dev+exp,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,user,user.changes.group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.12.0-dev+exp,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.12.0-dev+exp,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.12.0-dev+exp,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. -8.12.0-dev+exp,true,user,user.effective.email,keyword,extended,,,User email address. -8.12.0-dev+exp,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev+exp,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev+exp,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-8.12.0-dev+exp,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,user,user.effective.group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.12.0-dev+exp,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.12.0-dev+exp,true,user,user.email,keyword,extended,,,User email address. -8.12.0-dev+exp,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev+exp,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev+exp,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.12.0-dev+exp,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,user,user.group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.12.0-dev+exp,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
-8.12.0-dev+exp,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.12.0-dev+exp,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.12.0-dev+exp,true,user,user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.12.0-dev+exp,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.12.0-dev+exp,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.12.0-dev+exp,true,user,user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -8.12.0-dev+exp,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.12.0-dev+exp,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. -8.12.0-dev+exp,true,user,user.target.email,keyword,extended,,,User email address. -8.12.0-dev+exp,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev+exp,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev+exp,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.12.0-dev+exp,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,user,user.target.group.name,keyword,extended,,,Name of the group. 
-8.12.0-dev+exp,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.12.0-dev+exp,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.12.0-dev+exp,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. -8.12.0-dev+exp,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. -8.12.0-dev+exp,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -8.12.0-dev+exp,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -8.12.0-dev+exp,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.12.0-dev+exp,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.12.0-dev+exp,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.12.0-dev+exp,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. 
-8.12.0-dev+exp,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.12.0-dev+exp,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.12.0-dev+exp,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.12.0-dev+exp,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -8.12.0-dev+exp,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.12.0-dev+exp,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. -8.12.0-dev+exp,true,volume,volume.bus_type,keyword,extended,,FileBackedVirtual,Bus type of the device. -8.12.0-dev+exp,true,volume,volume.default_access,keyword,extended,,,Bus type of the device. -8.12.0-dev+exp,true,volume,volume.device_name,keyword,extended,,,Device name of the volume. -8.12.0-dev+exp,true,volume,volume.device_type,keyword,extended,,CD-ROM File System,Volume device type. -8.12.0-dev+exp,true,volume,volume.dos_name,keyword,extended,,E:,DOS name of the device. -8.12.0-dev+exp,true,volume,volume.file_system_type,keyword,extended,,,Volume device file system type. -8.12.0-dev+exp,true,volume,volume.mount_name,keyword,extended,,,Mount name of the volume. -8.12.0-dev+exp,true,volume,volume.nt_name,keyword,extended,,\Device\Cdrom1,NT name of the device. -8.12.0-dev+exp,true,volume,volume.product_id,keyword,extended,,,ProductID of the device. -8.12.0-dev+exp,true,volume,volume.product_name,keyword,extended,,Virtual DVD-ROM,Produce name of the volume. -8.12.0-dev+exp,true,volume,volume.removable,boolean,extended,,,Indicates if the volume is removable. -8.12.0-dev+exp,true,volume,volume.serial_number,keyword,extended,,,Serial number of the device. 
-8.12.0-dev+exp,true,volume,volume.size,long,extended,,,Size of the volume device in bytes. -8.12.0-dev+exp,true,volume,volume.vendor_id,keyword,extended,,,VendorID of the device. -8.12.0-dev+exp,true,volume,volume.vendor_name,keyword,extended,,Msft,Vendor name of the device. -8.12.0-dev+exp,true,volume,volume.writable,boolean,extended,,,Indicates if the volume is writable. -8.12.0-dev+exp,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. -8.12.0-dev+exp,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. -8.12.0-dev+exp,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -8.12.0-dev+exp,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -8.12.0-dev+exp,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. -8.12.0-dev+exp,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. -8.12.0-dev+exp,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. -8.12.0-dev+exp,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. -8.12.0-dev+exp,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. -8.12.0-dev+exp,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. -8.12.0-dev+exp,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. -8.12.0-dev+exp,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. 
-8.12.0-dev+exp,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. -8.12.0-dev+exp,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. +9.0.0-dev+exp,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. +9.0.0-dev+exp,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. +9.0.0-dev+exp,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer. +9.0.0-dev+exp,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. +9.0.0-dev+exp,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. +9.0.0-dev+exp,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. +9.0.0-dev+exp,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. +9.0.0-dev+exp,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. +9.0.0-dev+exp,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. +9.0.0-dev+exp,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. +9.0.0-dev+exp,true,cgroup,cgroup.cpu.periods,long,extended,,454839343,Number of period intervals that have elapsed. +9.0.0-dev+exp,true,cgroup,cgroup.cpu.throttled.us,long,extended,,15000,Microseconds of CPU throttled time. +9.0.0-dev+exp,true,cgroup,cgroup.cpu.usage,scaled_float,extended,,,"CPU usage, normalized by the CPU count." +9.0.0-dev+exp,true,cgroup,cgroup.memory.limit,long,extended,,256,Memory limit within the cgroup. +9.0.0-dev+exp,true,cgroup,cgroup.memory.swap.usage,long,extended,,5600,The amount of cgroup memory in swap. 
+9.0.0-dev+exp,true,cgroup,cgroup.memory.usage,long,extended,,25600,Memory usage in bytes +9.0.0-dev+exp,true,cgroup,cgroup.version,long,extended,,,The cgroup version linked to the metrics +9.0.0-dev+exp,true,client,client.address,keyword,extended,,,Client network address. +9.0.0-dev+exp,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.0.0-dev+exp,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.0.0-dev+exp,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.0.0-dev+exp,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. +9.0.0-dev+exp,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client. +9.0.0-dev+exp,true,client,client.geo.city_name,keyword,core,,Montreal,City name. +9.0.0-dev+exp,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. +9.0.0-dev+exp,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. +9.0.0-dev+exp,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.0.0-dev+exp,true,client,client.geo.country_name,keyword,core,,Canada,Country name. +9.0.0-dev+exp,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.0.0-dev+exp,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.0.0-dev+exp,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. +9.0.0-dev+exp,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.0.0-dev+exp,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. +9.0.0-dev+exp,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.0.0-dev+exp,true,client,client.ip,ip,core,,,IP address of the client. 
+9.0.0-dev+exp,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. +9.0.0-dev+exp,true,client,client.nat.ip,ip,extended,,,Client NAT ip address +9.0.0-dev+exp,true,client,client.nat.port,long,extended,,,Client NAT port +9.0.0-dev+exp,true,client,client.packets,long,core,,12,Packets sent from the client to the server. +9.0.0-dev+exp,true,client,client.port,long,core,,,Port of the client. +9.0.0-dev+exp,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." +9.0.0-dev+exp,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. +9.0.0-dev+exp,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.0.0-dev+exp,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.0.0-dev+exp,true,client,client.user.email,keyword,extended,,,User email address. +9.0.0-dev+exp,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev+exp,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev+exp,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.0.0-dev+exp,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,client,client.user.group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.0.0-dev+exp,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. 
+9.0.0-dev+exp,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.0.0-dev+exp,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. +9.0.0-dev+exp,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. +9.0.0-dev+exp,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +9.0.0-dev+exp,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +9.0.0-dev+exp,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. +9.0.0-dev+exp,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +9.0.0-dev+exp,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. +9.0.0-dev+exp,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. +9.0.0-dev+exp,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +9.0.0-dev+exp,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +9.0.0-dev+exp,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine. +9.0.0-dev+exp,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +9.0.0-dev+exp,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id. +9.0.0-dev+exp,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name. +9.0.0-dev+exp,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider. 
+9.0.0-dev+exp,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +9.0.0-dev+exp,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name. +9.0.0-dev+exp,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. +9.0.0-dev+exp,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. +9.0.0-dev+exp,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. +9.0.0-dev+exp,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +9.0.0-dev+exp,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. +9.0.0-dev+exp,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id. +9.0.0-dev+exp,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name. +9.0.0-dev+exp,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +9.0.0-dev+exp,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +9.0.0-dev+exp,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine. +9.0.0-dev+exp,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +9.0.0-dev+exp,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id. +9.0.0-dev+exp,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name. +9.0.0-dev+exp,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider. +9.0.0-dev+exp,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." 
+9.0.0-dev+exp,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name. +9.0.0-dev+exp,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +9.0.0-dev+exp,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +9.0.0-dev+exp,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +9.0.0-dev+exp,true,container,container.id,keyword,core,,,Unique container id. +9.0.0-dev+exp,true,container,container.image.hash.all,keyword,extended,array,[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26],An array of digests of the image the container was built on. +9.0.0-dev+exp,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. +9.0.0-dev+exp,true,container,container.image.tag,keyword,extended,array,,Container image tags. +9.0.0-dev+exp,true,container,container.labels,object,extended,,,Image labels. +9.0.0-dev+exp,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1." +9.0.0-dev+exp,true,container,container.name,keyword,extended,,,Container name. +9.0.0-dev+exp,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +9.0.0-dev+exp,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +9.0.0-dev+exp,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. +9.0.0-dev+exp,true,container,container.security_context.privileged,boolean,extended,,,Indicates whether the container is running in privileged mode. +9.0.0-dev+exp,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. 
+9.0.0-dev+exp,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. +9.0.0-dev+exp,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. +9.0.0-dev+exp,true,destination,destination.address,keyword,extended,,,Destination network address. +9.0.0-dev+exp,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.0.0-dev+exp,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.0.0-dev+exp,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.0.0-dev+exp,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. +9.0.0-dev+exp,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination. +9.0.0-dev+exp,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. +9.0.0-dev+exp,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. +9.0.0-dev+exp,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. +9.0.0-dev+exp,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.0.0-dev+exp,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. +9.0.0-dev+exp,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.0.0-dev+exp,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.0.0-dev+exp,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. +9.0.0-dev+exp,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 
+9.0.0-dev+exp,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. +9.0.0-dev+exp,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.0.0-dev+exp,true,destination,destination.ip,ip,core,,,IP address of the destination. +9.0.0-dev+exp,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. +9.0.0-dev+exp,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip +9.0.0-dev+exp,true,destination,destination.nat.port,long,extended,,,Destination NAT Port +9.0.0-dev+exp,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. +9.0.0-dev+exp,true,destination,destination.port,long,core,,,Port of the destination. +9.0.0-dev+exp,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." +9.0.0-dev+exp,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. +9.0.0-dev+exp,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.0.0-dev+exp,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.0.0-dev+exp,true,destination,destination.user.email,keyword,extended,,,User email address. +9.0.0-dev+exp,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev+exp,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev+exp,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.0.0-dev+exp,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+9.0.0-dev+exp,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.0.0-dev+exp,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.0.0-dev+exp,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. +9.0.0-dev+exp,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. +9.0.0-dev+exp,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. +9.0.0-dev+exp,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. +9.0.0-dev+exp,true,device,device.serial_number,keyword,core,,DJGAQS4CW5,Serial Number of the device +9.0.0-dev+exp,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.0.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.0.0-dev+exp,true,dll,dll.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.0.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 
+9.0.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.0.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.0.0-dev+exp,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.0.0-dev+exp,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.0.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.0.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.0.0-dev+exp,true,dll,dll.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.0.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. +9.0.0-dev+exp,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. +9.0.0-dev+exp,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. +9.0.0-dev+exp,true,dll,dll.hash.sha384,keyword,extended,,,SHA384 hash. +9.0.0-dev+exp,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. +9.0.0-dev+exp,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.0.0-dev+exp,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. +9.0.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. +9.0.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. +9.0.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.0.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 
+9.0.0-dev+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.0.0-dev+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.0.0-dev+exp,true,dll,dll.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.0.0-dev+exp,true,dll,dll.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev+exp,true,dll,dll.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,dll,dll.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,dll,dll.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.0.0-dev+exp,true,dll,dll.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.0.0-dev+exp,true,dll,dll.pe.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev+exp,true,dll,dll.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,dll,dll.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.0.0-dev+exp,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. 
+9.0.0-dev+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.0.0-dev+exp,true,dll,dll.pe.sections,nested,extended,array,,Section information of the PE file. +9.0.0-dev+exp,true,dll,dll.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev+exp,true,dll,dll.pe.sections.name,keyword,extended,,,PE Section List name. +9.0.0-dev+exp,true,dll,dll.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.0.0-dev+exp,true,dll,dll.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev+exp,true,dll,dll.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.0.0-dev+exp,true,dns,dns.answers,object,extended,array,,Array of DNS answers. +9.0.0-dev+exp,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. +9.0.0-dev+exp,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. +9.0.0-dev+exp,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. +9.0.0-dev+exp,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. +9.0.0-dev+exp,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. +9.0.0-dev+exp,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. +9.0.0-dev+exp,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. +9.0.0-dev+exp,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. 
+9.0.0-dev+exp,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. +9.0.0-dev+exp,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. +9.0.0-dev+exp,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." +9.0.0-dev+exp,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. +9.0.0-dev+exp,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.0.0-dev+exp,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. +9.0.0-dev+exp,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data +9.0.0-dev+exp,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. +9.0.0-dev+exp,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." +9.0.0-dev+exp,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. +9.0.0-dev+exp,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. +9.0.0-dev+exp,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. +9.0.0-dev+exp,true,email,email.attachments.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.0.0-dev+exp,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. +9.0.0-dev+exp,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. +9.0.0-dev+exp,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. +9.0.0-dev+exp,true,email,email.attachments.file.hash.sha384,keyword,extended,,,SHA384 hash. +9.0.0-dev+exp,true,email,email.attachments.file.hash.sha512,keyword,extended,,,SHA512 hash. 
+9.0.0-dev+exp,true,email,email.attachments.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.0.0-dev+exp,true,email,email.attachments.file.hash.tlsh,keyword,extended,,,TLSH hash. +9.0.0-dev+exp,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file. +9.0.0-dev+exp,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file. +9.0.0-dev+exp,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size. +9.0.0-dev+exp,true,email,email.bcc.address,keyword,extended,array,bcc.user1@example.com,Email address of BCC recipient +9.0.0-dev+exp,true,email,email.cc.address,keyword,extended,array,cc.user1@example.com,Email address of CC recipient +9.0.0-dev+exp,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message. +9.0.0-dev+exp,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered. +9.0.0-dev+exp,true,email,email.direction,keyword,extended,,inbound,Direction of the message. +9.0.0-dev+exp,true,email,email.from.address,keyword,extended,array,sender@example.com,The sender's email address. +9.0.0-dev+exp,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source. +9.0.0-dev+exp,true,email,email.message_id,wildcard,extended,,81ce15$8r2j59@mail01.example.com,Value from the Message-ID header. +9.0.0-dev+exp,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed. +9.0.0-dev+exp,true,email,email.reply_to.address,keyword,extended,array,reply.here@example.com,Address replies should be delivered to. +9.0.0-dev+exp,true,email,email.sender.address,keyword,extended,,,Address of the message sender. +9.0.0-dev+exp,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message. 
+9.0.0-dev+exp,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. +9.0.0-dev+exp,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient +9.0.0-dev+exp,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. +9.0.0-dev+exp,true,error,error.code,keyword,core,,,Error code describing the error. +9.0.0-dev+exp,true,error,error.id,keyword,core,,,Unique identifier for the error. +9.0.0-dev+exp,true,error,error.message,match_only_text,core,,,Error message. +9.0.0-dev+exp,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. +9.0.0-dev+exp,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text. +9.0.0-dev+exp,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." +9.0.0-dev+exp,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. +9.0.0-dev+exp,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. +9.0.0-dev+exp,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. +9.0.0-dev+exp,true,event,event.code,keyword,extended,,4648,Identification code for this event. +9.0.0-dev+exp,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. +9.0.0-dev+exp,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. +9.0.0-dev+exp,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. +9.0.0-dev+exp,true,event,event.end,date,extended,,,`event.end` contains the date when the event ended or when the activity was last observed. 
+9.0.0-dev+exp,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +9.0.0-dev+exp,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. +9.0.0-dev+exp,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. +9.0.0-dev+exp,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. +9.0.0-dev+exp,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. +9.0.0-dev+exp,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +9.0.0-dev+exp,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. +9.0.0-dev+exp,true,event,event.provider,keyword,extended,,kernel,Source of the event. +9.0.0-dev+exp,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" +9.0.0-dev+exp,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL +9.0.0-dev+exp,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +9.0.0-dev+exp,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). +9.0.0-dev+exp,true,event,event.sequence,long,extended,,,Sequence number of the event. +9.0.0-dev+exp,true,event,event.severity,long,core,,7,Numeric severity of the event. +9.0.0-dev+exp,true,event,event.start,date,extended,,,`event.start` contains the date when the event started or when the activity was first observed. 
+9.0.0-dev+exp,true,event,event.timezone,keyword,extended,,,Event time zone. +9.0.0-dev+exp,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. +9.0.0-dev+exp,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL +9.0.0-dev+exp,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function. +9.0.0-dev+exp,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. +9.0.0-dev+exp,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. +9.0.0-dev+exp,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. +9.0.0-dev+exp,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." +9.0.0-dev+exp,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. +9.0.0-dev+exp,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. +9.0.0-dev+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed. +9.0.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +9.0.0-dev+exp,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.0.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.0.0-dev+exp,true,file,file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.0.0-dev+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 
+9.0.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.0.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.0.0-dev+exp,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.0.0-dev+exp,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.0.0-dev+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.0.0-dev+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.0.0-dev+exp,true,file,file.created,date,extended,,,File creation time. +9.0.0-dev+exp,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. +9.0.0-dev+exp,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. +9.0.0-dev+exp,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. +9.0.0-dev+exp,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +9.0.0-dev+exp,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.0.0-dev+exp,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.0.0-dev+exp,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.0.0-dev+exp,true,file,file.elf.creation_date,date,extended,,,Build or compile date. +9.0.0-dev+exp,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. +9.0.0-dev+exp,true,file,file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. 
+9.0.0-dev+exp,true,file,file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev+exp,true,file,file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,file,file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,file,file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev+exp,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.0.0-dev+exp,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.0.0-dev+exp,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.0.0-dev+exp,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.0.0-dev+exp,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.0.0-dev+exp,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.0.0-dev+exp,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.0.0-dev+exp,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. +9.0.0-dev+exp,true,file,file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.0.0-dev+exp,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev+exp,true,file,file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,file,file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
+9.0.0-dev+exp,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. +9.0.0-dev+exp,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.0.0-dev+exp,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev+exp,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.0.0-dev+exp,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. +9.0.0-dev+exp,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.0.0-dev+exp,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.0.0-dev+exp,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. +9.0.0-dev+exp,true,file,file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev+exp,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.0.0-dev+exp,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.0.0-dev+exp,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. +9.0.0-dev+exp,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.0.0-dev+exp,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. +9.0.0-dev+exp,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.0.0-dev+exp,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.0.0-dev+exp,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +9.0.0-dev+exp,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +9.0.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. 
+9.0.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file. +9.0.0-dev+exp,true,file,file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.0.0-dev+exp,true,file,file.hash.md5,keyword,extended,,,MD5 hash. +9.0.0-dev+exp,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. +9.0.0-dev+exp,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. +9.0.0-dev+exp,true,file,file.hash.sha384,keyword,extended,,,SHA384 hash. +9.0.0-dev+exp,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. +9.0.0-dev+exp,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.0.0-dev+exp,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. +9.0.0-dev+exp,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +9.0.0-dev+exp,true,file,file.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +9.0.0-dev+exp,true,file,file.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev+exp,true,file,file.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,file,file.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,file,file.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev+exp,true,file,file.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.0.0-dev+exp,true,file,file.macho.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev+exp,true,file,file.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
+9.0.0-dev+exp,true,file,file.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,file,file.macho.sections,nested,extended,array,,Section information of the Mach-O file. +9.0.0-dev+exp,true,file,file.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev+exp,true,file,file.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.0.0-dev+exp,true,file,file.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.0.0-dev+exp,true,file,file.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev+exp,true,file,file.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +9.0.0-dev+exp,true,file,file.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +9.0.0-dev+exp,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +9.0.0-dev+exp,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. +9.0.0-dev+exp,true,file,file.mtime,date,extended,,,Last time the file content was modified. +9.0.0-dev+exp,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +9.0.0-dev+exp,true,file,file.owner,keyword,extended,,alice,File owner's username. +9.0.0-dev+exp,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.0.0-dev+exp,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.0.0-dev+exp,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 
+9.0.0-dev+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.0.0-dev+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.0.0-dev+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.0.0-dev+exp,true,file,file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.0.0-dev+exp,true,file,file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev+exp,true,file,file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,file,file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,file,file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.0.0-dev+exp,true,file,file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.0.0-dev+exp,true,file,file.pe.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev+exp,true,file,file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,file,file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
+9.0.0-dev+exp,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.0.0-dev+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.0.0-dev+exp,true,file,file.pe.sections,nested,extended,array,,Section information of the PE file. +9.0.0-dev+exp,true,file,file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev+exp,true,file,file.pe.sections.name,keyword,extended,,,PE Section List name. +9.0.0-dev+exp,true,file,file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.0.0-dev+exp,true,file,file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev+exp,true,file,file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.0.0-dev+exp,true,file,file.size,long,extended,,16384,File size in bytes. +9.0.0-dev+exp,true,file,file.target_path,keyword,extended,,,Target path for symlinks. +9.0.0-dev+exp,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. +9.0.0-dev+exp,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +9.0.0-dev+exp,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +9.0.0-dev+exp,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.0.0-dev+exp,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
+9.0.0-dev+exp,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.0.0-dev+exp,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.0.0-dev+exp,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.0.0-dev+exp,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.0.0-dev+exp,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +9.0.0-dev+exp,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev+exp,true,file,file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.0.0-dev+exp,true,file,file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.0.0-dev+exp,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.0.0-dev+exp,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.0.0-dev+exp,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.0.0-dev+exp,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.0.0-dev+exp,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. 
+9.0.0-dev+exp,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.0.0-dev+exp,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.0.0-dev+exp,true,file,file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.0.0-dev+exp,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +9.0.0-dev+exp,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.0.0-dev+exp,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.0.0-dev+exp,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.0.0-dev+exp,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev+exp,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. +9.0.0-dev+exp,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.0.0-dev+exp,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,group,group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. +9.0.0-dev+exp,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id +9.0.0-dev+exp,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +9.0.0-dev+exp,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. 
+9.0.0-dev+exp,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +9.0.0-dev+exp,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. +9.0.0-dev+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name. +9.0.0-dev+exp,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. +9.0.0-dev+exp,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. +9.0.0-dev+exp,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.0.0-dev+exp,true,host,host.geo.country_name,keyword,core,,Canada,Country name. +9.0.0-dev+exp,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.0.0-dev+exp,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.0.0-dev+exp,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. +9.0.0-dev+exp,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.0.0-dev+exp,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. +9.0.0-dev+exp,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.0.0-dev+exp,true,host,host.hostname,keyword,core,,,Hostname of the host. +9.0.0-dev+exp,true,host,host.id,keyword,core,,,Unique host id. +9.0.0-dev+exp,true,host,host.ip,ip,core,array,,Host ip addresses. +9.0.0-dev+exp,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. +9.0.0-dev+exp,true,host,host.name,keyword,core,,,Name of the host. +9.0.0-dev+exp,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +9.0.0-dev+exp,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. +9.0.0-dev+exp,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. 
+9.0.0-dev+exp,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. +9.0.0-dev+exp,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +9.0.0-dev+exp,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.0.0-dev+exp,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.0.0-dev+exp,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +9.0.0-dev+exp,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +9.0.0-dev+exp,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +9.0.0-dev+exp,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +9.0.0-dev+exp,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +9.0.0-dev+exp,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +9.0.0-dev+exp,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode +9.0.0-dev+exp,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.0.0-dev+exp,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.0.0-dev+exp,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 
+9.0.0-dev+exp,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.0.0-dev+exp,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.0.0-dev+exp,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.0.0-dev+exp,true,host,host.type,keyword,core,,,Type of host. +9.0.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. +9.0.0-dev+exp,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. +9.0.0-dev+exp,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. +9.0.0-dev+exp,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body. +9.0.0-dev+exp,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). +9.0.0-dev+exp,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. +9.0.0-dev+exp,true,http,http.request.method,keyword,extended,,POST,HTTP request method. +9.0.0-dev+exp,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. +9.0.0-dev+exp,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. +9.0.0-dev+exp,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. +9.0.0-dev+exp,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. +9.0.0-dev+exp,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body. 
+9.0.0-dev+exp,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). +9.0.0-dev+exp,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. +9.0.0-dev+exp,true,http,http.response.status_code,long,extended,,404,HTTP response status code. +9.0.0-dev+exp,true,http,http.version,keyword,extended,,1.1,HTTP version. +9.0.0-dev+exp,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. +9.0.0-dev+exp,true,log,log.level,keyword,core,,error,Log level of the log event. +9.0.0-dev+exp,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. +9.0.0-dev+exp,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event. +9.0.0-dev+exp,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. +9.0.0-dev+exp,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. +9.0.0-dev+exp,true,log,log.syslog,object,extended,,,Syslog metadata +9.0.0-dev+exp,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. +9.0.0-dev+exp,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. +9.0.0-dev+exp,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. +9.0.0-dev+exp,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. +9.0.0-dev+exp,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. +9.0.0-dev+exp,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. +9.0.0-dev+exp,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. 
+9.0.0-dev+exp,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. +9.0.0-dev+exp,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. +9.0.0-dev+exp,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages. +9.0.0-dev+exp,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. +9.0.0-dev+exp,true,network,network.application,keyword,extended,,aim,Application level protocol name. +9.0.0-dev+exp,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. +9.0.0-dev+exp,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. +9.0.0-dev+exp,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. +9.0.0-dev+exp,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. +9.0.0-dev+exp,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. +9.0.0-dev+exp,true,network,network.inner,object,extended,,,Inner VLAN tag information +9.0.0-dev+exp,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +9.0.0-dev+exp,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +9.0.0-dev+exp,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. +9.0.0-dev+exp,true,network,network.packets,long,core,,24,Total packets transferred in both directions. +9.0.0-dev+exp,true,network,network.protocol,keyword,core,,http,Application protocol name. +9.0.0-dev+exp,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. +9.0.0-dev+exp,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. 
ipv4, ipv6, ipsec, pim, etc" +9.0.0-dev+exp,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +9.0.0-dev+exp,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +9.0.0-dev+exp,true,observer,observer.egress,object,extended,,,Object field for egress information +9.0.0-dev+exp,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias +9.0.0-dev+exp,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID +9.0.0-dev+exp,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name +9.0.0-dev+exp,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +9.0.0-dev+exp,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +9.0.0-dev+exp,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone +9.0.0-dev+exp,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. +9.0.0-dev+exp,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. +9.0.0-dev+exp,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. +9.0.0-dev+exp,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.0.0-dev+exp,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. +9.0.0-dev+exp,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.0.0-dev+exp,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.0.0-dev+exp,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. +9.0.0-dev+exp,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.0.0-dev+exp,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. 
+9.0.0-dev+exp,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.0.0-dev+exp,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. +9.0.0-dev+exp,true,observer,observer.ingress,object,extended,,,Object field for ingress information +9.0.0-dev+exp,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias +9.0.0-dev+exp,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID +9.0.0-dev+exp,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name +9.0.0-dev+exp,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +9.0.0-dev+exp,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +9.0.0-dev+exp,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone +9.0.0-dev+exp,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. +9.0.0-dev+exp,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. +9.0.0-dev+exp,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. +9.0.0-dev+exp,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +9.0.0-dev+exp,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.0.0-dev+exp,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.0.0-dev+exp,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +9.0.0-dev+exp,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." 
+9.0.0-dev+exp,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +9.0.0-dev+exp,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +9.0.0-dev+exp,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +9.0.0-dev+exp,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +9.0.0-dev+exp,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. +9.0.0-dev+exp,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. +9.0.0-dev+exp,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. +9.0.0-dev+exp,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. +9.0.0-dev+exp,true,observer,observer.version,keyword,core,,,Observer version. +9.0.0-dev+exp,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action +9.0.0-dev+exp,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster. +9.0.0-dev+exp,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster. +9.0.0-dev+exp,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster. +9.0.0-dev+exp,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. +9.0.0-dev+exp,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. +9.0.0-dev+exp,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). 
+9.0.0-dev+exp,true,orchestrator,orchestrator.resource.annotation,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of annotations added to the resource. +9.0.0-dev+exp,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. +9.0.0-dev+exp,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. +9.0.0-dev+exp,true,orchestrator,orchestrator.resource.label,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of labels added to the resource. +9.0.0-dev+exp,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. +9.0.0-dev+exp,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. +9.0.0-dev+exp,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. +9.0.0-dev+exp,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)." +9.0.0-dev+exp,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. +9.0.0-dev+exp,true,organization,organization.name,keyword,extended,,,Organization name. +9.0.0-dev+exp,true,organization,organization.name.text,match_only_text,extended,,,Organization name. +9.0.0-dev+exp,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. +9.0.0-dev+exp,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information +9.0.0-dev+exp,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. 
+9.0.0-dev+exp,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. +9.0.0-dev+exp,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." +9.0.0-dev+exp,true,package,package.installed,date,extended,,,Time when package was installed. +9.0.0-dev+exp,true,package,package.license,keyword,extended,,Apache License 2.0,Package license +9.0.0-dev+exp,true,package,package.name,keyword,extended,,go,Package name +9.0.0-dev+exp,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. +9.0.0-dev+exp,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL +9.0.0-dev+exp,true,package,package.size,long,extended,,62231,Package size in bytes. +9.0.0-dev+exp,true,package,package.type,keyword,extended,,rpm,Package type +9.0.0-dev+exp,true,package,package.version,keyword,extended,,1.12.9,Package version +9.0.0-dev+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.0.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array. +9.0.0-dev+exp,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.0.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.0.0-dev+exp,true,process,process.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.0.0-dev+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.0.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
+9.0.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.0.0-dev+exp,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.0.0-dev+exp,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.0.0-dev+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.0.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.0.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev+exp,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev+exp,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.0.0-dev+exp,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.0.0-dev+exp,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.0.0-dev+exp,true,process,process.elf.creation_date,date,extended,,,Build or compile date. +9.0.0-dev+exp,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. +9.0.0-dev+exp,true,process,process.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.0.0-dev+exp,true,process,process.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev+exp,true,process,process.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
+9.0.0-dev+exp,true,process,process.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,process,process.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev+exp,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.0.0-dev+exp,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.0.0-dev+exp,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.0.0-dev+exp,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.0.0-dev+exp,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.0.0-dev+exp,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.0.0-dev+exp,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.0.0-dev+exp,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. +9.0.0-dev+exp,true,process,process.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.0.0-dev+exp,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev+exp,true,process,process.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,process,process.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. +9.0.0-dev+exp,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. 
+9.0.0-dev+exp,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev+exp,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.0.0-dev+exp,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. +9.0.0-dev+exp,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.0.0-dev+exp,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.0.0-dev+exp,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. +9.0.0-dev+exp,true,process,process.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev+exp,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.0.0-dev+exp,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.0.0-dev+exp,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. +9.0.0-dev+exp,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.0.0-dev+exp,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. +9.0.0-dev+exp,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.0.0-dev+exp,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.0.0-dev+exp,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +9.0.0-dev+exp,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev+exp,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 
+9.0.0-dev+exp,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. +9.0.0-dev+exp,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.entry_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev+exp,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev+exp,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev+exp,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. +9.0.0-dev+exp,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. +9.0.0-dev+exp,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev+exp,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev+exp,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. 
+9.0.0-dev+exp,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. +9.0.0-dev+exp,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. +9.0.0-dev+exp,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev+exp,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. +9.0.0-dev+exp,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev+exp,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. +9.0.0-dev+exp,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev+exp,true,process,process.entry_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. +9.0.0-dev+exp,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev+exp,true,process,process.entry_leader.parent.vpid,long,core,,4242,Virtual process id. +9.0.0-dev+exp,true,process,process.entry_leader.pid,long,core,,4242,Process id. +9.0.0-dev+exp,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
+9.0.0-dev+exp,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +9.0.0-dev+exp,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev+exp,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. +9.0.0-dev+exp,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.0.0-dev+exp,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.0.0-dev+exp,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
+9.0.0-dev+exp,true,process,process.entry_leader.vpid,long,core,,4242,Virtual process id. +9.0.0-dev+exp,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.0.0-dev+exp,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.0.0-dev+exp,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. +9.0.0-dev+exp,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev+exp,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process. +9.0.0-dev+exp,true,process,process.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.0.0-dev+exp,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. +9.0.0-dev+exp,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev+exp,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev+exp,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev+exp,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 
+9.0.0-dev+exp,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev+exp,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.0.0-dev+exp,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. +9.0.0-dev+exp,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. +9.0.0-dev+exp,true,process,process.group_leader.pid,long,core,,4242,Process id. +9.0.0-dev+exp,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +9.0.0-dev+exp,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. 
+9.0.0-dev+exp,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev+exp,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. +9.0.0-dev+exp,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.0.0-dev+exp,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.0.0-dev+exp,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.group_leader.vpid,long,core,,4242,Virtual process id. +9.0.0-dev+exp,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.0.0-dev+exp,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. 
+9.0.0-dev+exp,true,process,process.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.0.0-dev+exp,true,process,process.hash.md5,keyword,extended,,,MD5 hash. +9.0.0-dev+exp,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. +9.0.0-dev+exp,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. +9.0.0-dev+exp,true,process,process.hash.sha384,keyword,extended,,,SHA384 hash. +9.0.0-dev+exp,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. +9.0.0-dev+exp,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.0.0-dev+exp,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. +9.0.0-dev+exp,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.0.0-dev+exp,true,process,process.io,object,extended,,,A chunk of input or output (IO) from a single process. +9.0.0-dev+exp,true,process,process.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. +9.0.0-dev+exp,true,process,process.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. +9.0.0-dev+exp,true,process,process.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. +9.0.0-dev+exp,true,process,process.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." +9.0.0-dev+exp,true,process,process.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. +9.0.0-dev+exp,true,process,process.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. 
+9.0.0-dev+exp,true,process,process.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. +9.0.0-dev+exp,true,process,process.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. +9.0.0-dev+exp,true,process,process.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +9.0.0-dev+exp,true,process,process.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev+exp,true,process,process.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,process,process.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,process,process.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev+exp,true,process,process.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.0.0-dev+exp,true,process,process.macho.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev+exp,true,process,process.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,process,process.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,process,process.macho.sections,nested,extended,array,,Section information of the Mach-O file. +9.0.0-dev+exp,true,process,process.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev+exp,true,process,process.macho.sections.name,keyword,extended,,,Mach-O Section List name. 
+9.0.0-dev+exp,true,process,process.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.0.0-dev+exp,true,process,process.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev+exp,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +9.0.0-dev+exp,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +9.0.0-dev+exp,true,process,process.name,keyword,extended,,ssh,Process name. +9.0.0-dev+exp,true,process,process.name.text,match_only_text,extended,,ssh,Process name. +9.0.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.0.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. +9.0.0-dev+exp,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.0.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.0.0-dev+exp,true,process,process.parent.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.0.0-dev+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.0.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.0.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.0.0-dev+exp,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 
+9.0.0-dev+exp,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.0.0-dev+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.0.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.0.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev+exp,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev+exp,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.0.0-dev+exp,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.0.0-dev+exp,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.0.0-dev+exp,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. +9.0.0-dev+exp,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. +9.0.0-dev+exp,true,process,process.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.0.0-dev+exp,true,process,process.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev+exp,true,process,process.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,process,process.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 
+9.0.0-dev+exp,true,process,process.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev+exp,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.0.0-dev+exp,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.0.0-dev+exp,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.0.0-dev+exp,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.0.0-dev+exp,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.0.0-dev+exp,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.0.0-dev+exp,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.0.0-dev+exp,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. +9.0.0-dev+exp,true,process,process.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.0.0-dev+exp,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev+exp,true,process,process.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,process,process.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. +9.0.0-dev+exp,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. 
+9.0.0-dev+exp,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev+exp,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.0.0-dev+exp,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. +9.0.0-dev+exp,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.0.0-dev+exp,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.0.0-dev+exp,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. +9.0.0-dev+exp,true,process,process.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev+exp,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.0.0-dev+exp,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.0.0-dev+exp,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. +9.0.0-dev+exp,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.0.0-dev+exp,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. +9.0.0-dev+exp,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.0.0-dev+exp,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.0.0-dev+exp,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +9.0.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev+exp,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 
+9.0.0-dev+exp,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev+exp,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. +9.0.0-dev+exp,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.parent.group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev+exp,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. +9.0.0-dev+exp,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev+exp,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id. +9.0.0-dev+exp,true,process,process.parent.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.0.0-dev+exp,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. +9.0.0-dev+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. +9.0.0-dev+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. +9.0.0-dev+exp,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash. +9.0.0-dev+exp,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. +9.0.0-dev+exp,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.0.0-dev+exp,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. +9.0.0-dev+exp,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.0.0-dev+exp,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. 
+9.0.0-dev+exp,true,process,process.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev+exp,true,process,process.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,process,process.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,process,process.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev+exp,true,process,process.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.0.0-dev+exp,true,process,process.parent.macho.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev+exp,true,process,process.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,process,process.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,process,process.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file. +9.0.0-dev+exp,true,process,process.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev+exp,true,process,process.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.0.0-dev+exp,true,process,process.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.0.0-dev+exp,true,process,process.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev+exp,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. 
This is always the same as `physical_size`. +9.0.0-dev+exp,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +9.0.0-dev+exp,true,process,process.parent.name,keyword,extended,,ssh,Process name. +9.0.0-dev+exp,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. +9.0.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.0.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.0.0-dev+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.0.0-dev+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.0.0-dev+exp,true,process,process.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.0.0-dev+exp,true,process,process.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev+exp,true,process,process.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,process,process.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,process,process.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.0.0-dev+exp,true,process,process.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. 
+9.0.0-dev+exp,true,process,process.parent.pe.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev+exp,true,process,process.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,process,process.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.0.0-dev+exp,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.0.0-dev+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.0.0-dev+exp,true,process,process.parent.pe.sections,nested,extended,array,,Section information of the PE file. +9.0.0-dev+exp,true,process,process.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev+exp,true,process,process.parent.pe.sections.name,keyword,extended,,,PE Section List name. +9.0.0-dev+exp,true,process,process.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.0.0-dev+exp,true,process,process.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev+exp,true,process,process.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.0.0-dev+exp,true,process,process.parent.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. +9.0.0-dev+exp,true,process,process.parent.pid,long,core,,4242,Process id. 
+9.0.0-dev+exp,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev+exp,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.parent.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +9.0.0-dev+exp,true,process,process.parent.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. 
+9.0.0-dev+exp,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. +9.0.0-dev+exp,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. +9.0.0-dev+exp,true,process,process.parent.title,keyword,extended,,,Process title. +9.0.0-dev+exp,true,process,process.parent.title.text,match_only_text,extended,,,Process title. +9.0.0-dev+exp,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. +9.0.0-dev+exp,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.0.0-dev+exp,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.0.0-dev+exp,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. +9.0.0-dev+exp,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.parent.vpid,long,core,,4242,Virtual process id. +9.0.0-dev+exp,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.0.0-dev+exp,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.0.0-dev+exp,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.0.0-dev+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.0.0-dev+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 
+9.0.0-dev+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.0.0-dev+exp,true,process,process.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.0.0-dev+exp,true,process,process.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev+exp,true,process,process.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,process,process.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,process,process.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.0.0-dev+exp,true,process,process.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.0.0-dev+exp,true,process,process.pe.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev+exp,true,process,process.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,process,process.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.0.0-dev+exp,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.0.0-dev+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 
+9.0.0-dev+exp,true,process,process.pe.sections,nested,extended,array,,Section information of the PE file. +9.0.0-dev+exp,true,process,process.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev+exp,true,process,process.pe.sections.name,keyword,extended,,,PE Section List name. +9.0.0-dev+exp,true,process,process.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.0.0-dev+exp,true,process,process.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev+exp,true,process,process.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.0.0-dev+exp,true,process,process.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. +9.0.0-dev+exp,true,process,process.pid,long,core,,4242,Process id. +9.0.0-dev+exp,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.0.0-dev+exp,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. +9.0.0-dev+exp,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev+exp,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev+exp,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.real_group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user. 
+9.0.0-dev+exp,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.saved_group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.0.0-dev+exp,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array. +9.0.0-dev+exp,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev+exp,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev+exp,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev+exp,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev+exp,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev+exp,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. 
+9.0.0-dev+exp,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.0.0-dev+exp,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. +9.0.0-dev+exp,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. +9.0.0-dev+exp,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev+exp,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. +9.0.0-dev+exp,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev+exp,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. +9.0.0-dev+exp,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev+exp,true,process,process.session_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. +9.0.0-dev+exp,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev+exp,true,process,process.session_leader.parent.vpid,long,core,,4242,Virtual process id. +9.0.0-dev+exp,true,process,process.session_leader.pid,long,core,,4242,Process id. +9.0.0-dev+exp,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. 
+9.0.0-dev+exp,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +9.0.0-dev+exp,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev+exp,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. +9.0.0-dev+exp,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.0.0-dev+exp,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.0.0-dev+exp,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
+9.0.0-dev+exp,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.session_leader.vpid,long,core,,4242,Virtual process id. +9.0.0-dev+exp,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.0.0-dev+exp,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.0.0-dev+exp,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev+exp,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +9.0.0-dev+exp,true,process,process.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. +9.0.0-dev+exp,true,process,process.thread.id,long,extended,,4242,Thread ID. +9.0.0-dev+exp,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. +9.0.0-dev+exp,true,process,process.title,keyword,extended,,,Process title. +9.0.0-dev+exp,true,process,process.title.text,match_only_text,extended,,,Process title. +9.0.0-dev+exp,true,process,process.tty,object,extended,,,Information about the controlling TTY device. +9.0.0-dev+exp,true,process,process.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.0.0-dev+exp,true,process,process.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. 
+9.0.0-dev+exp,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width +9.0.0-dev+exp,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height +9.0.0-dev+exp,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. +9.0.0-dev+exp,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.vpid,long,core,,4242,Virtual process id. +9.0.0-dev+exp,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.0.0-dev+exp,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.0.0-dev+exp,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +9.0.0-dev+exp,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +9.0.0-dev+exp,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +9.0.0-dev+exp,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +9.0.0-dev+exp,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. 
+9.0.0-dev+exp,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +9.0.0-dev+exp,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. +9.0.0-dev+exp,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. +9.0.0-dev+exp,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. +9.0.0-dev+exp,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. +9.0.0-dev+exp,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. +9.0.0-dev+exp,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author +9.0.0-dev+exp,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category +9.0.0-dev+exp,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description +9.0.0-dev+exp,true,rule,rule.id,keyword,extended,,101,Rule ID +9.0.0-dev+exp,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license +9.0.0-dev+exp,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name +9.0.0-dev+exp,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL +9.0.0-dev+exp,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset +9.0.0-dev+exp,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID +9.0.0-dev+exp,true,rule,rule.version,keyword,extended,,1.1,Rule version +9.0.0-dev+exp,true,server,server.address,keyword,extended,,,Server network address. +9.0.0-dev+exp,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.0.0-dev+exp,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. 
+9.0.0-dev+exp,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.0.0-dev+exp,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. +9.0.0-dev+exp,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server. +9.0.0-dev+exp,true,server,server.geo.city_name,keyword,core,,Montreal,City name. +9.0.0-dev+exp,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. +9.0.0-dev+exp,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. +9.0.0-dev+exp,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.0.0-dev+exp,true,server,server.geo.country_name,keyword,core,,Canada,Country name. +9.0.0-dev+exp,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.0.0-dev+exp,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.0.0-dev+exp,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. +9.0.0-dev+exp,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.0.0-dev+exp,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. +9.0.0-dev+exp,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.0.0-dev+exp,true,server,server.ip,ip,core,,,IP address of the server. +9.0.0-dev+exp,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. +9.0.0-dev+exp,true,server,server.nat.ip,ip,extended,,,Server NAT ip +9.0.0-dev+exp,true,server,server.nat.port,long,extended,,,Server NAT port +9.0.0-dev+exp,true,server,server.packets,long,core,,12,Packets sent from the server to the client. +9.0.0-dev+exp,true,server,server.port,long,core,,,Port of the server. 
+9.0.0-dev+exp,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." +9.0.0-dev+exp,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. +9.0.0-dev+exp,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.0.0-dev+exp,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.0.0-dev+exp,true,server,server.user.email,keyword,extended,,,User email address. +9.0.0-dev+exp,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev+exp,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev+exp,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.0.0-dev+exp,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,server,server.user.group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.0.0-dev+exp,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.0.0-dev+exp,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. 
+9.0.0-dev+exp,true,service,service.environment,keyword,extended,,production,Environment of the service. +9.0.0-dev+exp,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +9.0.0-dev+exp,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +9.0.0-dev+exp,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. +9.0.0-dev+exp,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. +9.0.0-dev+exp,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +9.0.0-dev+exp,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +9.0.0-dev+exp,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. +9.0.0-dev+exp,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. +9.0.0-dev+exp,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +9.0.0-dev+exp,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +9.0.0-dev+exp,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. +9.0.0-dev+exp,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. +9.0.0-dev+exp,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +9.0.0-dev+exp,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +9.0.0-dev+exp,true,service,service.origin.state,keyword,core,,,Current state of the service. +9.0.0-dev+exp,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. 
+9.0.0-dev+exp,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. +9.0.0-dev+exp,true,service,service.state,keyword,core,,,Current state of the service. +9.0.0-dev+exp,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service. +9.0.0-dev+exp,true,service,service.target.environment,keyword,extended,,production,Environment of the service. +9.0.0-dev+exp,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +9.0.0-dev+exp,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +9.0.0-dev+exp,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. +9.0.0-dev+exp,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. +9.0.0-dev+exp,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +9.0.0-dev+exp,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +9.0.0-dev+exp,true,service,service.target.state,keyword,core,,,Current state of the service. +9.0.0-dev+exp,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. +9.0.0-dev+exp,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. +9.0.0-dev+exp,true,service,service.type,keyword,core,,elasticsearch,The type of the service. +9.0.0-dev+exp,true,service,service.version,keyword,core,,3.2.4,Version of the service. +9.0.0-dev+exp,true,source,source.address,keyword,extended,,,Source network address. +9.0.0-dev+exp,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.0.0-dev+exp,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. 
+9.0.0-dev+exp,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.0.0-dev+exp,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. +9.0.0-dev+exp,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source. +9.0.0-dev+exp,true,source,source.geo.city_name,keyword,core,,Montreal,City name. +9.0.0-dev+exp,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. +9.0.0-dev+exp,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. +9.0.0-dev+exp,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.0.0-dev+exp,true,source,source.geo.country_name,keyword,core,,Canada,Country name. +9.0.0-dev+exp,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.0.0-dev+exp,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.0.0-dev+exp,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. +9.0.0-dev+exp,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.0.0-dev+exp,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. +9.0.0-dev+exp,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.0.0-dev+exp,true,source,source.ip,ip,core,,,IP address of the source. +9.0.0-dev+exp,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +9.0.0-dev+exp,true,source,source.nat.ip,ip,extended,,,Source NAT ip +9.0.0-dev+exp,true,source,source.nat.port,long,extended,,,Source NAT port +9.0.0-dev+exp,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. +9.0.0-dev+exp,true,source,source.port,long,core,,,Port of the source. 
+9.0.0-dev+exp,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +9.0.0-dev+exp,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. +9.0.0-dev+exp,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.0.0-dev+exp,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.0.0-dev+exp,true,source,source.user.email,keyword,extended,,,User email address. +9.0.0-dev+exp,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev+exp,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev+exp,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.0.0-dev+exp,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,source,source.user.group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.0.0-dev+exp,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.0.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. 
+9.0.0-dev+exp,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 
+9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. 
+9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." 
+9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. 
+9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. 
+9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." 
+9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. 
+9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. 
+9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.0.0-dev+exp,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
+9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. 
+9.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. 
+9.0.0-dev+exp,true,threat,threat.enrichments.indicator.name,keyword,extended,,5.2.75.227,Indicator display name +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. 
+9.0.0-dev+exp,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. 
+9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.0.0-dev+exp,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
+9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. 
+9.0.0-dev+exp,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value +9.0.0-dev+exp,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field +9.0.0-dev+exp,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier +9.0.0-dev+exp,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index +9.0.0-dev+exp,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05T17:00:58.326Z,Date of match +9.0.0-dev+exp,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match +9.0.0-dev+exp,true,threat,threat.feed.dashboard_id,keyword,extended,,5ba16340-72e6-11eb-a3e3-b3cc7c78a70f,Feed dashboard ID. +9.0.0-dev+exp,true,threat,threat.feed.description,keyword,extended,,Threat feed from the AlienVault Open Threat eXchange network.,Description of the threat feed. +9.0.0-dev+exp,true,threat,threat.feed.name,keyword,extended,,AlienVault OTX,Name of the threat feed. +9.0.0-dev+exp,true,threat,threat.feed.reference,keyword,extended,,https://otx.alienvault.com,Reference for the threat feed. +9.0.0-dev+exp,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. +9.0.0-dev+exp,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. +9.0.0-dev+exp,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. +9.0.0-dev+exp,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. +9.0.0-dev+exp,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. +9.0.0-dev+exp,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. 
+9.0.0-dev+exp,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.0.0-dev+exp,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.0.0-dev+exp,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating +9.0.0-dev+exp,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +9.0.0-dev+exp,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +9.0.0-dev+exp,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. +9.0.0-dev+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +9.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 
+9.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.0.0-dev+exp,true,threat,threat.indicator.file.created,date,extended,,,File creation time. +9.0.0-dev+exp,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +9.0.0-dev+exp,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +9.0.0-dev+exp,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +9.0.0-dev+exp,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. 
+9.0.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
+9.0.0-dev+exp,true,threat,threat.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. 
+9.0.0-dev+exp,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.0.0-dev+exp,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +9.0.0-dev+exp,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +9.0.0-dev+exp,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +9.0.0-dev+exp,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +9.0.0-dev+exp,true,threat,threat.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.0.0-dev+exp,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. +9.0.0-dev+exp,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. +9.0.0-dev+exp,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. +9.0.0-dev+exp,true,threat,threat.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. +9.0.0-dev+exp,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. +9.0.0-dev+exp,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.0.0-dev+exp,true,threat,threat.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. +9.0.0-dev+exp,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +9.0.0-dev+exp,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +9.0.0-dev+exp,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. 
+9.0.0-dev+exp,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. +9.0.0-dev+exp,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +9.0.0-dev+exp,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. +9.0.0-dev+exp,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.0.0-dev+exp,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
+9.0.0-dev+exp,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 
+9.0.0-dev+exp,true,threat,threat.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.0.0-dev+exp,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. +9.0.0-dev+exp,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +9.0.0-dev+exp,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. +9.0.0-dev+exp,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +9.0.0-dev+exp,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+9.0.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.0.0-dev+exp,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
+9.0.0-dev+exp,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. +9.0.0-dev+exp,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +9.0.0-dev+exp,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. +9.0.0-dev+exp,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. +9.0.0-dev+exp,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +9.0.0-dev+exp,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.0.0-dev+exp,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. +9.0.0-dev+exp,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.0.0-dev+exp,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.0.0-dev+exp,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. +9.0.0-dev+exp,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.0.0-dev+exp,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. 
+9.0.0-dev+exp,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.0.0-dev+exp,true,threat,threat.indicator.id,keyword,extended,array,[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37],ID of the indicator +9.0.0-dev+exp,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +9.0.0-dev+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +9.0.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking +9.0.0-dev+exp,true,threat,threat.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version +9.0.0-dev+exp,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. +9.0.0-dev+exp,true,threat,threat.indicator.name,keyword,extended,,5.2.75.227,Indicator display name +9.0.0-dev+exp,true,threat,threat.indicator.port,long,extended,,443,Indicator port +9.0.0-dev+exp,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +9.0.0-dev+exp,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +9.0.0-dev+exp,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +9.0.0-dev+exp,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +9.0.0-dev+exp,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +9.0.0-dev+exp,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. 
+9.0.0-dev+exp,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +9.0.0-dev+exp,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +9.0.0-dev+exp,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. +9.0.0-dev+exp,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics +9.0.0-dev+exp,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed +9.0.0-dev+exp,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +9.0.0-dev+exp,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +9.0.0-dev+exp,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +9.0.0-dev+exp,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +9.0.0-dev+exp,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.0.0-dev+exp,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.0.0-dev+exp,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.0.0-dev+exp,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. 
+9.0.0-dev+exp,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. +9.0.0-dev+exp,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +9.0.0-dev+exp,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." +9.0.0-dev+exp,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. +9.0.0-dev+exp,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +9.0.0-dev+exp,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +9.0.0-dev+exp,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +9.0.0-dev+exp,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.0.0-dev+exp,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. +9.0.0-dev+exp,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.0.0-dev+exp,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.0.0-dev+exp,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.0.0-dev+exp,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
+9.0.0-dev+exp,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.0.0-dev+exp,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.0.0-dev+exp,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +9.0.0-dev+exp,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev+exp,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.0.0-dev+exp,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.0.0-dev+exp,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.0.0-dev+exp,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.0.0-dev+exp,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.0.0-dev+exp,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.0.0-dev+exp,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.0.0-dev+exp,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. 
+9.0.0-dev+exp,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.0.0-dev+exp,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.0.0-dev+exp,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +9.0.0-dev+exp,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.0.0-dev+exp,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.0.0-dev+exp,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.0.0-dev+exp,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev+exp,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. +9.0.0-dev+exp,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software +9.0.0-dev+exp,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software +9.0.0-dev+exp,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. +9.0.0-dev+exp,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. +9.0.0-dev+exp,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. +9.0.0-dev+exp,true,threat,threat.software.type,keyword,extended,,Tool,Software type. +9.0.0-dev+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. 
+9.0.0-dev+exp,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. +9.0.0-dev+exp,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. +9.0.0-dev+exp,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. +9.0.0-dev+exp,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. +9.0.0-dev+exp,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name. +9.0.0-dev+exp,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. +9.0.0-dev+exp,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. +9.0.0-dev+exp,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. +9.0.0-dev+exp,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name. +9.0.0-dev+exp,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. +9.0.0-dev+exp,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. +9.0.0-dev+exp,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. +9.0.0-dev+exp,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. +9.0.0-dev+exp,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. 
+9.0.0-dev+exp,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. +9.0.0-dev+exp,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. +9.0.0-dev+exp,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. +9.0.0-dev+exp,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. +9.0.0-dev+exp,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. +9.0.0-dev+exp,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. +9.0.0-dev+exp,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. +9.0.0-dev+exp,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. +9.0.0-dev+exp,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. +9.0.0-dev+exp,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
+9.0.0-dev+exp,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.0.0-dev+exp,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.0.0-dev+exp,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.0.0-dev+exp,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.0.0-dev+exp,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.0.0-dev+exp,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +9.0.0-dev+exp,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev+exp,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.0.0-dev+exp,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.0.0-dev+exp,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.0.0-dev+exp,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.0.0-dev+exp,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.0.0-dev+exp,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. 
+9.0.0-dev+exp,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.0.0-dev+exp,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.0.0-dev+exp,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.0.0-dev+exp,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.0.0-dev+exp,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +9.0.0-dev+exp,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.0.0-dev+exp,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.0.0-dev+exp,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.0.0-dev+exp,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev+exp,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. +9.0.0-dev+exp,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." +9.0.0-dev+exp,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +9.0.0-dev+exp,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. +9.0.0-dev+exp,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. 
+9.0.0-dev+exp,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. +9.0.0-dev+exp,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. +9.0.0-dev+exp,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. +9.0.0-dev+exp,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. +9.0.0-dev+exp,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. +9.0.0-dev+exp,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. +9.0.0-dev+exp,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. +9.0.0-dev+exp,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. +9.0.0-dev+exp,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. +9.0.0-dev+exp,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. +9.0.0-dev+exp,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
+9.0.0-dev+exp,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.0.0-dev+exp,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.0.0-dev+exp,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.0.0-dev+exp,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.0.0-dev+exp,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.0.0-dev+exp,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +9.0.0-dev+exp,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev+exp,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.0.0-dev+exp,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.0.0-dev+exp,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.0.0-dev+exp,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.0.0-dev+exp,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.0.0-dev+exp,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. 
+9.0.0-dev+exp,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.0.0-dev+exp,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.0.0-dev+exp,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.0.0-dev+exp,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.0.0-dev+exp,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +9.0.0-dev+exp,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.0.0-dev+exp,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.0.0-dev+exp,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.0.0-dev+exp,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev+exp,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. +9.0.0-dev+exp,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. +9.0.0-dev+exp,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. +9.0.0-dev+exp,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. +9.0.0-dev+exp,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. 
+9.0.0-dev+exp,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. +9.0.0-dev+exp,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +9.0.0-dev+exp,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. +9.0.0-dev+exp,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.0.0-dev+exp,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.0.0-dev+exp,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.0.0-dev+exp,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.0.0-dev+exp,true,url,url.password,keyword,extended,,,Password of the request. +9.0.0-dev+exp,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +9.0.0-dev+exp,true,url,url.port,long,extended,,443,"Port of the request, such as 443." +9.0.0-dev+exp,true,url,url.query,keyword,extended,,,Query string of the request. +9.0.0-dev+exp,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +9.0.0-dev+exp,true,url,url.scheme,keyword,extended,,https,Scheme of the url. +9.0.0-dev+exp,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. +9.0.0-dev+exp,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.0.0-dev+exp,true,url,url.username,keyword,extended,,,Username of the request. +9.0.0-dev+exp,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. 
+9.0.0-dev+exp,true,user,user.changes.email,keyword,extended,,,User email address. +9.0.0-dev+exp,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev+exp,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev+exp,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.0.0-dev+exp,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,user,user.changes.group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.0.0-dev+exp,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.0.0-dev+exp,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.0.0-dev+exp,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. +9.0.0-dev+exp,true,user,user.effective.email,keyword,extended,,,User email address. +9.0.0-dev+exp,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev+exp,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev+exp,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+9.0.0-dev+exp,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,user,user.effective.group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.0.0-dev+exp,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.0.0-dev+exp,true,user,user.email,keyword,extended,,,User email address. +9.0.0-dev+exp,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev+exp,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev+exp,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.0.0-dev+exp,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,user,user.group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.0.0-dev+exp,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
+9.0.0-dev+exp,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.0.0-dev+exp,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.0.0-dev+exp,true,user,user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.0.0-dev+exp,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.0.0-dev+exp,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.0.0-dev+exp,true,user,user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.0.0-dev+exp,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.0.0-dev+exp,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. +9.0.0-dev+exp,true,user,user.target.email,keyword,extended,,,User email address. +9.0.0-dev+exp,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev+exp,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev+exp,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.0.0-dev+exp,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,user,user.target.group.name,keyword,extended,,,Name of the group. 
+9.0.0-dev+exp,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.0.0-dev+exp,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.0.0-dev+exp,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. +9.0.0-dev+exp,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. +9.0.0-dev+exp,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +9.0.0-dev+exp,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +9.0.0-dev+exp,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +9.0.0-dev+exp,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.0.0-dev+exp,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.0.0-dev+exp,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. 
+9.0.0-dev+exp,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +9.0.0-dev+exp,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +9.0.0-dev+exp,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +9.0.0-dev+exp,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +9.0.0-dev+exp,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +9.0.0-dev+exp,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. +9.0.0-dev+exp,true,volume,volume.bus_type,keyword,extended,,FileBackedVirtual,Bus type of the device. +9.0.0-dev+exp,true,volume,volume.default_access,keyword,extended,,,Bus type of the device. +9.0.0-dev+exp,true,volume,volume.device_name,keyword,extended,,,Device name of the volume. +9.0.0-dev+exp,true,volume,volume.device_type,keyword,extended,,CD-ROM File System,Volume device type. +9.0.0-dev+exp,true,volume,volume.dos_name,keyword,extended,,E:,DOS name of the device. +9.0.0-dev+exp,true,volume,volume.file_system_type,keyword,extended,,,Volume device file system type. +9.0.0-dev+exp,true,volume,volume.mount_name,keyword,extended,,,Mount name of the volume. +9.0.0-dev+exp,true,volume,volume.nt_name,keyword,extended,,\Device\Cdrom1,NT name of the device. +9.0.0-dev+exp,true,volume,volume.product_id,keyword,extended,,,ProductID of the device. +9.0.0-dev+exp,true,volume,volume.product_name,keyword,extended,,Virtual DVD-ROM,Produce name of the volume. +9.0.0-dev+exp,true,volume,volume.removable,boolean,extended,,,Indicates if the volume is removable. +9.0.0-dev+exp,true,volume,volume.serial_number,keyword,extended,,,Serial number of the device. 
+9.0.0-dev+exp,true,volume,volume.size,long,extended,,,Size of the volume device in bytes. +9.0.0-dev+exp,true,volume,volume.vendor_id,keyword,extended,,,VendorID of the device. +9.0.0-dev+exp,true,volume,volume.vendor_name,keyword,extended,,Msft,Vendor name of the device. +9.0.0-dev+exp,true,volume,volume.writable,boolean,extended,,,Indicates if the volume is writable. +9.0.0-dev+exp,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. +9.0.0-dev+exp,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. +9.0.0-dev+exp,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +9.0.0-dev+exp,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +9.0.0-dev+exp,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. +9.0.0-dev+exp,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. +9.0.0-dev+exp,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. +9.0.0-dev+exp,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. +9.0.0-dev+exp,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. +9.0.0-dev+exp,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. +9.0.0-dev+exp,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. +9.0.0-dev+exp,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. 
+9.0.0-dev+exp,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. +9.0.0-dev+exp,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. diff --git a/experimental/generated/elasticsearch/composable/component/agent.json b/experimental/generated/elasticsearch/composable/component/agent.json index 557ba8eb6e..e1b68bc031 100644 --- a/experimental/generated/elasticsearch/composable/component/agent.json +++ b/experimental/generated/elasticsearch/composable/component/agent.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/base.json b/experimental/generated/elasticsearch/composable/component/base.json index aaf9afefb0..8b0e484962 100644 --- a/experimental/generated/elasticsearch/composable/component/base.json +++ b/experimental/generated/elasticsearch/composable/component/base.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/cgroup.json b/experimental/generated/elasticsearch/composable/component/cgroup.json index 941bb2191a..092d3a33e7 100644 --- a/experimental/generated/elasticsearch/composable/component/cgroup.json +++ b/experimental/generated/elasticsearch/composable/component/cgroup.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cgroup.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { 
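Review bot: the regenerated experimental `fields.csv` carries forward a wrong description on `volume.default_access`, which reads "Bus type of the device.", word for word the description of `volume.bus_type` two rows above it, so the row says nothing about default access; since this file is generated, the fix belongs in the volume schema source, followed by a regeneration, rather than in this CSV. The same pass should catch `volume.product_name` ("Produce name of the volume." for "Product name") and `user_agent.os.platform` ("such centos, ubuntu, windows", missing "as"). None of these are introduced by the 9.0.0-dev version bump itself, but a bump that rewrites every row is the moment a reviewer is most likely to read them, so a follow-up PR referencing this one would be worthwhile.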
diff --git a/experimental/generated/elasticsearch/composable/component/client.json b/experimental/generated/elasticsearch/composable/component/client.json index 743a9d3dc2..bd06c6abce 100644 --- a/experimental/generated/elasticsearch/composable/component/client.json +++ b/experimental/generated/elasticsearch/composable/component/client.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/cloud.json b/experimental/generated/elasticsearch/composable/component/cloud.json index e8ce7e6399..28e968adb8 100644 --- a/experimental/generated/elasticsearch/composable/component/cloud.json +++ b/experimental/generated/elasticsearch/composable/component/cloud.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cloud.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/container.json b/experimental/generated/elasticsearch/composable/component/container.json index 5a939273fa..9f430ba42c 100644 --- a/experimental/generated/elasticsearch/composable/component/container.json +++ b/experimental/generated/elasticsearch/composable/component/container.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-container.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/data_stream.json b/experimental/generated/elasticsearch/composable/component/data_stream.json index 602c2f81d3..9cc522bd77 100644 --- a/experimental/generated/elasticsearch/composable/component/data_stream.json 
+++ b/experimental/generated/elasticsearch/composable/component/data_stream.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-data_stream.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/destination.json b/experimental/generated/elasticsearch/composable/component/destination.json index a332a95269..5c3e47f68d 100644 --- a/experimental/generated/elasticsearch/composable/component/destination.json +++ b/experimental/generated/elasticsearch/composable/component/destination.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/device.json b/experimental/generated/elasticsearch/composable/component/device.json index 215d046175..711b131438 100644 --- a/experimental/generated/elasticsearch/composable/component/device.json +++ b/experimental/generated/elasticsearch/composable/component/device.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-device.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/dll.json b/experimental/generated/elasticsearch/composable/component/dll.json index e59687764d..7f09c08d43 100644 --- a/experimental/generated/elasticsearch/composable/component/dll.json +++ b/experimental/generated/elasticsearch/composable/component/dll.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dll.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/dns.json b/experimental/generated/elasticsearch/composable/component/dns.json index 4ed0861343..23c6eb2aea 100644 --- a/experimental/generated/elasticsearch/composable/component/dns.json +++ b/experimental/generated/elasticsearch/composable/component/dns.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/ecs.json b/experimental/generated/elasticsearch/composable/component/ecs.json index a4e6e32eff..fb53443d7f 100644 --- a/experimental/generated/elasticsearch/composable/component/ecs.json +++ b/experimental/generated/elasticsearch/composable/component/ecs.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/email.json b/experimental/generated/elasticsearch/composable/component/email.json index 5de733e5f7..e79c0bc54b 100644 --- a/experimental/generated/elasticsearch/composable/component/email.json +++ b/experimental/generated/elasticsearch/composable/component/email.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-email.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/error.json b/experimental/generated/elasticsearch/composable/component/error.json index 81365f394c..1ffda6da4d 100644 --- a/experimental/generated/elasticsearch/composable/component/error.json +++ b/experimental/generated/elasticsearch/composable/component/error.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-error.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/event.json b/experimental/generated/elasticsearch/composable/component/event.json index b26490b26e..9b5934bfb1 100644 --- a/experimental/generated/elasticsearch/composable/component/event.json +++ b/experimental/generated/elasticsearch/composable/component/event.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/faas.json b/experimental/generated/elasticsearch/composable/component/faas.json index f87ec45729..37adc56cea 100644 --- a/experimental/generated/elasticsearch/composable/component/faas.json +++ b/experimental/generated/elasticsearch/composable/component/faas.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-faas.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/file.json b/experimental/generated/elasticsearch/composable/component/file.json index 175a0cbab7..23726f8e0d 100644 --- a/experimental/generated/elasticsearch/composable/component/file.json +++ b/experimental/generated/elasticsearch/composable/component/file.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/group.json b/experimental/generated/elasticsearch/composable/component/group.json index d553ed9148..2d1d44be2a 100644 --- a/experimental/generated/elasticsearch/composable/component/group.json +++ b/experimental/generated/elasticsearch/composable/component/group.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-group.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/host.json b/experimental/generated/elasticsearch/composable/component/host.json index b62d228655..e70d5efb99 100644 --- a/experimental/generated/elasticsearch/composable/component/host.json +++ b/experimental/generated/elasticsearch/composable/component/host.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/http.json b/experimental/generated/elasticsearch/composable/component/http.json index cd3cefba64..4d156eab39 100644 --- a/experimental/generated/elasticsearch/composable/component/http.json +++ b/experimental/generated/elasticsearch/composable/component/http.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/log.json b/experimental/generated/elasticsearch/composable/component/log.json index 6aae5a04e0..dfac9cfa24 100644 --- a/experimental/generated/elasticsearch/composable/component/log.json +++ b/experimental/generated/elasticsearch/composable/component/log.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/network.json b/experimental/generated/elasticsearch/composable/component/network.json index b170d396f5..cb42c402ce 100644 --- a/experimental/generated/elasticsearch/composable/component/network.json +++ b/experimental/generated/elasticsearch/composable/component/network.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/observer.json b/experimental/generated/elasticsearch/composable/component/observer.json index 80f43d522d..bcc07801e6 100644 --- a/experimental/generated/elasticsearch/composable/component/observer.json +++ b/experimental/generated/elasticsearch/composable/component/observer.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/orchestrator.json b/experimental/generated/elasticsearch/composable/component/orchestrator.json index f1eedca0d1..8c159f269f 100644 --- a/experimental/generated/elasticsearch/composable/component/orchestrator.json +++ b/experimental/generated/elasticsearch/composable/component/orchestrator.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-orchestrator.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/organization.json b/experimental/generated/elasticsearch/composable/component/organization.json index 49962ddcb3..d4bd623bbb 100644 --- a/experimental/generated/elasticsearch/composable/component/organization.json +++ b/experimental/generated/elasticsearch/composable/component/organization.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-organization.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/package.json b/experimental/generated/elasticsearch/composable/component/package.json index d7aa066318..2f8407105b 100644 --- a/experimental/generated/elasticsearch/composable/component/package.json +++ b/experimental/generated/elasticsearch/composable/component/package.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-package.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/process.json b/experimental/generated/elasticsearch/composable/component/process.json index 76b8983a3b..1f0700dc05 100644 --- a/experimental/generated/elasticsearch/composable/component/process.json +++ b/experimental/generated/elasticsearch/composable/component/process.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/registry.json b/experimental/generated/elasticsearch/composable/component/registry.json index 71753df64d..84a720c5c9 100644 --- a/experimental/generated/elasticsearch/composable/component/registry.json 
+++ b/experimental/generated/elasticsearch/composable/component/registry.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-registry.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/related.json b/experimental/generated/elasticsearch/composable/component/related.json index 529fa9a356..fb793ec7f1 100644 --- a/experimental/generated/elasticsearch/composable/component/related.json +++ b/experimental/generated/elasticsearch/composable/component/related.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-related.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/rule.json b/experimental/generated/elasticsearch/composable/component/rule.json index a614c71927..a60f42d277 100644 --- a/experimental/generated/elasticsearch/composable/component/rule.json +++ b/experimental/generated/elasticsearch/composable/component/rule.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/server.json b/experimental/generated/elasticsearch/composable/component/server.json index 102722875f..77be2f4c04 100644 --- a/experimental/generated/elasticsearch/composable/component/server.json +++ b/experimental/generated/elasticsearch/composable/component/server.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/service.json b/experimental/generated/elasticsearch/composable/component/service.json index 93a1f7fca9..7cbe9ebd19 100644 --- a/experimental/generated/elasticsearch/composable/component/service.json +++ b/experimental/generated/elasticsearch/composable/component/service.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/source.json b/experimental/generated/elasticsearch/composable/component/source.json index a17ed2a0a8..7e8dca104c 100644 --- a/experimental/generated/elasticsearch/composable/component/source.json +++ b/experimental/generated/elasticsearch/composable/component/source.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/threat.json b/experimental/generated/elasticsearch/composable/component/threat.json index 32056d1507..1e69b2af2b 100644 --- a/experimental/generated/elasticsearch/composable/component/threat.json +++ b/experimental/generated/elasticsearch/composable/component/threat.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-threat.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/tls.json b/experimental/generated/elasticsearch/composable/component/tls.json index 5ce583f817..4630b45bba 100644 --- a/experimental/generated/elasticsearch/composable/component/tls.json +++ b/experimental/generated/elasticsearch/composable/component/tls.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tls.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/tracing.json b/experimental/generated/elasticsearch/composable/component/tracing.json index b3485b8808..95814055f4 100644 --- a/experimental/generated/elasticsearch/composable/component/tracing.json +++ b/experimental/generated/elasticsearch/composable/component/tracing.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tracing.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/url.json b/experimental/generated/elasticsearch/composable/component/url.json index e2f6efe932..c227d871a7 100644 --- a/experimental/generated/elasticsearch/composable/component/url.json +++ b/experimental/generated/elasticsearch/composable/component/url.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/user.json b/experimental/generated/elasticsearch/composable/component/user.json index a2e9f72723..540d6558ed 100644 --- a/experimental/generated/elasticsearch/composable/component/user.json +++ b/experimental/generated/elasticsearch/composable/component/user.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/user_agent.json b/experimental/generated/elasticsearch/composable/component/user_agent.json index f95f4f22a1..165d8bfd6e 100644 --- a/experimental/generated/elasticsearch/composable/component/user_agent.json +++ b/experimental/generated/elasticsearch/composable/component/user_agent.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/volume.json b/experimental/generated/elasticsearch/composable/component/volume.json index a53f3b65d8..e3802fa838 100644 --- a/experimental/generated/elasticsearch/composable/component/volume.json +++ b/experimental/generated/elasticsearch/composable/component/volume.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-volume.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/vulnerability.json b/experimental/generated/elasticsearch/composable/component/vulnerability.json index 395e9a6cbe..e1431bfef4 100644 --- a/experimental/generated/elasticsearch/composable/component/vulnerability.json +++ b/experimental/generated/elasticsearch/composable/component/vulnerability.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/template.json b/experimental/generated/elasticsearch/composable/template.json index 5243ee3ba5..079b07510c 100644 --- a/experimental/generated/elasticsearch/composable/template.json 
+++ b/experimental/generated/elasticsearch/composable/template.json 
@@ -1,50 +1,50 @@ { "_meta": { "description": "Sample composable template that includes all ECS fields", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "composed_of": [ - "ecs_8.12.0-dev-exp_cgroup", - "ecs_8.12.0-dev-exp_base", - "ecs_8.12.0-dev-exp_agent", - "ecs_8.12.0-dev-exp_client", - "ecs_8.12.0-dev-exp_cloud", - "ecs_8.12.0-dev-exp_container", - "ecs_8.12.0-dev-exp_data_stream", - "ecs_8.12.0-dev-exp_destination", - "ecs_8.12.0-dev-exp_device", - "ecs_8.12.0-dev-exp_dll", - "ecs_8.12.0-dev-exp_dns", - "ecs_8.12.0-dev-exp_ecs", - "ecs_8.12.0-dev-exp_email", - "ecs_8.12.0-dev-exp_error", - "ecs_8.12.0-dev-exp_event", - "ecs_8.12.0-dev-exp_faas", - "ecs_8.12.0-dev-exp_file", - "ecs_8.12.0-dev-exp_group", - "ecs_8.12.0-dev-exp_host", - "ecs_8.12.0-dev-exp_http", - "ecs_8.12.0-dev-exp_log", - "ecs_8.12.0-dev-exp_network", - "ecs_8.12.0-dev-exp_observer", - "ecs_8.12.0-dev-exp_orchestrator", - "ecs_8.12.0-dev-exp_organization", - "ecs_8.12.0-dev-exp_package", - "ecs_8.12.0-dev-exp_process", - "ecs_8.12.0-dev-exp_registry", - "ecs_8.12.0-dev-exp_related", - "ecs_8.12.0-dev-exp_rule", - "ecs_8.12.0-dev-exp_server", - "ecs_8.12.0-dev-exp_service", - "ecs_8.12.0-dev-exp_source", - "ecs_8.12.0-dev-exp_threat", - "ecs_8.12.0-dev-exp_tls", - "ecs_8.12.0-dev-exp_tracing", - "ecs_8.12.0-dev-exp_url", - "ecs_8.12.0-dev-exp_user_agent", - "ecs_8.12.0-dev-exp_user", - "ecs_8.12.0-dev-exp_volume", - "ecs_8.12.0-dev-exp_vulnerability" + "ecs_9.0.0-dev-exp_cgroup", + "ecs_9.0.0-dev-exp_base", + "ecs_9.0.0-dev-exp_agent", + "ecs_9.0.0-dev-exp_client", + "ecs_9.0.0-dev-exp_cloud", + "ecs_9.0.0-dev-exp_container", + "ecs_9.0.0-dev-exp_data_stream", + "ecs_9.0.0-dev-exp_destination", + "ecs_9.0.0-dev-exp_device", + "ecs_9.0.0-dev-exp_dll", + "ecs_9.0.0-dev-exp_dns", + "ecs_9.0.0-dev-exp_ecs", + "ecs_9.0.0-dev-exp_email", + "ecs_9.0.0-dev-exp_error", + "ecs_9.0.0-dev-exp_event", + "ecs_9.0.0-dev-exp_faas", + "ecs_9.0.0-dev-exp_file", + 
"ecs_9.0.0-dev-exp_group", + "ecs_9.0.0-dev-exp_host", + "ecs_9.0.0-dev-exp_http", + "ecs_9.0.0-dev-exp_log", + "ecs_9.0.0-dev-exp_network", + "ecs_9.0.0-dev-exp_observer", + "ecs_9.0.0-dev-exp_orchestrator", + "ecs_9.0.0-dev-exp_organization", + "ecs_9.0.0-dev-exp_package", + "ecs_9.0.0-dev-exp_process", + "ecs_9.0.0-dev-exp_registry", + "ecs_9.0.0-dev-exp_related", + "ecs_9.0.0-dev-exp_rule", + "ecs_9.0.0-dev-exp_server", + "ecs_9.0.0-dev-exp_service", + "ecs_9.0.0-dev-exp_source", + "ecs_9.0.0-dev-exp_threat", + "ecs_9.0.0-dev-exp_tls", + "ecs_9.0.0-dev-exp_tracing", + "ecs_9.0.0-dev-exp_url", + "ecs_9.0.0-dev-exp_user_agent", + "ecs_9.0.0-dev-exp_user", + "ecs_9.0.0-dev-exp_volume", + "ecs_9.0.0-dev-exp_vulnerability" ], "index_patterns": [ "try-ecs-*" diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index bc7f446065..13003e6b81 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -4,7 +4,7 @@ ], "mappings": { "_meta": { - "version": "8.12.0-dev+exp" + "version": "9.0.0-dev+exp" }, "date_detection": false, "dynamic_templates": [ diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index fc1cab5897..05a7e4da52 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -1,5 +1,5 @@ # WARNING! Do not edit this file directly, it was generated by the ECS project, -# based on ECS version 8.12.0-dev. +# based on ECS version 9.0.0-dev. # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields. - key: ecs diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 8af3fac81a..177908f017 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
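Review bot: the `composed_of` rename from `ecs_8.12.0-dev-exp_*` to `ecs_9.0.0-dev-exp_*` means the sample `try-ecs-*` index template now references component templates that exist only once the regenerated `component/*.json` files have been loaded, and Elasticsearch rejects an index template whose `composed_of` entries are missing; anyone who loaded the 8.12.0-dev sample set is also left with the old `ecs_8.12.0-dev-exp_*` components orphaned. A short line in the usage docs stating "load components first, then `template.json`, and delete the previous version's components" would avoid that. Separately, the legacy template records the version as `_meta.version` while the composable template and every component use `_meta.ecs_version`; not introduced here, but a major-version bump is a natural point to align the two keys, and since 8.12.0-dev to 9.0.0-dev is a major bump, the changelog entry for it should spell out which deprecated fields 9.0 is expected to remove.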
@@ -1,1781 +1,1781 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description -8.12.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. -8.12.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. -8.12.0-dev,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer. -8.12.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. -8.12.0-dev,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. -8.12.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. -8.12.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. -8.12.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. -8.12.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. -8.12.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. -8.12.0-dev,true,client,client.address,keyword,extended,,,Client network address. -8.12.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.12.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.12.0-dev,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.12.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. -8.12.0-dev,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client. -8.12.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name. -8.12.0-dev,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. 
-8.12.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. -8.12.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.12.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name. -8.12.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.12.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.12.0-dev,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. -8.12.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.12.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. -8.12.0-dev,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.12.0-dev,true,client,client.ip,ip,core,,,IP address of the client. -8.12.0-dev,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. -8.12.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address -8.12.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port -8.12.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. -8.12.0-dev,true,client,client.port,long,core,,,Port of the client. -8.12.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." -8.12.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. -8.12.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.12.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.12.0-dev,true,client,client.user.email,keyword,extended,,,User email address. 
-8.12.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.12.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.12.0-dev,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.12.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. -8.12.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. -8.12.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -8.12.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -8.12.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. -8.12.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.12.0-dev,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. 
-8.12.0-dev,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. -8.12.0-dev,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -8.12.0-dev,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -8.12.0-dev,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine. -8.12.0-dev,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.12.0-dev,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id. -8.12.0-dev,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name. -8.12.0-dev,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider. -8.12.0-dev,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -8.12.0-dev,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name. -8.12.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. -8.12.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. -8.12.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. -8.12.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -8.12.0-dev,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. -8.12.0-dev,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id. -8.12.0-dev,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name. -8.12.0-dev,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." 
-8.12.0-dev,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -8.12.0-dev,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine. -8.12.0-dev,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.12.0-dev,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id. -8.12.0-dev,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name. -8.12.0-dev,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider. -8.12.0-dev,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -8.12.0-dev,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name. -8.12.0-dev,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -8.12.0-dev,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -8.12.0-dev,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -8.12.0-dev,true,container,container.id,keyword,core,,,Unique container id. -8.12.0-dev,true,container,container.image.hash.all,keyword,extended,array,[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26],An array of digests of the image the container was built on. -8.12.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. -8.12.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags. -8.12.0-dev,true,container,container.labels,object,extended,,,Image labels. -8.12.0-dev,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1." -8.12.0-dev,true,container,container.name,keyword,extended,,,Container name. 
-8.12.0-dev,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. -8.12.0-dev,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -8.12.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. -8.12.0-dev,true,container,container.security_context.privileged,boolean,extended,,,Indicates whether the container is running in privileged mode. -8.12.0-dev,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. -8.12.0-dev,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. -8.12.0-dev,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. -8.12.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address. -8.12.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.12.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.12.0-dev,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.12.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. -8.12.0-dev,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination. -8.12.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. -8.12.0-dev,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. -8.12.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. 
-8.12.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.12.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. -8.12.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.12.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.12.0-dev,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. -8.12.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.12.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. -8.12.0-dev,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.12.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. -8.12.0-dev,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. -8.12.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip -8.12.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port -8.12.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. -8.12.0-dev,true,destination,destination.port,long,core,,,Port of the destination. -8.12.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." -8.12.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. -8.12.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.12.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. 
-8.12.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address. -8.12.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.12.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.12.0-dev,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.12.0-dev,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. -8.12.0-dev,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. -8.12.0-dev,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. -8.12.0-dev,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. 
-8.12.0-dev,true,device,device.serial_number,keyword,core,,DJGAQS4CW5,Serial Number of the device -8.12.0-dev,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.12.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev,true,dll,dll.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -8.12.0-dev,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.12.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.12.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.12.0-dev,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.12.0-dev,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.12.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.12.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.12.0-dev,true,dll,dll.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -8.12.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. -8.12.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. -8.12.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. -8.12.0-dev,true,dll,dll.hash.sha384,keyword,extended,,,SHA384 hash. -8.12.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. -8.12.0-dev,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.12.0-dev,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. 
-8.12.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. -8.12.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. -8.12.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.12.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.12.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.12.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.12.0-dev,true,dll,dll.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.12.0-dev,true,dll,dll.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev,true,dll,dll.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,dll,dll.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,dll,dll.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.12.0-dev,true,dll,dll.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.12.0-dev,true,dll,dll.pe.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev,true,dll,dll.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,dll,dll.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
-8.12.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.12.0-dev,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.12.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.12.0-dev,true,dll,dll.pe.sections,nested,extended,array,,Section information of the PE file. -8.12.0-dev,true,dll,dll.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev,true,dll,dll.pe.sections.name,keyword,extended,,,PE Section List name. -8.12.0-dev,true,dll,dll.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.12.0-dev,true,dll,dll.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev,true,dll,dll.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.12.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. -8.12.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. -8.12.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. -8.12.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. -8.12.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. -8.12.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. -8.12.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. 
-8.12.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. -8.12.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. -8.12.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. -8.12.0-dev,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. -8.12.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." -8.12.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. -8.12.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.12.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. -8.12.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data -8.12.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. -8.12.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." -8.12.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. -8.12.0-dev,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. -8.12.0-dev,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. -8.12.0-dev,true,email,email.attachments.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -8.12.0-dev,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. -8.12.0-dev,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. 
-8.12.0-dev,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.12.0-dev,true,email,email.attachments.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.12.0-dev,true,email,email.attachments.file.hash.sha512,keyword,extended,,,SHA512 hash. -8.12.0-dev,true,email,email.attachments.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.12.0-dev,true,email,email.attachments.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.12.0-dev,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file. -8.12.0-dev,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file. -8.12.0-dev,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size. -8.12.0-dev,true,email,email.bcc.address,keyword,extended,array,bcc.user1@example.com,Email address of BCC recipient -8.12.0-dev,true,email,email.cc.address,keyword,extended,array,cc.user1@example.com,Email address of CC recipient -8.12.0-dev,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message. -8.12.0-dev,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered. -8.12.0-dev,true,email,email.direction,keyword,extended,,inbound,Direction of the message. -8.12.0-dev,true,email,email.from.address,keyword,extended,array,sender@example.com,The sender's email address. -8.12.0-dev,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source. -8.12.0-dev,true,email,email.message_id,wildcard,extended,,81ce15$8r2j59@mail01.example.com,Value from the Message-ID header. -8.12.0-dev,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed. -8.12.0-dev,true,email,email.reply_to.address,keyword,extended,array,reply.here@example.com,Address replies should be delivered to. 
-8.12.0-dev,true,email,email.sender.address,keyword,extended,,,Address of the message sender. -8.12.0-dev,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message. -8.12.0-dev,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. -8.12.0-dev,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient -8.12.0-dev,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. -8.12.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. -8.12.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. -8.12.0-dev,true,error,error.message,match_only_text,core,,,Error message. -8.12.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. -8.12.0-dev,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text. -8.12.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." -8.12.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. -8.12.0-dev,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. -8.12.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. -8.12.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event. -8.12.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. -8.12.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. -8.12.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. 
-8.12.0-dev,true,event,event.end,date,extended,,,`event.end` contains the date when the event ended or when the activity was last observed. -8.12.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. -8.12.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. -8.12.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. -8.12.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. -8.12.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. -8.12.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. -8.12.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. -8.12.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. -8.12.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" -8.12.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL -8.12.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. -8.12.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). -8.12.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event. -8.12.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event. 
-8.12.0-dev,true,event,event.start,date,extended,,,`event.start` contains the date when the event started or when the activity was first observed. -8.12.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone. -8.12.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. -8.12.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL -8.12.0-dev,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function. -8.12.0-dev,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. -8.12.0-dev,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. -8.12.0-dev,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. -8.12.0-dev,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." -8.12.0-dev,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. -8.12.0-dev,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. -8.12.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. -8.12.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.12.0-dev,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.12.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev,true,file,file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -8.12.0-dev,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 
-8.12.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.12.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.12.0-dev,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.12.0-dev,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.12.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.12.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.12.0-dev,true,file,file.created,date,extended,,,File creation time. -8.12.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.12.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. -8.12.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.12.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.12.0-dev,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.12.0-dev,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.12.0-dev,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.12.0-dev,true,file,file.elf.creation_date,date,extended,,,Build or compile date. -8.12.0-dev,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.12.0-dev,true,file,file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. 
-8.12.0-dev,true,file,file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev,true,file,file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,file,file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,file,file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.12.0-dev,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.12.0-dev,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.12.0-dev,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.12.0-dev,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.12.0-dev,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.12.0-dev,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.12.0-dev,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.12.0-dev,true,file,file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.12.0-dev,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev,true,file,file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,file,file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. 
-8.12.0-dev,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.12.0-dev,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.12.0-dev,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.12.0-dev,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.12.0-dev,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.12.0-dev,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.12.0-dev,true,file,file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.12.0-dev,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.12.0-dev,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. -8.12.0-dev,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.12.0-dev,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.12.0-dev,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.12.0-dev,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.12.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.12.0-dev,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.12.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.12.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. 
-8.12.0-dev,true,file,file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -8.12.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. -8.12.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. -8.12.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. -8.12.0-dev,true,file,file.hash.sha384,keyword,extended,,,SHA384 hash. -8.12.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. -8.12.0-dev,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.12.0-dev,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. -8.12.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.12.0-dev,true,file,file.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -8.12.0-dev,true,file,file.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev,true,file,file.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,file,file.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,file,file.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev,true,file,file.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -8.12.0-dev,true,file,file.macho.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev,true,file,file.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,file,file.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
-8.12.0-dev,true,file,file.macho.sections,nested,extended,array,,Section information of the Mach-O file. -8.12.0-dev,true,file,file.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev,true,file,file.macho.sections.name,keyword,extended,,,Mach-O Section List name. -8.12.0-dev,true,file,file.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -8.12.0-dev,true,file,file.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev,true,file,file.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -8.12.0-dev,true,file,file.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -8.12.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.12.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. -8.12.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified. -8.12.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.12.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username. -8.12.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.12.0-dev,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.12.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.12.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.12.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 
-8.12.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.12.0-dev,true,file,file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.12.0-dev,true,file,file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev,true,file,file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,file,file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,file,file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.12.0-dev,true,file,file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.12.0-dev,true,file,file.pe.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev,true,file,file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,file,file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.12.0-dev,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.12.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.12.0-dev,true,file,file.pe.sections,nested,extended,array,,Section information of the PE file. 
-8.12.0-dev,true,file,file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev,true,file,file.pe.sections.name,keyword,extended,,,PE Section List name. -8.12.0-dev,true,file,file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.12.0-dev,true,file,file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev,true,file,file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.12.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. -8.12.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks. -8.12.0-dev,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.12.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -8.12.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.12.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.12.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.12.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.12.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.12.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.12.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. 
-8.12.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.12.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.12.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.12.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.12.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.12.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.12.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.12.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.12.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.12.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.12.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.12.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-8.12.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.12.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.12.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.12.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.12.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.12.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,group,group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. -8.12.0-dev,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id -8.12.0-dev,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -8.12.0-dev,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -8.12.0-dev,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -8.12.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. -8.12.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name. -8.12.0-dev,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. -8.12.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. -8.12.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.12.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name. 
-8.12.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.12.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.12.0-dev,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. -8.12.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.12.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. -8.12.0-dev,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.12.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host. -8.12.0-dev,true,host,host.id,keyword,core,,,Unique host id. -8.12.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. -8.12.0-dev,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. -8.12.0-dev,true,host,host.name,keyword,core,,,Name of the host. -8.12.0-dev,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. -8.12.0-dev,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. -8.12.0-dev,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -8.12.0-dev,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. -8.12.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.12.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.12.0-dev,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.12.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. 
-8.12.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.12.0-dev,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.12.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.12.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -8.12.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.12.0-dev,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode -8.12.0-dev,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.12.0-dev,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.12.0-dev,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.12.0-dev,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.12.0-dev,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.12.0-dev,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -8.12.0-dev,true,host,host.type,keyword,core,,,Type of host. -8.12.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. -8.12.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. 
-8.12.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. -8.12.0-dev,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body. -8.12.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). -8.12.0-dev,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. -8.12.0-dev,true,http,http.request.method,keyword,extended,,POST,HTTP request method. -8.12.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. -8.12.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. -8.12.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. -8.12.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. -8.12.0-dev,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body. -8.12.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). -8.12.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. -8.12.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code. -8.12.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version. -8.12.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. -8.12.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event. -8.12.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. -8.12.0-dev,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event. 
-8.12.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. -8.12.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. -8.12.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata -8.12.0-dev,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. -8.12.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. -8.12.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. -8.12.0-dev,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. -8.12.0-dev,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. -8.12.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. -8.12.0-dev,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. -8.12.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. -8.12.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. -8.12.0-dev,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages. -8.12.0-dev,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. -8.12.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name. -8.12.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. -8.12.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. -8.12.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. 
-8.12.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. -8.12.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. -8.12.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information -8.12.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.12.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.12.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. -8.12.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions. -8.12.0-dev,true,network,network.protocol,keyword,core,,http,Application protocol name. -8.12.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. -8.12.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" -8.12.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.12.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.12.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information -8.12.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias -8.12.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID -8.12.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name -8.12.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.12.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. 
-8.12.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone -8.12.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. -8.12.0-dev,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. -8.12.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. -8.12.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.12.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. -8.12.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.12.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.12.0-dev,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. -8.12.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.12.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. -8.12.0-dev,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.12.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. -8.12.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information -8.12.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias -8.12.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID -8.12.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name -8.12.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.12.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. 
-8.12.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone -8.12.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. -8.12.0-dev,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. -8.12.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. -8.12.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.12.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.12.0-dev,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.12.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -8.12.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.12.0-dev,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.12.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.12.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -8.12.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.12.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. -8.12.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. -8.12.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. -8.12.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. 
-8.12.0-dev,true,observer,observer.version,keyword,core,,,Observer version. -8.12.0-dev,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action -8.12.0-dev,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster. -8.12.0-dev,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster. -8.12.0-dev,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster. -8.12.0-dev,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. -8.12.0-dev,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. -8.12.0-dev,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). -8.12.0-dev,true,orchestrator,orchestrator.resource.annotation,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of annotations added to the resource. -8.12.0-dev,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. -8.12.0-dev,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. -8.12.0-dev,true,orchestrator,orchestrator.resource.label,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of labels added to the resource. -8.12.0-dev,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. -8.12.0-dev,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. -8.12.0-dev,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. 
-8.12.0-dev,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)." -8.12.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. -8.12.0-dev,true,organization,organization.name,keyword,extended,,,Organization name. -8.12.0-dev,true,organization,organization.name.text,match_only_text,extended,,,Organization name. -8.12.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. -8.12.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information -8.12.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. -8.12.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. -8.12.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." -8.12.0-dev,true,package,package.installed,date,extended,,,Time when package was installed. -8.12.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license -8.12.0-dev,true,package,package.name,keyword,extended,,go,Package name -8.12.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. -8.12.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL -8.12.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes. -8.12.0-dev,true,package,package.type,keyword,extended,,rpm,Package type -8.12.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version -8.12.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 
-8.12.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. -8.12.0-dev,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.12.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev,true,process,process.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -8.12.0-dev,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.12.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.12.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.12.0-dev,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.12.0-dev,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.12.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.12.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.12.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.12.0-dev,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.12.0-dev,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.12.0-dev,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. 
-8.12.0-dev,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.12.0-dev,true,process,process.elf.creation_date,date,extended,,,Build or compile date. -8.12.0-dev,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. -8.12.0-dev,true,process,process.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.12.0-dev,true,process,process.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev,true,process,process.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,process,process.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,process,process.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.12.0-dev,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.12.0-dev,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.12.0-dev,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.12.0-dev,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.12.0-dev,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.12.0-dev,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.12.0-dev,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. -8.12.0-dev,true,process,process.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. 
-8.12.0-dev,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev,true,process,process.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,process,process.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. -8.12.0-dev,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.12.0-dev,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.12.0-dev,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. -8.12.0-dev,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.12.0-dev,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.12.0-dev,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. -8.12.0-dev,true,process,process.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.12.0-dev,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.12.0-dev,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. -8.12.0-dev,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.12.0-dev,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. 
-8.12.0-dev,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.12.0-dev,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.12.0-dev,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -8.12.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.12.0-dev,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. -8.12.0-dev,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.entry_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.12.0-dev,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.12.0-dev,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. -8.12.0-dev,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. 
-8.12.0-dev,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.12.0-dev,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. -8.12.0-dev,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. -8.12.0-dev,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. -8.12.0-dev,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. -8.12.0-dev,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev,true,process,process.entry_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. -8.12.0-dev,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev,true,process,process.entry_leader.parent.vpid,long,core,,4242,Virtual process id. -8.12.0-dev,true,process,process.entry_leader.pid,long,core,,4242,Process id. -8.12.0-dev,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-8.12.0-dev,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -8.12.0-dev,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. -8.12.0-dev,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. 
-8.12.0-dev,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.12.0-dev,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.entry_leader.vpid,long,core,,4242,Virtual process id. -8.12.0-dev,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.12.0-dev,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.12.0-dev,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. -8.12.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. -8.12.0-dev,true,process,process.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,process,process.group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.12.0-dev,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. -8.12.0-dev,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
-8.12.0-dev,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.12.0-dev,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.12.0-dev,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. -8.12.0-dev,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. -8.12.0-dev,true,process,process.group_leader.pid,long,core,,4242,Process id. -8.12.0-dev,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
-8.12.0-dev,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -8.12.0-dev,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. -8.12.0-dev,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.12.0-dev,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.12.0-dev,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
-8.12.0-dev,true,process,process.group_leader.vpid,long,core,,4242,Virtual process id. -8.12.0-dev,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.12.0-dev,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.12.0-dev,true,process,process.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -8.12.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. -8.12.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. -8.12.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. -8.12.0-dev,true,process,process.hash.sha384,keyword,extended,,,SHA384 hash. -8.12.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. -8.12.0-dev,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.12.0-dev,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. -8.12.0-dev,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.12.0-dev,true,process,process.io,object,extended,,,A chunk of input or output (IO) from a single process. -8.12.0-dev,true,process,process.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. -8.12.0-dev,true,process,process.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. -8.12.0-dev,true,process,process.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. -8.12.0-dev,true,process,process.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." 
-8.12.0-dev,true,process,process.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. -8.12.0-dev,true,process,process.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. -8.12.0-dev,true,process,process.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. -8.12.0-dev,true,process,process.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. -8.12.0-dev,true,process,process.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -8.12.0-dev,true,process,process.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev,true,process,process.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,process,process.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,process,process.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev,true,process,process.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -8.12.0-dev,true,process,process.macho.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev,true,process,process.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,process,process.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,process,process.macho.sections,nested,extended,array,,Section information of the Mach-O file. 
-8.12.0-dev,true,process,process.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev,true,process,process.macho.sections.name,keyword,extended,,,Mach-O Section List name. -8.12.0-dev,true,process,process.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -8.12.0-dev,true,process,process.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -8.12.0-dev,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -8.12.0-dev,true,process,process.name,keyword,extended,,ssh,Process name. -8.12.0-dev,true,process,process.name.text,match_only_text,extended,,ssh,Process name. -8.12.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.12.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. -8.12.0-dev,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.12.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev,true,process,process.parent.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -8.12.0-dev,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.12.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
-8.12.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.12.0-dev,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.12.0-dev,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.12.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.12.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.12.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.12.0-dev,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.12.0-dev,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.12.0-dev,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.12.0-dev,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.12.0-dev,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. -8.12.0-dev,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. -8.12.0-dev,true,process,process.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.12.0-dev,true,process,process.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. 
-8.12.0-dev,true,process,process.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,process,process.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,process,process.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.12.0-dev,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.12.0-dev,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.12.0-dev,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.12.0-dev,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.12.0-dev,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.12.0-dev,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.12.0-dev,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. -8.12.0-dev,true,process,process.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.12.0-dev,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev,true,process,process.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,process,process.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
-8.12.0-dev,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. -8.12.0-dev,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.12.0-dev,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.12.0-dev,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. -8.12.0-dev,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.12.0-dev,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.12.0-dev,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. -8.12.0-dev,true,process,process.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.12.0-dev,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.12.0-dev,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. -8.12.0-dev,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.12.0-dev,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. -8.12.0-dev,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.12.0-dev,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.12.0-dev,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. 
-8.12.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. -8.12.0-dev,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,process,process.parent.group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. -8.12.0-dev,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id. -8.12.0-dev,true,process,process.parent.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -8.12.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. -8.12.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. -8.12.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. -8.12.0-dev,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash. -8.12.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. -8.12.0-dev,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.12.0-dev,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. -8.12.0-dev,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. 
-8.12.0-dev,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -8.12.0-dev,true,process,process.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev,true,process,process.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,process,process.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,process,process.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev,true,process,process.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -8.12.0-dev,true,process,process.parent.macho.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev,true,process,process.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,process,process.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,process,process.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file. -8.12.0-dev,true,process,process.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev,true,process,process.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name. -8.12.0-dev,true,process,process.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -8.12.0-dev,true,process,process.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 
-8.12.0-dev,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -8.12.0-dev,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -8.12.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name. -8.12.0-dev,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. -8.12.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.12.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.12.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.12.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.12.0-dev,true,process,process.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.12.0-dev,true,process,process.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev,true,process,process.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,process,process.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,process,process.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.12.0-dev,true,process,process.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. 
-8.12.0-dev,true,process,process.parent.pe.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev,true,process,process.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,process,process.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.12.0-dev,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.12.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.12.0-dev,true,process,process.parent.pe.sections,nested,extended,array,,Section information of the PE file. -8.12.0-dev,true,process,process.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev,true,process,process.parent.pe.sections.name,keyword,extended,,,PE Section List name. -8.12.0-dev,true,process,process.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.12.0-dev,true,process,process.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev,true,process,process.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.12.0-dev,true,process,process.parent.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. -8.12.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. 
-8.12.0-dev,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.parent.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. -8.12.0-dev,true,process,process.parent.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. 
-8.12.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. -8.12.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. -8.12.0-dev,true,process,process.parent.title,keyword,extended,,,Process title. -8.12.0-dev,true,process,process.parent.title.text,match_only_text,extended,,,Process title. -8.12.0-dev,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. -8.12.0-dev,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.12.0-dev,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.12.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. -8.12.0-dev,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.parent.vpid,long,core,,4242,Virtual process id. -8.12.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.12.0-dev,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.12.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.12.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.12.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.12.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 
-8.12.0-dev,true,process,process.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.12.0-dev,true,process,process.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev,true,process,process.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,process,process.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,process,process.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.12.0-dev,true,process,process.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.12.0-dev,true,process,process.pe.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev,true,process,process.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,process,process.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.12.0-dev,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.12.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.12.0-dev,true,process,process.pe.sections,nested,extended,array,,Section information of the PE file. 
-8.12.0-dev,true,process,process.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev,true,process,process.pe.sections.name,keyword,extended,,,PE Section List name. -8.12.0-dev,true,process,process.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.12.0-dev,true,process,process.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev,true,process,process.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.12.0-dev,true,process,process.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. -8.12.0-dev,true,process,process.pid,long,core,,4242,Process id. -8.12.0-dev,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.12.0-dev,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. -8.12.0-dev,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,process,process.real_group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-8.12.0-dev,true,process,process.saved_group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.12.0-dev,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array. -8.12.0-dev,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.12.0-dev,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.12.0-dev,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.12.0-dev,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. 
-8.12.0-dev,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. -8.12.0-dev,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. -8.12.0-dev,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. -8.12.0-dev,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev,true,process,process.session_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. -8.12.0-dev,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev,true,process,process.session_leader.parent.vpid,long,core,,4242,Virtual process id. -8.12.0-dev,true,process,process.session_leader.pid,long,core,,4242,Process id. -8.12.0-dev,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. 
-8.12.0-dev,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. -8.12.0-dev,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.12.0-dev,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.12.0-dev,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.session_leader.vpid,long,core,,4242,Virtual process id. 
-8.12.0-dev,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.12.0-dev,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.12.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. -8.12.0-dev,true,process,process.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. -8.12.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. -8.12.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. -8.12.0-dev,true,process,process.title,keyword,extended,,,Process title. -8.12.0-dev,true,process,process.title.text,match_only_text,extended,,,Process title. -8.12.0-dev,true,process,process.tty,object,extended,,,Information about the controlling TTY device. -8.12.0-dev,true,process,process.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.12.0-dev,true,process,process.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.12.0-dev,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width -8.12.0-dev,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height -8.12.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. 
-8.12.0-dev,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.vpid,long,core,,4242,Virtual process id. -8.12.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.12.0-dev,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.12.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.12.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -8.12.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.12.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.12.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -8.12.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.12.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. -8.12.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. -8.12.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. -8.12.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. 
-8.12.0-dev,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. -8.12.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author -8.12.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category -8.12.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description -8.12.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID -8.12.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license -8.12.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name -8.12.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL -8.12.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset -8.12.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID -8.12.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version -8.12.0-dev,true,server,server.address,keyword,extended,,,Server network address. -8.12.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.12.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.12.0-dev,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.12.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. -8.12.0-dev,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server. -8.12.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name. -8.12.0-dev,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. -8.12.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. -8.12.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. 
-8.12.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name. -8.12.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.12.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.12.0-dev,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. -8.12.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.12.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. -8.12.0-dev,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.12.0-dev,true,server,server.ip,ip,core,,,IP address of the server. -8.12.0-dev,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. -8.12.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip -8.12.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port -8.12.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. -8.12.0-dev,true,server,server.port,long,core,,,Port of the server. -8.12.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." -8.12.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. -8.12.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.12.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.12.0-dev,true,server,server.user.email,keyword,extended,,,User email address. -8.12.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
-8.12.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.12.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.12.0-dev,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.12.0-dev,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.12.0-dev,true,service,service.environment,keyword,extended,,production,Environment of the service. -8.12.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.12.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.12.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. -8.12.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.12.0-dev,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.12.0-dev,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -8.12.0-dev,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. 
-8.12.0-dev,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. -8.12.0-dev,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.12.0-dev,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.12.0-dev,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. -8.12.0-dev,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.12.0-dev,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.12.0-dev,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -8.12.0-dev,true,service,service.origin.state,keyword,core,,,Current state of the service. -8.12.0-dev,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. -8.12.0-dev,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. -8.12.0-dev,true,service,service.state,keyword,core,,,Current state of the service. -8.12.0-dev,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.12.0-dev,true,service,service.target.environment,keyword,extended,,production,Environment of the service. -8.12.0-dev,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.12.0-dev,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.12.0-dev,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. -8.12.0-dev,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. 
-8.12.0-dev,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.12.0-dev,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -8.12.0-dev,true,service,service.target.state,keyword,core,,,Current state of the service. -8.12.0-dev,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. -8.12.0-dev,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. -8.12.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service. -8.12.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service. -8.12.0-dev,true,source,source.address,keyword,extended,,,Source network address. -8.12.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.12.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.12.0-dev,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.12.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. -8.12.0-dev,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source. -8.12.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name. -8.12.0-dev,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. -8.12.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. -8.12.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.12.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name. -8.12.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.12.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. 
-8.12.0-dev,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. -8.12.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.12.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. -8.12.0-dev,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.12.0-dev,true,source,source.ip,ip,core,,,IP address of the source. -8.12.0-dev,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. -8.12.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip -8.12.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port -8.12.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. -8.12.0-dev,true,source,source.port,long,core,,,Port of the source. -8.12.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -8.12.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. -8.12.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.12.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.12.0-dev,true,source,source.user.email,keyword,extended,,,User email address. -8.12.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.12.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group. 
-8.12.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.12.0-dev,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.12.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. -8.12.0-dev,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. -8.12.0-dev,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. -8.12.0-dev,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.12.0-dev,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.12.0-dev,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.12.0-dev,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating -8.12.0-dev,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -8.12.0-dev,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address -8.12.0-dev,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. 
-8.12.0-dev,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. 
-8.12.0-dev,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
-8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. 
-8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. 
-8.12.0-dev,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.12.0-dev,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.12.0-dev,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. 
-8.12.0-dev,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.12.0-dev,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.12.0-dev,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
-8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. 
-8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -8.12.0-dev,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
-8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.12.0-dev,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. 
-8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.12.0-dev,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. -8.12.0-dev,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. -8.12.0-dev,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. -8.12.0-dev,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. 
-8.12.0-dev,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.12.0-dev,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. -8.12.0-dev,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.12.0-dev,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.12.0-dev,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. -8.12.0-dev,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.12.0-dev,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. -8.12.0-dev,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.12.0-dev,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address -8.12.0-dev,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. -8.12.0-dev,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking -8.12.0-dev,true,threat,threat.enrichments.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version -8.12.0-dev,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. 
-8.12.0-dev,true,threat,threat.enrichments.indicator.name,keyword,extended,,5.2.75.227,Indicator display name -8.12.0-dev,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port -8.12.0-dev,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider -8.12.0-dev,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL -8.12.0-dev,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.12.0-dev,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -8.12.0-dev,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.12.0-dev,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.12.0-dev,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -8.12.0-dev,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.12.0-dev,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. 
-8.12.0-dev,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics -8.12.0-dev,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed -8.12.0-dev,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator -8.12.0-dev,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.12.0-dev,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -8.12.0-dev,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.12.0-dev,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.12.0-dev,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.12.0-dev,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.12.0-dev,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.12.0-dev,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. -8.12.0-dev,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.12.0-dev,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." -8.12.0-dev,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. 
-8.12.0-dev,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.12.0-dev,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. -8.12.0-dev,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.12.0-dev,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.12.0-dev,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-8.12.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.12.0-dev,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-8.12.0-dev,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. -8.12.0-dev,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value -8.12.0-dev,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field -8.12.0-dev,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier -8.12.0-dev,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index -8.12.0-dev,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05T17:00:58.326Z,Date of match -8.12.0-dev,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match -8.12.0-dev,true,threat,threat.feed.dashboard_id,keyword,extended,,5ba16340-72e6-11eb-a3e3-b3cc7c78a70f,Feed dashboard ID. -8.12.0-dev,true,threat,threat.feed.description,keyword,extended,,Threat feed from the AlienVault Open Threat eXchange network.,Description of the threat feed. -8.12.0-dev,true,threat,threat.feed.name,keyword,extended,,AlienVault OTX,Name of the threat feed. -8.12.0-dev,true,threat,threat.feed.reference,keyword,extended,,https://otx.alienvault.com,Reference for the threat feed. 
-8.12.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. -8.12.0-dev,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. -8.12.0-dev,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. -8.12.0-dev,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. -8.12.0-dev,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. -8.12.0-dev,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.12.0-dev,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.12.0-dev,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.12.0-dev,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating -8.12.0-dev,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -8.12.0-dev,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address -8.12.0-dev,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. -8.12.0-dev,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.12.0-dev,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.12.0-dev,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 
-8.12.0-dev,true,threat,threat.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -8.12.0-dev,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.12.0-dev,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.12.0-dev,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.12.0-dev,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.12.0-dev,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.12.0-dev,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.12.0-dev,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.12.0-dev,true,threat,threat.indicator.file.created,date,extended,,,File creation time. -8.12.0-dev,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.12.0-dev,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. -8.12.0-dev,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.12.0-dev,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.12.0-dev,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. 
-8.12.0-dev,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.12.0-dev,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.12.0-dev,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. -8.12.0-dev,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.12.0-dev,true,threat,threat.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.12.0-dev,true,threat,threat.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev,true,threat,threat.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,threat,threat.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,threat,threat.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.12.0-dev,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.12.0-dev,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.12.0-dev,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.12.0-dev,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.12.0-dev,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. 
-8.12.0-dev,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.12.0-dev,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.12.0-dev,true,threat,threat.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.12.0-dev,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev,true,threat,threat.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,threat,threat.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. -8.12.0-dev,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.12.0-dev,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.12.0-dev,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.12.0-dev,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.12.0-dev,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.12.0-dev,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.12.0-dev,true,threat,threat.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 
-8.12.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.12.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.12.0-dev,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. -8.12.0-dev,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.12.0-dev,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.12.0-dev,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.12.0-dev,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.12.0-dev,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.12.0-dev,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.12.0-dev,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.12.0-dev,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. -8.12.0-dev,true,threat,threat.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -8.12.0-dev,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. -8.12.0-dev,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.12.0-dev,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.12.0-dev,true,threat,threat.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.12.0-dev,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. 
-8.12.0-dev,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.12.0-dev,true,threat,threat.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.12.0-dev,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.12.0-dev,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.12.0-dev,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. -8.12.0-dev,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. -8.12.0-dev,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.12.0-dev,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. -8.12.0-dev,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.12.0-dev,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.12.0-dev,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.12.0-dev,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.12.0-dev,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.12.0-dev,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.12.0-dev,true,threat,threat.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. 
-8.12.0-dev,true,threat,threat.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev,true,threat,threat.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,threat,threat.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,threat,threat.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.12.0-dev,true,threat,threat.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.12.0-dev,true,threat,threat.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev,true,threat,threat.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,threat,threat.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.12.0-dev,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.12.0-dev,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.12.0-dev,true,threat,threat.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. 
-8.12.0-dev,true,threat,threat.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev,true,threat,threat.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. -8.12.0-dev,true,threat,threat.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.12.0-dev,true,threat,threat.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev,true,threat,threat.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.12.0-dev,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. -8.12.0-dev,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. -8.12.0-dev,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.12.0-dev,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -8.12.0-dev,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.12.0-dev,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.12.0-dev,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.12.0-dev,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.12.0-dev,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
-8.12.0-dev,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.12.0-dev,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.12.0-dev,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.12.0-dev,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.12.0-dev,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.12.0-dev,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.12.0-dev,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.12.0-dev,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.12.0-dev,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.12.0-dev,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.12.0-dev,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. 
-8.12.0-dev,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.12.0-dev,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.12.0-dev,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.12.0-dev,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.12.0-dev,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.12.0-dev,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.12.0-dev,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.12.0-dev,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. -8.12.0-dev,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. -8.12.0-dev,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. -8.12.0-dev,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. -8.12.0-dev,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.12.0-dev,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. -8.12.0-dev,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
-8.12.0-dev,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.12.0-dev,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. -8.12.0-dev,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.12.0-dev,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. -8.12.0-dev,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.12.0-dev,true,threat,threat.indicator.id,keyword,extended,array,[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37],ID of the indicator -8.12.0-dev,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address -8.12.0-dev,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. -8.12.0-dev,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking -8.12.0-dev,true,threat,threat.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version -8.12.0-dev,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. -8.12.0-dev,true,threat,threat.indicator.name,keyword,extended,,5.2.75.227,Indicator display name -8.12.0-dev,true,threat,threat.indicator.port,long,extended,,443,Indicator port -8.12.0-dev,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider -8.12.0-dev,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL -8.12.0-dev,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.12.0-dev,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. 
-8.12.0-dev,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.12.0-dev,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.12.0-dev,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -8.12.0-dev,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.12.0-dev,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. -8.12.0-dev,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics -8.12.0-dev,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed -8.12.0-dev,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator -8.12.0-dev,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.12.0-dev,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -8.12.0-dev,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.12.0-dev,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.12.0-dev,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.12.0-dev,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. 
-8.12.0-dev,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.12.0-dev,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. -8.12.0-dev,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.12.0-dev,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." -8.12.0-dev,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. -8.12.0-dev,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.12.0-dev,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. -8.12.0-dev,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.12.0-dev,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.12.0-dev,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. -8.12.0-dev,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.12.0-dev,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.12.0-dev,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.12.0-dev,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
-8.12.0-dev,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.12.0-dev,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.12.0-dev,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.12.0-dev,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.12.0-dev,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.12.0-dev,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.12.0-dev,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.12.0-dev,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.12.0-dev,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.12.0-dev,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.12.0-dev,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.12.0-dev,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
-8.12.0-dev,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.12.0-dev,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.12.0-dev,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.12.0-dev,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.12.0-dev,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.12.0-dev,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. -8.12.0-dev,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software -8.12.0-dev,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software -8.12.0-dev,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. -8.12.0-dev,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. -8.12.0-dev,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. -8.12.0-dev,true,threat,threat.software.type,keyword,extended,,Tool,Software type. -8.12.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. -8.12.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. -8.12.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. 
-8.12.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. -8.12.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. -8.12.0-dev,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name. -8.12.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. -8.12.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. -8.12.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. -8.12.0-dev,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name. -8.12.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. -8.12.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. -8.12.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. -8.12.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. -8.12.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. -8.12.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. 
-8.12.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. -8.12.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. -8.12.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. -8.12.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. -8.12.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. -8.12.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. -8.12.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. -8.12.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. -8.12.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.12.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
-8.12.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.12.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.12.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.12.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.12.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.12.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.12.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.12.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.12.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.12.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.12.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.12.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. 
-8.12.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.12.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.12.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.12.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.12.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.12.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.12.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.12.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. -8.12.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." -8.12.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. -8.12.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. -8.12.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -8.12.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. 
-8.12.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. -8.12.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. -8.12.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. -8.12.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. -8.12.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. -8.12.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. -8.12.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. -8.12.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. -8.12.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. -8.12.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.12.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
-8.12.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.12.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.12.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.12.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.12.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.12.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.12.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.12.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.12.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.12.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.12.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.12.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. 
-8.12.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.12.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.12.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.12.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.12.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.12.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.12.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.12.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. -8.12.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. -8.12.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. -8.12.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. -8.12.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. -8.12.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.12.0-dev,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." 
-8.12.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.12.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.12.0-dev,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.12.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.12.0-dev,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.12.0-dev,true,url,url.password,keyword,extended,,,Password of the request. -8.12.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.12.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443." -8.12.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. -8.12.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.12.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. -8.12.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.12.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.12.0-dev,true,url,url.username,keyword,extended,,,Username of the request. -8.12.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. -8.12.0-dev,true,user,user.changes.email,keyword,extended,,,User email address. -8.12.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
-8.12.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.12.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.12.0-dev,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.12.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.12.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. -8.12.0-dev,true,user,user.effective.email,keyword,extended,,,User email address. -8.12.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.12.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
-8.12.0-dev,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.12.0-dev,true,user,user.email,keyword,extended,,,User email address. -8.12.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.12.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.12.0-dev,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.12.0-dev,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. 
-8.12.0-dev,true,user,user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.12.0-dev,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.12.0-dev,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.12.0-dev,true,user,user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -8.12.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.12.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. -8.12.0-dev,true,user,user.target.email,keyword,extended,,,User email address. -8.12.0-dev,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.12.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.12.0-dev,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
-8.12.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.12.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. -8.12.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. -8.12.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -8.12.0-dev,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -8.12.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.12.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.12.0-dev,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.12.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -8.12.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.12.0-dev,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.12.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.12.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." 
-8.12.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.12.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. -8.12.0-dev,true,volume,volume.bus_type,keyword,extended,,FileBackedVirtual,Bus type of the device. -8.12.0-dev,true,volume,volume.default_access,keyword,extended,,,Bus type of the device. -8.12.0-dev,true,volume,volume.device_name,keyword,extended,,,Device name of the volume. -8.12.0-dev,true,volume,volume.device_type,keyword,extended,,CD-ROM File System,Volume device type. -8.12.0-dev,true,volume,volume.dos_name,keyword,extended,,E:,DOS name of the device. -8.12.0-dev,true,volume,volume.file_system_type,keyword,extended,,,Volume device file system type. -8.12.0-dev,true,volume,volume.mount_name,keyword,extended,,,Mount name of the volume. -8.12.0-dev,true,volume,volume.nt_name,keyword,extended,,\Device\Cdrom1,NT name of the device. -8.12.0-dev,true,volume,volume.product_id,keyword,extended,,,ProductID of the device. -8.12.0-dev,true,volume,volume.product_name,keyword,extended,,Virtual DVD-ROM,Produce name of the volume. -8.12.0-dev,true,volume,volume.removable,boolean,extended,,,Indicates if the volume is removable. -8.12.0-dev,true,volume,volume.serial_number,keyword,extended,,,Serial number of the device. -8.12.0-dev,true,volume,volume.size,long,extended,,,Size of the volume device in bytes. -8.12.0-dev,true,volume,volume.vendor_id,keyword,extended,,,VendorID of the device. -8.12.0-dev,true,volume,volume.vendor_name,keyword,extended,,Msft,Vendor name of the device. -8.12.0-dev,true,volume,volume.writable,boolean,extended,,,Indicates if the volume is writable. -8.12.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. -8.12.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. 
-8.12.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -8.12.0-dev,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -8.12.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. -8.12.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. -8.12.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. -8.12.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. -8.12.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. -8.12.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. -8.12.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. -8.12.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. -8.12.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. -8.12.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. +9.0.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. +9.0.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. +9.0.0-dev,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer. +9.0.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. 
+9.0.0-dev,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. +9.0.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. +9.0.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. +9.0.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. +9.0.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. +9.0.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. +9.0.0-dev,true,client,client.address,keyword,extended,,,Client network address. +9.0.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.0.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.0.0-dev,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.0.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. +9.0.0-dev,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client. +9.0.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name. +9.0.0-dev,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. +9.0.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. +9.0.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.0.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name. +9.0.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.0.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.0.0-dev,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. 
+9.0.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.0.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. +9.0.0-dev,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.0.0-dev,true,client,client.ip,ip,core,,,IP address of the client. +9.0.0-dev,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. +9.0.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address +9.0.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port +9.0.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. +9.0.0-dev,true,client,client.port,long,core,,,Port of the client. +9.0.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." +9.0.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. +9.0.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.0.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.0.0-dev,true,client,client.user.email,keyword,extended,,,User email address. +9.0.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.0.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
+9.0.0-dev,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.0.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. +9.0.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. +9.0.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +9.0.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +9.0.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. +9.0.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +9.0.0-dev,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. +9.0.0-dev,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. +9.0.0-dev,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +9.0.0-dev,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +9.0.0-dev,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine. +9.0.0-dev,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +9.0.0-dev,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id. 
+9.0.0-dev,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name. +9.0.0-dev,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider. +9.0.0-dev,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +9.0.0-dev,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name. +9.0.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. +9.0.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. +9.0.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. +9.0.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +9.0.0-dev,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. +9.0.0-dev,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id. +9.0.0-dev,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name. +9.0.0-dev,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +9.0.0-dev,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +9.0.0-dev,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine. +9.0.0-dev,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +9.0.0-dev,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id. +9.0.0-dev,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name. +9.0.0-dev,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider. 
+9.0.0-dev,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +9.0.0-dev,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name. +9.0.0-dev,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +9.0.0-dev,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +9.0.0-dev,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +9.0.0-dev,true,container,container.id,keyword,core,,,Unique container id. +9.0.0-dev,true,container,container.image.hash.all,keyword,extended,array,[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26],An array of digests of the image the container was built on. +9.0.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. +9.0.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags. +9.0.0-dev,true,container,container.labels,object,extended,,,Image labels. +9.0.0-dev,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1." +9.0.0-dev,true,container,container.name,keyword,extended,,,Container name. +9.0.0-dev,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +9.0.0-dev,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +9.0.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. +9.0.0-dev,true,container,container.security_context.privileged,boolean,extended,,,Indicates whether the container is running in privileged mode. +9.0.0-dev,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. 
+9.0.0-dev,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. +9.0.0-dev,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. +9.0.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address. +9.0.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.0.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.0.0-dev,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.0.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. +9.0.0-dev,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination. +9.0.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. +9.0.0-dev,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. +9.0.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. +9.0.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.0.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. +9.0.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.0.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.0.0-dev,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. +9.0.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.0.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. 
+9.0.0-dev,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.0.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. +9.0.0-dev,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. +9.0.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip +9.0.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port +9.0.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. +9.0.0-dev,true,destination,destination.port,long,core,,,Port of the destination. +9.0.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." +9.0.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. +9.0.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.0.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.0.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address. +9.0.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.0.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. 
+9.0.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.0.0-dev,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.0.0-dev,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. +9.0.0-dev,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. +9.0.0-dev,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. +9.0.0-dev,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. +9.0.0-dev,true,device,device.serial_number,keyword,core,,DJGAQS4CW5,Serial Number of the device +9.0.0-dev,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.0.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.0.0-dev,true,dll,dll.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.0.0-dev,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.0.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
+9.0.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.0.0-dev,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.0.0-dev,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.0.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.0.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.0.0-dev,true,dll,dll.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.0.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. +9.0.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. +9.0.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. +9.0.0-dev,true,dll,dll.hash.sha384,keyword,extended,,,SHA384 hash. +9.0.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. +9.0.0-dev,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.0.0-dev,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. +9.0.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. +9.0.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. +9.0.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.0.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.0.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.0.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 
+9.0.0-dev,true,dll,dll.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.0.0-dev,true,dll,dll.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev,true,dll,dll.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,dll,dll.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,dll,dll.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.0.0-dev,true,dll,dll.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.0.0-dev,true,dll,dll.pe.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev,true,dll,dll.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,dll,dll.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.0.0-dev,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.0.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.0.0-dev,true,dll,dll.pe.sections,nested,extended,array,,Section information of the PE file. +9.0.0-dev,true,dll,dll.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. 
+9.0.0-dev,true,dll,dll.pe.sections.name,keyword,extended,,,PE Section List name. +9.0.0-dev,true,dll,dll.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.0.0-dev,true,dll,dll.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev,true,dll,dll.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.0.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. +9.0.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. +9.0.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. +9.0.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. +9.0.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. +9.0.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. +9.0.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. +9.0.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. +9.0.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. +9.0.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. +9.0.0-dev,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. +9.0.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." +9.0.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. 
+9.0.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.0.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. +9.0.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data +9.0.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. +9.0.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." +9.0.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. +9.0.0-dev,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. +9.0.0-dev,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. +9.0.0-dev,true,email,email.attachments.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.0.0-dev,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. +9.0.0-dev,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. +9.0.0-dev,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. +9.0.0-dev,true,email,email.attachments.file.hash.sha384,keyword,extended,,,SHA384 hash. +9.0.0-dev,true,email,email.attachments.file.hash.sha512,keyword,extended,,,SHA512 hash. +9.0.0-dev,true,email,email.attachments.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.0.0-dev,true,email,email.attachments.file.hash.tlsh,keyword,extended,,,TLSH hash. +9.0.0-dev,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file. +9.0.0-dev,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file. +9.0.0-dev,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size. 
+9.0.0-dev,true,email,email.bcc.address,keyword,extended,array,bcc.user1@example.com,Email address of BCC recipient +9.0.0-dev,true,email,email.cc.address,keyword,extended,array,cc.user1@example.com,Email address of CC recipient +9.0.0-dev,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message. +9.0.0-dev,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered. +9.0.0-dev,true,email,email.direction,keyword,extended,,inbound,Direction of the message. +9.0.0-dev,true,email,email.from.address,keyword,extended,array,sender@example.com,The sender's email address. +9.0.0-dev,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source. +9.0.0-dev,true,email,email.message_id,wildcard,extended,,81ce15$8r2j59@mail01.example.com,Value from the Message-ID header. +9.0.0-dev,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed. +9.0.0-dev,true,email,email.reply_to.address,keyword,extended,array,reply.here@example.com,Address replies should be delivered to. +9.0.0-dev,true,email,email.sender.address,keyword,extended,,,Address of the message sender. +9.0.0-dev,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message. +9.0.0-dev,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. +9.0.0-dev,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient +9.0.0-dev,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. +9.0.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. +9.0.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. +9.0.0-dev,true,error,error.message,match_only_text,core,,,Error message. 
+9.0.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. +9.0.0-dev,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text. +9.0.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." +9.0.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. +9.0.0-dev,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. +9.0.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. +9.0.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event. +9.0.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. +9.0.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. +9.0.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. +9.0.0-dev,true,event,event.end,date,extended,,,`event.end` contains the date when the event ended or when the activity was last observed. +9.0.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +9.0.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. +9.0.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. +9.0.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. +9.0.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. 
+9.0.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +9.0.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. +9.0.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. +9.0.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" +9.0.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL +9.0.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +9.0.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). +9.0.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event. +9.0.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event. +9.0.0-dev,true,event,event.start,date,extended,,,`event.start` contains the date when the event started or when the activity was first observed. +9.0.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone. +9.0.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. +9.0.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL +9.0.0-dev,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function. +9.0.0-dev,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. 
+9.0.0-dev,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. +9.0.0-dev,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. +9.0.0-dev,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." +9.0.0-dev,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. +9.0.0-dev,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. +9.0.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. +9.0.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +9.0.0-dev,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.0.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.0.0-dev,true,file,file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.0.0-dev,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.0.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.0.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.0.0-dev,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.0.0-dev,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.0.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 
+9.0.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.0.0-dev,true,file,file.created,date,extended,,,File creation time. +9.0.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. +9.0.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. +9.0.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. +9.0.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +9.0.0-dev,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.0.0-dev,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.0.0-dev,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.0.0-dev,true,file,file.elf.creation_date,date,extended,,,Build or compile date. +9.0.0-dev,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. +9.0.0-dev,true,file,file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.0.0-dev,true,file,file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev,true,file,file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,file,file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,file,file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.0.0-dev,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. 
+9.0.0-dev,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.0.0-dev,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.0.0-dev,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.0.0-dev,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.0.0-dev,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.0.0-dev,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. +9.0.0-dev,true,file,file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.0.0-dev,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev,true,file,file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,file,file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. +9.0.0-dev,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.0.0-dev,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.0.0-dev,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. +9.0.0-dev,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.0.0-dev,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.0.0-dev,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. 
+9.0.0-dev,true,file,file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.0.0-dev,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.0.0-dev,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. +9.0.0-dev,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.0.0-dev,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. +9.0.0-dev,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.0.0-dev,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.0.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +9.0.0-dev,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +9.0.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +9.0.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. +9.0.0-dev,true,file,file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.0.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. +9.0.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. +9.0.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. +9.0.0-dev,true,file,file.hash.sha384,keyword,extended,,,SHA384 hash. +9.0.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. +9.0.0-dev,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.0.0-dev,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. +9.0.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. 
+9.0.0-dev,true,file,file.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +9.0.0-dev,true,file,file.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev,true,file,file.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,file,file.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,file,file.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev,true,file,file.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.0.0-dev,true,file,file.macho.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev,true,file,file.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,file,file.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,file,file.macho.sections,nested,extended,array,,Section information of the Mach-O file. +9.0.0-dev,true,file,file.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev,true,file,file.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.0.0-dev,true,file,file.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.0.0-dev,true,file,file.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev,true,file,file.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. 
+9.0.0-dev,true,file,file.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +9.0.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +9.0.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. +9.0.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified. +9.0.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +9.0.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username. +9.0.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.0.0-dev,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.0.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.0.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.0.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.0.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.0.0-dev,true,file,file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.0.0-dev,true,file,file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev,true,file,file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,file,file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 
+9.0.0-dev,true,file,file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.0.0-dev,true,file,file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.0.0-dev,true,file,file.pe.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev,true,file,file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,file,file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.0.0-dev,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.0.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.0.0-dev,true,file,file.pe.sections,nested,extended,array,,Section information of the PE file. +9.0.0-dev,true,file,file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev,true,file,file.pe.sections.name,keyword,extended,,,PE Section List name. +9.0.0-dev,true,file,file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.0.0-dev,true,file,file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev,true,file,file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.0.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. 
+9.0.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks. +9.0.0-dev,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. +9.0.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +9.0.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +9.0.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.0.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.0.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.0.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.0.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.0.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.0.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +9.0.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.0.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.0.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. 
+9.0.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.0.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.0.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.0.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.0.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.0.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.0.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.0.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +9.0.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.0.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.0.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.0.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. +9.0.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.0.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+9.0.0-dev,true,group,group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. +9.0.0-dev,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id +9.0.0-dev,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +9.0.0-dev,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +9.0.0-dev,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +9.0.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. +9.0.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name. +9.0.0-dev,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. +9.0.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. +9.0.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.0.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name. +9.0.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.0.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.0.0-dev,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. +9.0.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.0.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. +9.0.0-dev,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.0.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host. +9.0.0-dev,true,host,host.id,keyword,core,,,Unique host id. +9.0.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. +9.0.0-dev,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. 
+9.0.0-dev,true,host,host.name,keyword,core,,,Name of the host. +9.0.0-dev,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +9.0.0-dev,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. +9.0.0-dev,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +9.0.0-dev,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. +9.0.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +9.0.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.0.0-dev,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.0.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +9.0.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +9.0.0-dev,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +9.0.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +9.0.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +9.0.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +9.0.0-dev,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode +9.0.0-dev,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
+9.0.0-dev,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.0.0-dev,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.0.0-dev,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.0.0-dev,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.0.0-dev,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.0.0-dev,true,host,host.type,keyword,core,,,Type of host. +9.0.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. +9.0.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. +9.0.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. +9.0.0-dev,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body. +9.0.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). +9.0.0-dev,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. +9.0.0-dev,true,http,http.request.method,keyword,extended,,POST,HTTP request method. +9.0.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. +9.0.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. +9.0.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. 
+9.0.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. +9.0.0-dev,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body. +9.0.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). +9.0.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. +9.0.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code. +9.0.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version. +9.0.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. +9.0.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event. +9.0.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. +9.0.0-dev,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event. +9.0.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. +9.0.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. +9.0.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata +9.0.0-dev,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. +9.0.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. +9.0.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. +9.0.0-dev,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. +9.0.0-dev,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. +9.0.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. 
+9.0.0-dev,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. +9.0.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. +9.0.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. +9.0.0-dev,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages. +9.0.0-dev,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. +9.0.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name. +9.0.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. +9.0.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. +9.0.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. +9.0.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. +9.0.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. +9.0.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information +9.0.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +9.0.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +9.0.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. +9.0.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions. +9.0.0-dev,true,network,network.protocol,keyword,core,,http,Application protocol name. +9.0.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. 
+9.0.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" +9.0.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +9.0.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +9.0.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information +9.0.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias +9.0.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID +9.0.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name +9.0.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +9.0.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +9.0.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone +9.0.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. +9.0.0-dev,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. +9.0.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. +9.0.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.0.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. +9.0.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.0.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.0.0-dev,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. +9.0.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 
+9.0.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. +9.0.0-dev,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.0.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. +9.0.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information +9.0.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias +9.0.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID +9.0.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name +9.0.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +9.0.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +9.0.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone +9.0.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. +9.0.0-dev,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. +9.0.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. +9.0.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +9.0.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.0.0-dev,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.0.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +9.0.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." 
+9.0.0-dev,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +9.0.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +9.0.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +9.0.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +9.0.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. +9.0.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. +9.0.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. +9.0.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. +9.0.0-dev,true,observer,observer.version,keyword,core,,,Observer version. +9.0.0-dev,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action +9.0.0-dev,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster. +9.0.0-dev,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster. +9.0.0-dev,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster. +9.0.0-dev,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. +9.0.0-dev,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. +9.0.0-dev,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). +9.0.0-dev,true,orchestrator,orchestrator.resource.annotation,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of annotations added to the resource. 
+9.0.0-dev,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. +9.0.0-dev,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. +9.0.0-dev,true,orchestrator,orchestrator.resource.label,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of labels added to the resource. +9.0.0-dev,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. +9.0.0-dev,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. +9.0.0-dev,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. +9.0.0-dev,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)." +9.0.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. +9.0.0-dev,true,organization,organization.name,keyword,extended,,,Organization name. +9.0.0-dev,true,organization,organization.name.text,match_only_text,extended,,,Organization name. +9.0.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. +9.0.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information +9.0.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. +9.0.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. +9.0.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." 
+9.0.0-dev,true,package,package.installed,date,extended,,,Time when package was installed. +9.0.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license +9.0.0-dev,true,package,package.name,keyword,extended,,go,Package name +9.0.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. +9.0.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL +9.0.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes. +9.0.0-dev,true,package,package.type,keyword,extended,,rpm,Package type +9.0.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version +9.0.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.0.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. +9.0.0-dev,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.0.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.0.0-dev,true,process,process.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.0.0-dev,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.0.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.0.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.0.0-dev,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 
+9.0.0-dev,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.0.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.0.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.0.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.0.0-dev,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.0.0-dev,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.0.0-dev,true,process,process.elf.creation_date,date,extended,,,Build or compile date. +9.0.0-dev,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. +9.0.0-dev,true,process,process.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.0.0-dev,true,process,process.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev,true,process,process.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,process,process.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,process,process.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
+9.0.0-dev,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.0.0-dev,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.0.0-dev,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.0.0-dev,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.0.0-dev,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.0.0-dev,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.0.0-dev,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.0.0-dev,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. +9.0.0-dev,true,process,process.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.0.0-dev,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev,true,process,process.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,process,process.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. +9.0.0-dev,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.0.0-dev,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.0.0-dev,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. 
+9.0.0-dev,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.0.0-dev,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.0.0-dev,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. +9.0.0-dev,true,process,process.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.0.0-dev,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.0.0-dev,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. +9.0.0-dev,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.0.0-dev,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. +9.0.0-dev,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.0.0-dev,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.0.0-dev,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +9.0.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.0.0-dev,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. +9.0.0-dev,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
+9.0.0-dev,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.entry_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. +9.0.0-dev,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. +9.0.0-dev,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.0.0-dev,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. +9.0.0-dev,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. +9.0.0-dev,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. 
+9.0.0-dev,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. +9.0.0-dev,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev,true,process,process.entry_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. +9.0.0-dev,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev,true,process,process.entry_leader.parent.vpid,long,core,,4242,Virtual process id. +9.0.0-dev,true,process,process.entry_leader.pid,long,core,,4242,Process id. +9.0.0-dev,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +9.0.0-dev,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
+9.0.0-dev,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. +9.0.0-dev,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.0.0-dev,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.0.0-dev,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.entry_leader.vpid,long,core,,4242,Virtual process id. +9.0.0-dev,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.0.0-dev,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.0.0-dev,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. 
+9.0.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. +9.0.0-dev,true,process,process.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.0.0-dev,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. +9.0.0-dev,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.0.0-dev,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. 
+9.0.0-dev,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. +9.0.0-dev,true,process,process.group_leader.pid,long,core,,4242,Process id. +9.0.0-dev,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +9.0.0-dev,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. 
+9.0.0-dev,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. +9.0.0-dev,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.0.0-dev,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.0.0-dev,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.group_leader.vpid,long,core,,4242,Virtual process id. +9.0.0-dev,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.0.0-dev,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.0.0-dev,true,process,process.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.0.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. +9.0.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. +9.0.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. +9.0.0-dev,true,process,process.hash.sha384,keyword,extended,,,SHA384 hash. +9.0.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. +9.0.0-dev,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.0.0-dev,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. +9.0.0-dev,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. 
+9.0.0-dev,true,process,process.io,object,extended,,,A chunk of input or output (IO) from a single process. +9.0.0-dev,true,process,process.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. +9.0.0-dev,true,process,process.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. +9.0.0-dev,true,process,process.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. +9.0.0-dev,true,process,process.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." +9.0.0-dev,true,process,process.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. +9.0.0-dev,true,process,process.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. +9.0.0-dev,true,process,process.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. +9.0.0-dev,true,process,process.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. +9.0.0-dev,true,process,process.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +9.0.0-dev,true,process,process.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev,true,process,process.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,process,process.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,process,process.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
+9.0.0-dev,true,process,process.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.0.0-dev,true,process,process.macho.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev,true,process,process.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,process,process.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,process,process.macho.sections,nested,extended,array,,Section information of the Mach-O file. +9.0.0-dev,true,process,process.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev,true,process,process.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.0.0-dev,true,process,process.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.0.0-dev,true,process,process.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +9.0.0-dev,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +9.0.0-dev,true,process,process.name,keyword,extended,,ssh,Process name. +9.0.0-dev,true,process,process.name.text,match_only_text,extended,,ssh,Process name. +9.0.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.0.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. +9.0.0-dev,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 
+9.0.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.0.0-dev,true,process,process.parent.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.0.0-dev,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.0.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.0.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.0.0-dev,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.0.0-dev,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.0.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.0.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.0.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.0.0-dev,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.0.0-dev,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.0.0-dev,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. 
+9.0.0-dev,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. +9.0.0-dev,true,process,process.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.0.0-dev,true,process,process.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev,true,process,process.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,process,process.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,process,process.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.0.0-dev,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.0.0-dev,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.0.0-dev,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.0.0-dev,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.0.0-dev,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.0.0-dev,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.0.0-dev,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. +9.0.0-dev,true,process,process.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. 
+9.0.0-dev,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev,true,process,process.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,process,process.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. +9.0.0-dev,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.0.0-dev,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.0.0-dev,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. +9.0.0-dev,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.0.0-dev,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.0.0-dev,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. +9.0.0-dev,true,process,process.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.0.0-dev,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.0.0-dev,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. +9.0.0-dev,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. 
+9.0.0-dev,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. +9.0.0-dev,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.0.0-dev,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.0.0-dev,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +9.0.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. +9.0.0-dev,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.parent.group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. +9.0.0-dev,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id. +9.0.0-dev,true,process,process.parent.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.0.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. +9.0.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. +9.0.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. 
+9.0.0-dev,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash. +9.0.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. +9.0.0-dev,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.0.0-dev,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. +9.0.0-dev,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.0.0-dev,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +9.0.0-dev,true,process,process.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev,true,process,process.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,process,process.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,process,process.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev,true,process,process.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.0.0-dev,true,process,process.parent.macho.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev,true,process,process.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,process,process.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,process,process.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file. 
+9.0.0-dev,true,process,process.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev,true,process,process.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.0.0-dev,true,process,process.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.0.0-dev,true,process,process.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +9.0.0-dev,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +9.0.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name. +9.0.0-dev,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. +9.0.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.0.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.0.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.0.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.0.0-dev,true,process,process.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.0.0-dev,true,process,process.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev,true,process,process.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
+9.0.0-dev,true,process,process.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,process,process.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.0.0-dev,true,process,process.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.0.0-dev,true,process,process.parent.pe.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev,true,process,process.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,process,process.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.0.0-dev,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.0.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.0.0-dev,true,process,process.parent.pe.sections,nested,extended,array,,Section information of the PE file. +9.0.0-dev,true,process,process.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev,true,process,process.parent.pe.sections.name,keyword,extended,,,PE Section List name. +9.0.0-dev,true,process,process.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. 
+9.0.0-dev,true,process,process.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev,true,process,process.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.0.0-dev,true,process,process.parent.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. +9.0.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. +9.0.0-dev,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+9.0.0-dev,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.parent.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +9.0.0-dev,true,process,process.parent.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. +9.0.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. +9.0.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. +9.0.0-dev,true,process,process.parent.title,keyword,extended,,,Process title. +9.0.0-dev,true,process,process.parent.title.text,match_only_text,extended,,,Process title. +9.0.0-dev,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. +9.0.0-dev,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.0.0-dev,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.0.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. +9.0.0-dev,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.parent.vpid,long,core,,4242,Virtual process id. +9.0.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.0.0-dev,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. 
+9.0.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.0.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.0.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.0.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.0.0-dev,true,process,process.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.0.0-dev,true,process,process.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev,true,process,process.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,process,process.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,process,process.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.0.0-dev,true,process,process.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.0.0-dev,true,process,process.pe.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev,true,process,process.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,process,process.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
+9.0.0-dev,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.0.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.0.0-dev,true,process,process.pe.sections,nested,extended,array,,Section information of the PE file. +9.0.0-dev,true,process,process.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev,true,process,process.pe.sections.name,keyword,extended,,,PE Section List name. +9.0.0-dev,true,process,process.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.0.0-dev,true,process,process.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev,true,process,process.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.0.0-dev,true,process,process.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. +9.0.0-dev,true,process,process.pid,long,core,,4242,Process id. +9.0.0-dev,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.0.0-dev,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. +9.0.0-dev,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.real_group.name,keyword,extended,,,Name of the group. 
+9.0.0-dev,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.saved_group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.0.0-dev,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array. +9.0.0-dev,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 
+9.0.0-dev,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.0.0-dev,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. +9.0.0-dev,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. +9.0.0-dev,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. +9.0.0-dev,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. +9.0.0-dev,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev,true,process,process.session_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. +9.0.0-dev,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev,true,process,process.session_leader.parent.vpid,long,core,,4242,Virtual process id. +9.0.0-dev,true,process,process.session_leader.pid,long,core,,4242,Process id. +9.0.0-dev,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
+9.0.0-dev,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +9.0.0-dev,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. +9.0.0-dev,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.0.0-dev,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.0.0-dev,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
+9.0.0-dev,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.session_leader.vpid,long,core,,4242,Virtual process id. +9.0.0-dev,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.0.0-dev,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.0.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +9.0.0-dev,true,process,process.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. +9.0.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. +9.0.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. +9.0.0-dev,true,process,process.title,keyword,extended,,,Process title. +9.0.0-dev,true,process,process.title.text,match_only_text,extended,,,Process title. +9.0.0-dev,true,process,process.tty,object,extended,,,Information about the controlling TTY device. +9.0.0-dev,true,process,process.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.0.0-dev,true,process,process.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. 
+9.0.0-dev,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width +9.0.0-dev,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height +9.0.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. +9.0.0-dev,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.vpid,long,core,,4242,Virtual process id. +9.0.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.0.0-dev,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.0.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +9.0.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +9.0.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +9.0.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +9.0.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +9.0.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +9.0.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. 
+9.0.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. +9.0.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. +9.0.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. +9.0.0-dev,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. +9.0.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author +9.0.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category +9.0.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description +9.0.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID +9.0.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license +9.0.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name +9.0.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL +9.0.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset +9.0.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID +9.0.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version +9.0.0-dev,true,server,server.address,keyword,extended,,,Server network address. +9.0.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.0.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.0.0-dev,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.0.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. +9.0.0-dev,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server. +9.0.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name. 
+9.0.0-dev,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. +9.0.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. +9.0.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.0.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name. +9.0.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.0.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.0.0-dev,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. +9.0.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.0.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. +9.0.0-dev,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.0.0-dev,true,server,server.ip,ip,core,,,IP address of the server. +9.0.0-dev,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. +9.0.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip +9.0.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port +9.0.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. +9.0.0-dev,true,server,server.port,long,core,,,Port of the server. +9.0.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." +9.0.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. +9.0.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.0.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.0.0-dev,true,server,server.user.email,keyword,extended,,,User email address. 
+9.0.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.0.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.0.0-dev,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.0.0-dev,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. +9.0.0-dev,true,service,service.environment,keyword,extended,,production,Environment of the service. +9.0.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +9.0.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +9.0.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. +9.0.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. +9.0.0-dev,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. 
+9.0.0-dev,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +9.0.0-dev,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. +9.0.0-dev,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. +9.0.0-dev,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +9.0.0-dev,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +9.0.0-dev,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. +9.0.0-dev,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. +9.0.0-dev,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +9.0.0-dev,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +9.0.0-dev,true,service,service.origin.state,keyword,core,,,Current state of the service. +9.0.0-dev,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. +9.0.0-dev,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. +9.0.0-dev,true,service,service.state,keyword,core,,,Current state of the service. +9.0.0-dev,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service. +9.0.0-dev,true,service,service.target.environment,keyword,extended,,production,Environment of the service. +9.0.0-dev,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +9.0.0-dev,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. 
+9.0.0-dev,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. +9.0.0-dev,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. +9.0.0-dev,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +9.0.0-dev,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +9.0.0-dev,true,service,service.target.state,keyword,core,,,Current state of the service. +9.0.0-dev,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. +9.0.0-dev,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. +9.0.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service. +9.0.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service. +9.0.0-dev,true,source,source.address,keyword,extended,,,Source network address. +9.0.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.0.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.0.0-dev,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.0.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. +9.0.0-dev,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source. +9.0.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name. +9.0.0-dev,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. +9.0.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. +9.0.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.0.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name. 
+9.0.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.0.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.0.0-dev,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. +9.0.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.0.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. +9.0.0-dev,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.0.0-dev,true,source,source.ip,ip,core,,,IP address of the source. +9.0.0-dev,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +9.0.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip +9.0.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port +9.0.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. +9.0.0-dev,true,source,source.port,long,core,,,Port of the source. +9.0.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +9.0.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. +9.0.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.0.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.0.0-dev,true,source,source.user.email,keyword,extended,,,User email address. +9.0.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+9.0.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.0.0-dev,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.0.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. +9.0.0-dev,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. +9.0.0-dev,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. +9.0.0-dev,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.0.0-dev,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.0.0-dev,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. 
+9.0.0-dev,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating +9.0.0-dev,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +9.0.0-dev,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +9.0.0-dev,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 
+9.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. 
+9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. 
+9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. 
+9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +9.0.0-dev,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. 
+9.0.0-dev,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +9.0.0-dev,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +9.0.0-dev,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.0.0-dev,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. 
+9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 
+9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +9.0.0-dev,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
+9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.0.0-dev,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. 
+9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. +9.0.0-dev,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. 
+9.0.0-dev,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. +9.0.0-dev,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. +9.0.0-dev,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +9.0.0-dev,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.0.0-dev,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. +9.0.0-dev,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.0.0-dev,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.0.0-dev,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. +9.0.0-dev,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.0.0-dev,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. +9.0.0-dev,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.0.0-dev,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +9.0.0-dev,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +9.0.0-dev,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking +9.0.0-dev,true,threat,threat.enrichments.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version +9.0.0-dev,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. 
+9.0.0-dev,true,threat,threat.enrichments.indicator.name,keyword,extended,,5.2.75.227,Indicator display name +9.0.0-dev,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port +9.0.0-dev,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +9.0.0-dev,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +9.0.0-dev,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +9.0.0-dev,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +9.0.0-dev,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +9.0.0-dev,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +9.0.0-dev,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +9.0.0-dev,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +9.0.0-dev,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. 
+9.0.0-dev,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics +9.0.0-dev,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed +9.0.0-dev,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +9.0.0-dev,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +9.0.0-dev,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +9.0.0-dev,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +9.0.0-dev,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.0.0-dev,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.0.0-dev,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.0.0-dev,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.0.0-dev,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. +9.0.0-dev,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +9.0.0-dev,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." +9.0.0-dev,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. 
+9.0.0-dev,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +9.0.0-dev,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +9.0.0-dev,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +9.0.0-dev,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.0.0-dev,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+9.0.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.0.0-dev,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
+9.0.0-dev,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. +9.0.0-dev,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value +9.0.0-dev,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field +9.0.0-dev,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier +9.0.0-dev,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index +9.0.0-dev,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05T17:00:58.326Z,Date of match +9.0.0-dev,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match +9.0.0-dev,true,threat,threat.feed.dashboard_id,keyword,extended,,5ba16340-72e6-11eb-a3e3-b3cc7c78a70f,Feed dashboard ID. +9.0.0-dev,true,threat,threat.feed.description,keyword,extended,,Threat feed from the AlienVault Open Threat eXchange network.,Description of the threat feed. +9.0.0-dev,true,threat,threat.feed.name,keyword,extended,,AlienVault OTX,Name of the threat feed. +9.0.0-dev,true,threat,threat.feed.reference,keyword,extended,,https://otx.alienvault.com,Reference for the threat feed. 
+9.0.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. +9.0.0-dev,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. +9.0.0-dev,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. +9.0.0-dev,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. +9.0.0-dev,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. +9.0.0-dev,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.0.0-dev,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.0.0-dev,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.0.0-dev,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating +9.0.0-dev,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +9.0.0-dev,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +9.0.0-dev,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. +9.0.0-dev,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +9.0.0-dev,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.0.0-dev,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 
+9.0.0-dev,true,threat,threat.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.0.0-dev,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.0.0-dev,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.0.0-dev,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.0.0-dev,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.0.0-dev,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.0.0-dev,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.0.0-dev,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.0.0-dev,true,threat,threat.indicator.file.created,date,extended,,,File creation time. +9.0.0-dev,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +9.0.0-dev,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +9.0.0-dev,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +9.0.0-dev,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +9.0.0-dev,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.0.0-dev,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. 
+9.0.0-dev,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.0.0-dev,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +9.0.0-dev,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +9.0.0-dev,true,threat,threat.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.0.0-dev,true,threat,threat.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev,true,threat,threat.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,threat,threat.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,threat,threat.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.0.0-dev,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.0.0-dev,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.0.0-dev,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.0.0-dev,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.0.0-dev,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.0.0-dev,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. 
+9.0.0-dev,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +9.0.0-dev,true,threat,threat.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.0.0-dev,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev,true,threat,threat.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,threat,threat.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +9.0.0-dev,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.0.0-dev,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.0.0-dev,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +9.0.0-dev,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.0.0-dev,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.0.0-dev,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +9.0.0-dev,true,threat,threat.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. 
+9.0.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.0.0-dev,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. +9.0.0-dev,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.0.0-dev,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +9.0.0-dev,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.0.0-dev,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.0.0-dev,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +9.0.0-dev,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +9.0.0-dev,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +9.0.0-dev,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +9.0.0-dev,true,threat,threat.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.0.0-dev,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. +9.0.0-dev,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. +9.0.0-dev,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. +9.0.0-dev,true,threat,threat.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. +9.0.0-dev,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. +9.0.0-dev,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.0.0-dev,true,threat,threat.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. 
+9.0.0-dev,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +9.0.0-dev,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +9.0.0-dev,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +9.0.0-dev,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. +9.0.0-dev,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +9.0.0-dev,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. +9.0.0-dev,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.0.0-dev,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.0.0-dev,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.0.0-dev,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.0.0-dev,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.0.0-dev,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.0.0-dev,true,threat,threat.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.0.0-dev,true,threat,threat.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev,true,threat,threat.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
+9.0.0-dev,true,threat,threat.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,threat,threat.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.0.0-dev,true,threat,threat.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.0.0-dev,true,threat,threat.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev,true,threat,threat.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,threat,threat.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.0.0-dev,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.0.0-dev,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.0.0-dev,true,threat,threat.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. +9.0.0-dev,true,threat,threat.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev,true,threat,threat.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. 
+9.0.0-dev,true,threat,threat.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.0.0-dev,true,threat,threat.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev,true,threat,threat.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.0.0-dev,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. +9.0.0-dev,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +9.0.0-dev,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. +9.0.0-dev,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +9.0.0-dev,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +9.0.0-dev,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.0.0-dev,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.0.0-dev,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.0.0-dev,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.0.0-dev,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.0.0-dev,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. 
+9.0.0-dev,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +9.0.0-dev,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.0.0-dev,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.0.0-dev,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.0.0-dev,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.0.0-dev,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.0.0-dev,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.0.0-dev,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.0.0-dev,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.0.0-dev,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
+9.0.0-dev,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.0.0-dev,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +9.0.0-dev,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.0.0-dev,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.0.0-dev,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.0.0-dev,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. +9.0.0-dev,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +9.0.0-dev,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. +9.0.0-dev,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. +9.0.0-dev,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +9.0.0-dev,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.0.0-dev,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. +9.0.0-dev,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.0.0-dev,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. 
+9.0.0-dev,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. +9.0.0-dev,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.0.0-dev,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. +9.0.0-dev,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.0.0-dev,true,threat,threat.indicator.id,keyword,extended,array,[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37],ID of the indicator +9.0.0-dev,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +9.0.0-dev,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +9.0.0-dev,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking +9.0.0-dev,true,threat,threat.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version +9.0.0-dev,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. +9.0.0-dev,true,threat,threat.indicator.name,keyword,extended,,5.2.75.227,Indicator display name +9.0.0-dev,true,threat,threat.indicator.port,long,extended,,443,Indicator port +9.0.0-dev,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +9.0.0-dev,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +9.0.0-dev,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +9.0.0-dev,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. 
+9.0.0-dev,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +9.0.0-dev,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +9.0.0-dev,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +9.0.0-dev,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +9.0.0-dev,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. +9.0.0-dev,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics +9.0.0-dev,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed +9.0.0-dev,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +9.0.0-dev,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +9.0.0-dev,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +9.0.0-dev,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +9.0.0-dev,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.0.0-dev,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.0.0-dev,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. 
+9.0.0-dev,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.0.0-dev,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. +9.0.0-dev,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +9.0.0-dev,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." +9.0.0-dev,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. +9.0.0-dev,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +9.0.0-dev,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +9.0.0-dev,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +9.0.0-dev,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.0.0-dev,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. +9.0.0-dev,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.0.0-dev,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.0.0-dev,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.0.0-dev,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
+9.0.0-dev,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.0.0-dev,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.0.0-dev,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +9.0.0-dev,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.0.0-dev,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.0.0-dev,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.0.0-dev,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.0.0-dev,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.0.0-dev,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.0.0-dev,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.0.0-dev,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.0.0-dev,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
+9.0.0-dev,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.0.0-dev,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +9.0.0-dev,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.0.0-dev,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.0.0-dev,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.0.0-dev,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. +9.0.0-dev,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software +9.0.0-dev,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software +9.0.0-dev,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. +9.0.0-dev,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. +9.0.0-dev,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. +9.0.0-dev,true,threat,threat.software.type,keyword,extended,,Tool,Software type. +9.0.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. +9.0.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. +9.0.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. 
+9.0.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. +9.0.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. +9.0.0-dev,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name. +9.0.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. +9.0.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. +9.0.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. +9.0.0-dev,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name. +9.0.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. +9.0.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. +9.0.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. +9.0.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. +9.0.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. +9.0.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. 
+9.0.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. +9.0.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. +9.0.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. +9.0.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. +9.0.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. +9.0.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. +9.0.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. +9.0.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. +9.0.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.0.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
+9.0.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.0.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.0.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.0.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.0.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +9.0.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.0.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.0.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.0.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.0.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.0.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.0.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. 
+9.0.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.0.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.0.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.0.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +9.0.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.0.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.0.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.0.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. +9.0.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." +9.0.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +9.0.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. +9.0.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +9.0.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. 
+9.0.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. +9.0.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. +9.0.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. +9.0.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. +9.0.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. +9.0.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. +9.0.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. +9.0.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. +9.0.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. +9.0.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.0.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
+9.0.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.0.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.0.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.0.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.0.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +9.0.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.0.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.0.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.0.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.0.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.0.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.0.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. 
+9.0.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.0.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.0.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.0.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +9.0.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.0.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.0.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.0.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. +9.0.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. +9.0.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. +9.0.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. +9.0.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. +9.0.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. +9.0.0-dev,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." 
+9.0.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. +9.0.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.0.0-dev,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.0.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.0.0-dev,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.0.0-dev,true,url,url.password,keyword,extended,,,Password of the request. +9.0.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +9.0.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443." +9.0.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. +9.0.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +9.0.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. +9.0.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. +9.0.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.0.0-dev,true,url,url.username,keyword,extended,,,Username of the request. +9.0.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. +9.0.0-dev,true,user,user.changes.email,keyword,extended,,,User email address. +9.0.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
+9.0.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.0.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.0.0-dev,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.0.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.0.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. +9.0.0-dev,true,user,user.effective.email,keyword,extended,,,User email address. +9.0.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.0.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
+9.0.0-dev,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.0.0-dev,true,user,user.email,keyword,extended,,,User email address. +9.0.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.0.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.0.0-dev,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.0.0-dev,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. 
+9.0.0-dev,true,user,user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.0.0-dev,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.0.0-dev,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.0.0-dev,true,user,user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.0.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.0.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. +9.0.0-dev,true,user,user.target.email,keyword,extended,,,User email address. +9.0.0-dev,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.0.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.0.0-dev,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
+9.0.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.0.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. +9.0.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. +9.0.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +9.0.0-dev,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +9.0.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +9.0.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.0.0-dev,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.0.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +9.0.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +9.0.0-dev,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +9.0.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +9.0.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." 
+9.0.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +9.0.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. +9.0.0-dev,true,volume,volume.bus_type,keyword,extended,,FileBackedVirtual,Bus type of the device. +9.0.0-dev,true,volume,volume.default_access,keyword,extended,,,Bus type of the device. +9.0.0-dev,true,volume,volume.device_name,keyword,extended,,,Device name of the volume. +9.0.0-dev,true,volume,volume.device_type,keyword,extended,,CD-ROM File System,Volume device type. +9.0.0-dev,true,volume,volume.dos_name,keyword,extended,,E:,DOS name of the device. +9.0.0-dev,true,volume,volume.file_system_type,keyword,extended,,,Volume device file system type. +9.0.0-dev,true,volume,volume.mount_name,keyword,extended,,,Mount name of the volume. +9.0.0-dev,true,volume,volume.nt_name,keyword,extended,,\Device\Cdrom1,NT name of the device. +9.0.0-dev,true,volume,volume.product_id,keyword,extended,,,ProductID of the device. +9.0.0-dev,true,volume,volume.product_name,keyword,extended,,Virtual DVD-ROM,Produce name of the volume. +9.0.0-dev,true,volume,volume.removable,boolean,extended,,,Indicates if the volume is removable. +9.0.0-dev,true,volume,volume.serial_number,keyword,extended,,,Serial number of the device. +9.0.0-dev,true,volume,volume.size,long,extended,,,Size of the volume device in bytes. +9.0.0-dev,true,volume,volume.vendor_id,keyword,extended,,,VendorID of the device. +9.0.0-dev,true,volume,volume.vendor_name,keyword,extended,,Msft,Vendor name of the device. +9.0.0-dev,true,volume,volume.writable,boolean,extended,,,Indicates if the volume is writable. +9.0.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. +9.0.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. 
+9.0.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +9.0.0-dev,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +9.0.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. +9.0.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. +9.0.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. +9.0.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. +9.0.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. +9.0.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. +9.0.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. +9.0.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. +9.0.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. +9.0.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. diff --git a/generated/elasticsearch/composable/component/agent.json b/generated/elasticsearch/composable/component/agent.json index 50480c9cbb..7f17383fbb 100644 --- a/generated/elasticsearch/composable/component/agent.json +++ b/generated/elasticsearch/composable/component/agent.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { 
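Review bot: several field descriptions in the `volume` and `user_agent` rows of the CSV hunk carry copy-paste or wording defects that the 9.0.0-dev regeneration simply reproduces: `volume.default_access` is described as "Bus type of the device.", identical to the `volume.bus_type` row, so the description never says what default access means; `volume.product_name` reads "Produce name of the volume." where "Product name" is meant; and `user_agent.os.platform` reads "(such centos, ubuntu, windows)" while the parallel `user_agent.os.family` row uses "(such as ...)". If this CSV is a generated artifact like the `generated/elasticsearch/...` files in the neighbouring hunks, the fix belongs in the source schema definitions for those fields followed by a regeneration, not in hand edits to the CSV.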
diff --git a/generated/elasticsearch/composable/component/base.json b/generated/elasticsearch/composable/component/base.json index 4f23f82647..624a1d6c97 100644 --- a/generated/elasticsearch/composable/component/base.json +++ b/generated/elasticsearch/composable/component/base.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/client.json b/generated/elasticsearch/composable/component/client.json index 12ad20b7eb..4cbfa854af 100644 --- a/generated/elasticsearch/composable/component/client.json +++ b/generated/elasticsearch/composable/component/client.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/cloud.json b/generated/elasticsearch/composable/component/cloud.json index a8a8b153ce..51d4fee30e 100644 --- a/generated/elasticsearch/composable/component/cloud.json +++ b/generated/elasticsearch/composable/component/cloud.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cloud.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/container.json b/generated/elasticsearch/composable/component/container.json index c7312c0590..4faf35f06d 100644 --- a/generated/elasticsearch/composable/component/container.json +++ b/generated/elasticsearch/composable/component/container.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-container.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { 
diff --git a/generated/elasticsearch/composable/component/data_stream.json b/generated/elasticsearch/composable/component/data_stream.json index e651fedd50..c40f2d272c 100644 --- a/generated/elasticsearch/composable/component/data_stream.json +++ b/generated/elasticsearch/composable/component/data_stream.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-data_stream.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/destination.json b/generated/elasticsearch/composable/component/destination.json index 590ee3e5a5..730525eb7d 100644 --- a/generated/elasticsearch/composable/component/destination.json +++ b/generated/elasticsearch/composable/component/destination.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/device.json b/generated/elasticsearch/composable/component/device.json index 741cf82323..337d0743ea 100644 --- a/generated/elasticsearch/composable/component/device.json +++ b/generated/elasticsearch/composable/component/device.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-device.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/dll.json b/generated/elasticsearch/composable/component/dll.json index 7c76d1ed0d..5c670260ab 100644 --- a/generated/elasticsearch/composable/component/dll.json +++ b/generated/elasticsearch/composable/component/dll.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dll.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { 
diff --git a/generated/elasticsearch/composable/component/dns.json b/generated/elasticsearch/composable/component/dns.json index 06ca50ac7f..45b9ec4cfa 100644 --- a/generated/elasticsearch/composable/component/dns.json +++ b/generated/elasticsearch/composable/component/dns.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/ecs.json b/generated/elasticsearch/composable/component/ecs.json index 083fc546bd..38df701cbf 100644 --- a/generated/elasticsearch/composable/component/ecs.json +++ b/generated/elasticsearch/composable/component/ecs.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/email.json b/generated/elasticsearch/composable/component/email.json index 4046e33558..f33c03d837 100644 --- a/generated/elasticsearch/composable/component/email.json +++ b/generated/elasticsearch/composable/component/email.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-email.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/error.json b/generated/elasticsearch/composable/component/error.json index 826c6bac1a..7093c10d23 100644 --- a/generated/elasticsearch/composable/component/error.json +++ b/generated/elasticsearch/composable/component/error.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-error.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { 
diff --git a/generated/elasticsearch/composable/component/event.json b/generated/elasticsearch/composable/component/event.json index 7ae691519c..7c2b5ea678 100644 --- a/generated/elasticsearch/composable/component/event.json +++ b/generated/elasticsearch/composable/component/event.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/faas.json b/generated/elasticsearch/composable/component/faas.json index 4f54d3e060..b8c16712d2 100644 --- a/generated/elasticsearch/composable/component/faas.json +++ b/generated/elasticsearch/composable/component/faas.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-faas.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/file.json b/generated/elasticsearch/composable/component/file.json index c032c0a53c..297ac13916 100644 --- a/generated/elasticsearch/composable/component/file.json +++ b/generated/elasticsearch/composable/component/file.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/group.json b/generated/elasticsearch/composable/component/group.json index c7e37d2323..a291ac1005 100644 --- a/generated/elasticsearch/composable/component/group.json +++ b/generated/elasticsearch/composable/component/group.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-group.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { 
diff --git a/generated/elasticsearch/composable/component/host.json b/generated/elasticsearch/composable/component/host.json index a955778bfe..ae079eb1b0 100644 --- a/generated/elasticsearch/composable/component/host.json +++ b/generated/elasticsearch/composable/component/host.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/http.json b/generated/elasticsearch/composable/component/http.json index 9d209b4a3a..1ed457a5aa 100644 --- a/generated/elasticsearch/composable/component/http.json +++ b/generated/elasticsearch/composable/component/http.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/log.json b/generated/elasticsearch/composable/component/log.json index 9703a4b497..aa8a9b2bec 100644 --- a/generated/elasticsearch/composable/component/log.json +++ b/generated/elasticsearch/composable/component/log.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/network.json b/generated/elasticsearch/composable/component/network.json index 1725824f84..8c09be1804 100644 --- a/generated/elasticsearch/composable/component/network.json +++ b/generated/elasticsearch/composable/component/network.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { 
diff --git a/generated/elasticsearch/composable/component/observer.json b/generated/elasticsearch/composable/component/observer.json index 99008f11a8..d31b163fd1 100644 --- a/generated/elasticsearch/composable/component/observer.json +++ b/generated/elasticsearch/composable/component/observer.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/orchestrator.json b/generated/elasticsearch/composable/component/orchestrator.json index 53a1bd6b89..9e72bdfa93 100644 --- a/generated/elasticsearch/composable/component/orchestrator.json +++ b/generated/elasticsearch/composable/component/orchestrator.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-orchestrator.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/organization.json b/generated/elasticsearch/composable/component/organization.json index 56762f3de6..8730348984 100644 --- a/generated/elasticsearch/composable/component/organization.json +++ b/generated/elasticsearch/composable/component/organization.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-organization.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/package.json b/generated/elasticsearch/composable/component/package.json index 6376f5b53f..bdaa12d928 100644 --- a/generated/elasticsearch/composable/component/package.json +++ b/generated/elasticsearch/composable/component/package.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-package.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/process.json b/generated/elasticsearch/composable/component/process.json index d48a4eddab..81c4c03846 100644 --- a/generated/elasticsearch/composable/component/process.json +++ b/generated/elasticsearch/composable/component/process.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/registry.json b/generated/elasticsearch/composable/component/registry.json index 3856c6e3cb..b8a73bd78b 100644 --- a/generated/elasticsearch/composable/component/registry.json +++ b/generated/elasticsearch/composable/component/registry.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-registry.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/related.json b/generated/elasticsearch/composable/component/related.json index cac093b662..6b487f6c68 100644 --- a/generated/elasticsearch/composable/component/related.json +++ b/generated/elasticsearch/composable/component/related.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-related.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/rule.json b/generated/elasticsearch/composable/component/rule.json index a3694fd784..12adf9ef56 100644 --- a/generated/elasticsearch/composable/component/rule.json +++ b/generated/elasticsearch/composable/component/rule.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/server.json b/generated/elasticsearch/composable/component/server.json index e8978c26ff..39fdfda05f 100644 --- a/generated/elasticsearch/composable/component/server.json +++ b/generated/elasticsearch/composable/component/server.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/service.json b/generated/elasticsearch/composable/component/service.json index 17648ead56..b9da4f32d1 100644 --- a/generated/elasticsearch/composable/component/service.json +++ b/generated/elasticsearch/composable/component/service.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/source.json b/generated/elasticsearch/composable/component/source.json index 0555f13234..7349d597b9 100644 --- a/generated/elasticsearch/composable/component/source.json +++ b/generated/elasticsearch/composable/component/source.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/threat.json b/generated/elasticsearch/composable/component/threat.json index 40f98ec195..963682a592 100644 --- a/generated/elasticsearch/composable/component/threat.json +++ b/generated/elasticsearch/composable/component/threat.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-threat.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/tls.json b/generated/elasticsearch/composable/component/tls.json index f3f26026cf..2bfd41ff15 100644 --- a/generated/elasticsearch/composable/component/tls.json +++ b/generated/elasticsearch/composable/component/tls.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tls.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/tracing.json b/generated/elasticsearch/composable/component/tracing.json index 250aa8ed1e..38b9537b3f 100644 --- a/generated/elasticsearch/composable/component/tracing.json +++ b/generated/elasticsearch/composable/component/tracing.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tracing.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/url.json b/generated/elasticsearch/composable/component/url.json index c14680686d..aa88348959 100644 --- a/generated/elasticsearch/composable/component/url.json +++ b/generated/elasticsearch/composable/component/url.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/user.json b/generated/elasticsearch/composable/component/user.json index a98f31729b..5b657805c6 100644 --- a/generated/elasticsearch/composable/component/user.json +++ b/generated/elasticsearch/composable/component/user.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/user_agent.json b/generated/elasticsearch/composable/component/user_agent.json index 9ab60f9068..cd15db5f42 100644 --- a/generated/elasticsearch/composable/component/user_agent.json +++ b/generated/elasticsearch/composable/component/user_agent.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/volume.json b/generated/elasticsearch/composable/component/volume.json index b83bf621eb..76e7568b17 100644 --- a/generated/elasticsearch/composable/component/volume.json +++ b/generated/elasticsearch/composable/component/volume.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-volume.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/vulnerability.json b/generated/elasticsearch/composable/component/vulnerability.json index 58f2df9bb6..43db4e229c 100644 --- a/generated/elasticsearch/composable/component/vulnerability.json +++ b/generated/elasticsearch/composable/component/vulnerability.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/template.json b/generated/elasticsearch/composable/template.json index 1a16f6ab83..f3f690bd4a 100644 --- a/generated/elasticsearch/composable/template.json +++ b/generated/elasticsearch/composable/template.json 
@@ -1,49 +1,49 @@ { "_meta": { "description": "Sample composable template that includes all ECS fields", - "ecs_version": "8.12.0-dev" + "ecs_version": "9.0.0-dev" }, "composed_of": [ - "ecs_8.12.0-dev_base", - "ecs_8.12.0-dev_agent", - "ecs_8.12.0-dev_client", - "ecs_8.12.0-dev_cloud", - "ecs_8.12.0-dev_container", - "ecs_8.12.0-dev_data_stream", - "ecs_8.12.0-dev_destination", - "ecs_8.12.0-dev_device", - "ecs_8.12.0-dev_dll", - "ecs_8.12.0-dev_dns", - "ecs_8.12.0-dev_ecs", - "ecs_8.12.0-dev_email", - "ecs_8.12.0-dev_error", - "ecs_8.12.0-dev_event", - "ecs_8.12.0-dev_faas", - "ecs_8.12.0-dev_file", - "ecs_8.12.0-dev_group", - "ecs_8.12.0-dev_host", - "ecs_8.12.0-dev_http", - "ecs_8.12.0-dev_log", - "ecs_8.12.0-dev_network", - "ecs_8.12.0-dev_observer", - "ecs_8.12.0-dev_orchestrator", - "ecs_8.12.0-dev_organization", - "ecs_8.12.0-dev_package", - "ecs_8.12.0-dev_process", - "ecs_8.12.0-dev_registry", - "ecs_8.12.0-dev_related", - "ecs_8.12.0-dev_rule", - "ecs_8.12.0-dev_server", - "ecs_8.12.0-dev_service", - "ecs_8.12.0-dev_source", - "ecs_8.12.0-dev_threat", - "ecs_8.12.0-dev_tls", - "ecs_8.12.0-dev_tracing", - "ecs_8.12.0-dev_url", - "ecs_8.12.0-dev_user_agent", - "ecs_8.12.0-dev_user", - "ecs_8.12.0-dev_volume", - "ecs_8.12.0-dev_vulnerability" + "ecs_9.0.0-dev_base", + "ecs_9.0.0-dev_agent", + "ecs_9.0.0-dev_client", + "ecs_9.0.0-dev_cloud", + "ecs_9.0.0-dev_container", + "ecs_9.0.0-dev_data_stream", + "ecs_9.0.0-dev_destination", + "ecs_9.0.0-dev_device", + "ecs_9.0.0-dev_dll", + "ecs_9.0.0-dev_dns", + "ecs_9.0.0-dev_ecs", + "ecs_9.0.0-dev_email", + "ecs_9.0.0-dev_error", + "ecs_9.0.0-dev_event", + "ecs_9.0.0-dev_faas", + "ecs_9.0.0-dev_file", + "ecs_9.0.0-dev_group", + "ecs_9.0.0-dev_host", + "ecs_9.0.0-dev_http", + "ecs_9.0.0-dev_log", + "ecs_9.0.0-dev_network", + "ecs_9.0.0-dev_observer", + "ecs_9.0.0-dev_orchestrator", + "ecs_9.0.0-dev_organization", + "ecs_9.0.0-dev_package", + "ecs_9.0.0-dev_process", + "ecs_9.0.0-dev_registry", + 
"ecs_9.0.0-dev_related", + "ecs_9.0.0-dev_rule", + "ecs_9.0.0-dev_server", + "ecs_9.0.0-dev_service", + "ecs_9.0.0-dev_source", + "ecs_9.0.0-dev_threat", + "ecs_9.0.0-dev_tls", + "ecs_9.0.0-dev_tracing", + "ecs_9.0.0-dev_url", + "ecs_9.0.0-dev_user_agent", + "ecs_9.0.0-dev_user", + "ecs_9.0.0-dev_volume", + "ecs_9.0.0-dev_vulnerability" ], "index_patterns": [ "try-ecs-*" diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index 66b302cebd..1a8d14b60e 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -4,7 +4,7 @@ ], "mappings": { "_meta": { - "version": "8.12.0-dev" + "version": "9.0.0-dev" }, "date_detection": false, "dynamic_templates": [ diff --git a/version b/version index b659a6eb73..f6c8661fed 100644 --- a/version +++ b/version @@ -1 +1 @@ -8.12.0-dev +9.0.0-dev From 2ff030d0e0497fde043d8567588afd16b3dc858c Mon Sep 17 00:00:00 2001 From: Michael Wolf Date: Fri, 8 Nov 2024 09:32:09 -0800 Subject: [PATCH 180/186] Update backport list (#2402) --- .backportrc.json | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.backportrc.json b/.backportrc.json index e1dd718528..8094d6e7fa 100644 --- a/.backportrc.json +++ b/.backportrc.json @@ -2,6 +2,8 @@ "upstream": "elastic/ecs", "branches": [ { "name": "main", "checked": true }, + "8.x", + "8.16", "8.11", "8.10", "8.9", From df2813bd93c16abbeeec4c7cb8a0adbb7e4eb996 Mon Sep 17 00:00:00 2001 From: Michael Wolf Date: Wed, 13 Nov 2024 13:24:40 -0800 Subject: [PATCH 181/186] Finalize 8.16.0 changelog (#2404) Finalize 8.16.0 changelog --- CHANGELOG.md | 29 +++++++++++++++++++++++++++++ CHANGELOG.next.md | 9 --------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index dde2819ff2..69c807403c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,6 +3,35 @@ # CHANGELOG All notable changes to this project will be documented in this file based on the [Keep a Changelog](http://keepachangelog.com/) Standard. This project adheres to [Semantic Versioning](http://semver.org/). +## [8.16.0](https://github.com/elastic/ecs/compare/v8.11.0...v8.16.0) + +### Schema Changes + +#### Bugfixes +* Fix broken link in docs for vulnerability.id. #2328 + +#### Added + +* Added `volume.*` as beta field set. #2269 +* Advanced `process.env_vars` to GA. #2315 +* Advanced `process.io` and `process.tty` fields to GA. #2317 +* Added `threat.indicator.id`. #2324 +* Added `process.group` to generated schemas. #2335 + +#### Improvements + +* Define base encoding of `x509.serial_number`. #2383 + +### Tooling and Artifact Changes + +#### Bugfixes + +* Fix broken link for vulnerabilty.id #2328 + +#### Added + +* Documentation in README.md providing instruction on contributions to ECS during the OTel donation #2325 + ## [8.11.0](https://github.com/elastic/ecs/compare/v8.10.0...v8.11.0) ### Schema Changes diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 70a4a3e0a6..aae5b7a87f 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -13,16 +13,9 @@ Thanks, you're awesome :-) --> #### Breaking changes #### Bugfixes -* Fix broken link in docs for vulnerability.id. #2328 #### Added -* Added `volume.*` as beta field set. #2269 -* Advanced `process.env_vars` to GA. #2315 -* Advanced `process.io` and `process.tty` fields to GA. #2317 -* Added `threat.indicator.id`. #2324 -* Added `process.group` to generated schemas. #2335 - #### Improvements * Define base encoding of `x509.serial_number`. #2383 @@ -37,8 +30,6 @@ Thanks, you're awesome :-) --> #### Added -* Documentation in README.md providing instruction on contributions to ECS during the OTel donation #2325 - #### Improvements #### Deprecated From 9c55b1d0bf6f0906f24049d783d3020f2caf0871 Mon Sep 17 00:00:00 2001 
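Review bot: the CHANGELOG.next.md side of this patch leaves `* Define base encoding of `x509.serial_number`. #2383` in place even though the same entry is now recorded under 8.16.0 Schema Changes / Improvements in CHANGELOG.md, so #2383 will be reported a second time when the next release is finalized; remove it from CHANGELOG.next.md the way #2269, #2315, #2317, #2324 and #2335 were. Minor: `vulnerabilty.id` in the Tooling and Artifact Changes / Bugfixes entry is misspelled, and that entry duplicates the Schema Changes / Bugfixes line for the same PR #2328; keeping one copy with the correct spelling is enough.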
From: Michael Wolf Date: Wed, 13 Nov 2024 13:26:15 -0800 Subject: [PATCH 182/186] Add 8.16 release notes (#2406) Add 8.16 release notes to main --- docs/release-notes/8.16.asciidoc | 38 +++++++++++++++++++++++++++++++ docs/release-notes/index.asciidoc | 2 ++ 2 files changed, 40 insertions(+) create mode 100644 docs/release-notes/8.16.asciidoc diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc new file mode 100644 index 0000000000..f96da18a24 --- /dev/null +++ b/docs/release-notes/8.16.asciidoc @@ -0,0 +1,38 @@ +[[ecs-release-notes-8.16.0]] +=== 8.16.0 + +[[schema-changes-8.16.0]] +[float] +==== Schema changes + +[[schema-bugfixes-8.16.0]] +[float] +===== Bugfixes +* Fix broken link in docs for vulnerability.id. {ecs_pull}2328[#2328] + +[[schema-added-8.16.0]] +[float] +===== Added + +* Added `volume.*` as beta field set. {ecs_pull}2269[#2269] +* Advanced `process.env_vars` to GA. {ecs_pull}2315[#2315] +* Advanced `process.io` and `process.tty` fields to GA. {ecs_pull}2317[#2317] +* Added `threat.indicator.id`. {ecs_pull}2324[#2324] +* Added `process.group` to generated schemas. {ecs_pull}2335[#2335] + + +[[tooling-changes-8.16.0]] +[float] +==== Tooling and artifact changes + +[[tooling-bugfixes-8.16.0]] +[float] +===== Bugfixes +* Fix broken link for vulnerabilty.id {ecs_pull}2328[#2328] + +[[tooling-added-8.16.0]] +[float] +===== Added + +* Documentation in README.md providing instruction on contributions to ECS during the OTel donation {ecs_pull}2325[#2325] + diff --git a/docs/release-notes/index.asciidoc b/docs/release-notes/index.asciidoc index 968c6f62d9..01e792805a 100644 --- a/docs/release-notes/index.asciidoc +++ b/docs/release-notes/index.asciidoc @@ -3,6 +3,7 @@ This section summarizes the changes in each release. +* <> * <> * <> * <> 
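Review bot: 8.16.asciidoc has no Improvements block, while the 8.16.0 section of CHANGELOG.md lists `Define base encoding of x509.serial_number` (#2383) under Schema Changes / Improvements, so the release notes and the changelog disagree on what shipped; add a `[[schema-improvements-8.16.0]]` / `===== Improvements` block with that entry. The `vulnerabilty.id` typo is carried over into the tooling Bugfixes line here as well. In the index.asciidoc hunk the new list item renders as an empty `* <>` in this view; verify it points at the `ecs-release-notes-8.16.0` anchor defined at the top of 8.16.asciidoc.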
@@ -27,6 +28,7 @@ This section summarizes the changes in each release. :issue: https://github.com/elastic/ecs/issues/ :pull: https://github.com/elastic/ecs/pull/ +include::8.16.asciidoc[] include::8.11.asciidoc[] include::8.10.asciidoc[] include::8.9.asciidoc[] From cb1a2c14c072f6c1cb6126e6ee06aa90f0db1219 Mon Sep 17 00:00:00 2001 From: "elastic-renovate-prod[bot]" <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Date: Thu, 21 Nov 2024 15:38:52 -0800 Subject: [PATCH 183/186] Update actions/setup-python digest to 0b93645 (#2393) Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Co-authored-by: Michael Wolf --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 829db21779..d40070d222 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -8,7 +8,7 @@ jobs: name: Unit Tests steps: - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4 - - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5 + - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5 with: python-version: '3.x' - run: git fetch --prune --unshallow --tags From 4fd95849eb8a47de4a26f21c9e885f0e9fda5ae0 Mon Sep 17 00:00:00 2001 
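Review bot: pinning actions/setup-python to a full commit digest is the right supply-chain choice; keep the trailing `# v5` comment, since Renovate's digest updates key off it, but consider recording the exact release tag (v5.x.y) in that comment rather than the floating major so the pinned digest can be audited against a specific release.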
From: Christiano Haesbaert Date: Fri, 22 Nov 2024 15:00:15 +0100 Subject: [PATCH 184/186] Restrict x509.serial_number to base 16 for 9.x (#2398) We made 8.x a `should` for the same field in 4fa0abdf5db87abc91791b9a0093b371cc696032. As discussed in https://github.com/elastic/ecs/pull/2383#discussion_r1764034582 we are making this a `must` for 9.x. Co-authored-by: Michael Wolf --- CHANGELOG.next.md | 1 + docs/fields/field-details.asciidoc | 2 +- experimental/generated/beats/fields.ecs.yml | 14 +++++++------- experimental/generated/ecs/ecs_flat.yml | 14 +++++++------- experimental/generated/ecs/ecs_nested.yml | 16 ++++++++-------- generated/beats/fields.ecs.yml | 14 +++++++------- generated/ecs/ecs_flat.yml | 14 +++++++------- generated/ecs/ecs_nested.yml | 16 ++++++++-------- schemas/x509.yml | 2 +- 9 files changed, 47 insertions(+), 46 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index aae5b7a87f..b46ee2c925 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -19,6 +19,7 @@ Thanks, you're awesome :-) --> #### Improvements * Define base encoding of `x509.serial_number`. #2383 +* Restrict the encoding of `x509.serial_number` to base 16. #2398 #### Deprecated diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index 489828f764..6d5ba6a780 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -13803,7 +13803,7 @@ example: `2048` [[field-x509-serial-number]] <> -a| Unique serial number issued by the certificate authority. For consistency, this should be encoded in base 16 and formatted without colons and uppercase characters. +a| Unique serial number issued by the certificate authority. For consistency, this must be encoded in base 16 and formatted without colons and uppercase characters. type: keyword diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 4edbea7a0b..3cc3a5847b 100644 
--- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -3339,7 +3339,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -9984,7 +9984,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -10541,7 +10541,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -11606,7 +11606,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -12174,7 +12174,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false 
@@ -12590,7 +12590,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -12872,7 +12872,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index d7b749d18d..52e90b2670 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -5510,7 +5510,7 @@ file.x509.public_key_size: file.x509.serial_number: dashed_name: file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase characters. + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: file.x509.serial_number ignore_above: 1024 
@@ -16159,7 +16159,7 @@ threat.enrichments.indicator.file.x509.public_key_size: threat.enrichments.indicator.file.x509.serial_number: dashed_name: threat-enrichments-indicator-file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase characters. + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.enrichments.indicator.file.x509.serial_number ignore_above: 1024 @@ -17085,7 +17085,7 @@ threat.enrichments.indicator.x509.public_key_size: threat.enrichments.indicator.x509.serial_number: dashed_name: threat-enrichments-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase characters. + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.enrichments.indicator.x509.serial_number ignore_above: 1024 @@ -18894,7 +18894,7 @@ threat.indicator.file.x509.public_key_size: threat.indicator.file.x509.serial_number: dashed_name: threat-indicator-file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase characters. + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.indicator.file.x509.serial_number ignore_above: 1024 
@@ -19836,7 +19836,7 @@ threat.indicator.x509.public_key_size: threat.indicator.x509.serial_number: dashed_name: threat-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase characters. + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.indicator.x509.serial_number ignore_above: 1024 @@ -20526,7 +20526,7 @@ tls.client.x509.public_key_size: tls.client.x509.serial_number: dashed_name: tls-client-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase characters. + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: tls.client.x509.serial_number ignore_above: 1024 @@ -21002,7 +21002,7 @@ tls.server.x509.public_key_size: tls.server.x509.serial_number: dashed_name: tls-server-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase characters. + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: tls.server.x509.serial_number ignore_above: 1024 diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 28fbb237c6..6e1b49a8f9 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -6558,7 +6558,7 @@ file: file.x509.serial_number: dashed_name: file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: file.x509.serial_number @@ -18863,7 +18863,7 @@ threat: threat.enrichments.indicator.file.x509.serial_number: dashed_name: threat-enrichments-indicator-file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.enrichments.indicator.file.x509.serial_number @@ -19794,7 +19794,7 @@ threat: threat.enrichments.indicator.x509.serial_number: dashed_name: threat-enrichments-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.enrichments.indicator.x509.serial_number @@ -21606,7 +21606,7 @@ threat: threat.indicator.file.x509.serial_number: dashed_name: threat-indicator-file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.indicator.file.x509.serial_number 
@@ -22553,7 +22553,7 @@ threat: threat.indicator.x509.serial_number: dashed_name: threat-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.indicator.x509.serial_number @@ -23308,7 +23308,7 @@ tls: tls.client.x509.serial_number: dashed_name: tls-client-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: tls.client.x509.serial_number @@ -23788,7 +23788,7 @@ tls: tls.server.x509.serial_number: dashed_name: tls-server-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: tls.server.x509.serial_number @@ -25706,7 +25706,7 @@ x509: x509.serial_number: dashed_name: x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: x509.serial_number diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 05a7e4da52..93b81e44bb 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -3289,7 +3289,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -9934,7 +9934,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -10491,7 +10491,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -11556,7 +11556,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -12124,7 +12124,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false 
@@ -12540,7 +12540,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -12822,7 +12822,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index b58c35d5ff..3ab5bc75d5 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -5441,7 +5441,7 @@ file.x509.public_key_size: file.x509.serial_number: dashed_name: file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase characters. + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: file.x509.serial_number ignore_above: 1024 @@ -16090,7 +16090,7 @@ threat.enrichments.indicator.file.x509.public_key_size: threat.enrichments.indicator.file.x509.serial_number: dashed_name: threat-enrichments-indicator-file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase characters. + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.enrichments.indicator.file.x509.serial_number ignore_above: 1024 
@@ -17016,7 +17016,7 @@ threat.enrichments.indicator.x509.public_key_size: threat.enrichments.indicator.x509.serial_number: dashed_name: threat-enrichments-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase characters. + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.enrichments.indicator.x509.serial_number ignore_above: 1024 @@ -18825,7 +18825,7 @@ threat.indicator.file.x509.public_key_size: threat.indicator.file.x509.serial_number: dashed_name: threat-indicator-file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase characters. + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.indicator.file.x509.serial_number ignore_above: 1024 @@ -19767,7 +19767,7 @@ threat.indicator.x509.public_key_size: threat.indicator.x509.serial_number: dashed_name: threat-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase characters. + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.indicator.x509.serial_number ignore_above: 1024 
@@ -20457,7 +20457,7 @@ tls.client.x509.public_key_size: tls.client.x509.serial_number: dashed_name: tls-client-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase characters. + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: tls.client.x509.serial_number ignore_above: 1024 @@ -20933,7 +20933,7 @@ tls.server.x509.public_key_size: tls.server.x509.serial_number: dashed_name: tls-server-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase characters. + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: tls.server.x509.serial_number ignore_above: 1024 diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 8c8aa6b1a8..c068d535a1 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -6478,7 +6478,7 @@ file: file.x509.serial_number: dashed_name: file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: file.x509.serial_number 
@@ -18783,7 +18783,7 @@ threat: threat.enrichments.indicator.file.x509.serial_number: dashed_name: threat-enrichments-indicator-file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.enrichments.indicator.file.x509.serial_number @@ -19714,7 +19714,7 @@ threat: threat.enrichments.indicator.x509.serial_number: dashed_name: threat-enrichments-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.enrichments.indicator.x509.serial_number @@ -21526,7 +21526,7 @@ threat: threat.indicator.file.x509.serial_number: dashed_name: threat-indicator-file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.indicator.file.x509.serial_number @@ -22473,7 +22473,7 @@ threat: threat.indicator.x509.serial_number: dashed_name: threat-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.indicator.x509.serial_number 
@@ -23228,7 +23228,7 @@ tls: tls.client.x509.serial_number: dashed_name: tls-client-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: tls.client.x509.serial_number @@ -23708,7 +23708,7 @@ tls: tls.server.x509.serial_number: dashed_name: tls-server-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: tls.server.x509.serial_number @@ -25626,7 +25626,7 @@ x509: x509.serial_number: dashed_name: x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - this should be encoded in base 16 and formatted without colons and uppercase + this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: x509.serial_number diff --git a/schemas/x509.yml b/schemas/x509.yml index 40f8aa71da..606fdd2827 100644 --- a/schemas/x509.yml +++ b/schemas/x509.yml @@ -52,7 +52,7 @@ type: keyword short: Unique serial number issued by the certificate authority. description: > - Unique serial number issued by the certificate authority. For consistency, this should be + Unique serial number issued by the certificate authority. For consistency, this must be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA From 9f1658ab05e07ace84468f198f9fb480e3785b0d Mon Sep 17 00:00:00 2001 
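Review bot: in the schemas/x509.yml hunk the wording `formatted without colons and uppercase characters` is ambiguous now that it is a `must`: read literally it says "without colons and without uppercase", yet the example `55FBB9C7DEBF09809D12CCAA` is uppercase. State the rule explicitly, for instance `encoded in base 16, uppercase, with no colons or other separators`, so producers do not normalise serials to lowercase; the seven generated copies will follow from the schema file. Since the CHANGELOG.next.md hunk files this under Improvements, it is worth also listing it under Breaking changes for 9.x: producers that emit lowercase or colon-separated serials, which the 8.x `should` wording tolerated, become non-conformant with this change. If the schema tooling supports a machine-checkable constraint on the field (a regex pattern), adding one would enforce the requirement instead of leaving it to description text.

Review bot: the CHANGELOG.next.md hunk adds the #2398 line directly under the #2383 line that was already released in 8.16.0; once #2383 is removed from this file (see the 8.16.0 changelog patch), consider folding both into a single entry so readers do not see "define base encoding" and "restrict to base 16" as two separate 9.x changes.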
From: "elastic-renovate-prod[bot]" <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Date: Tue, 26 Nov 2024 13:38:41 -0800 Subject: [PATCH 185/186] Update actions/checkout digest to 11bd719 (#2390) Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Co-authored-by: Michael Wolf --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index d40070d222..959b256acf 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -7,7 +7,7 @@ jobs: runs-on: ubuntu-22.04 name: Unit Tests steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5 with: python-version: '3.x' From a735abd9f31fe888db2bf06d17378c09b24117fe Mon Sep 17 00:00:00 2001 From: Michael Wolf Date: Fri, 6 Dec 2024 16:17:53 -0800 Subject: [PATCH 186/186] Update template example in usage doc (#2412) The example for template.json in the usage doc for the custom template and mapping setting section was incorrect and did not work for both template types. This fixes the example to work with both. --- USAGE.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/USAGE.md b/USAGE.md index b29cdaa637..9035456951 100644 --- a/USAGE.md +++ b/USAGE.md @@ -372,7 +372,9 @@ This is an example `template.json` to be passed with `--template-setting-legacy` "refresh_interval": "1s" } }, - "mappings": {} + "template": { + "mappings": {} + } } ```